Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/06/2024, 14:16
Static task
static1
General
Target: 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
Size: 4.6MB
MD5: e4a6f54cc1a59929353452324b8ce997
SHA1: 8e66bd8e6aa2a20a28ff9b7fc37a5dfd0dba226e
SHA256: e5592a74ea5f520055dc05a0935f080519c1ef011585f8d26fe30da0cd6c71b8
SHA512: 36956334016632a0f41f18eb3b244bfd95bc84db2f74de79d801c8b0e9b7551b9a03a458f286a954d15c21f4871bba5bc047ad2d18d4080d7cae3a641478c58b
SSDEEP: 49152:rndPjazwYcCOlBWD9rqGfi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAG3:T2D86iFIIm3Gob5iED3R83Jd/IZ2v
Malware Config
Signatures
Executes dropped EXE 26 IoCs
pid   Process
3760  alg.exe
4548  DiagnosticsHub.StandardCollector.Service.exe
4828  fxssvc.exe
4468  elevation_service.exe
2772  elevation_service.exe
988   maintenanceservice.exe
680   msdtc.exe
4088  OSE.EXE
4012  PerceptionSimulationService.exe
4568  perfhost.exe
1324  locator.exe
4080  SensorDataService.exe
956   snmptrap.exe
1672  spectrum.exe
4436  ssh-agent.exe
4412  TieringEngineService.exe
1880  AgentService.exe
312   vds.exe
3196  vssvc.exe
3492  wbengine.exe
3132  WmiApSrv.exe
3684  SearchIndexer.exe
5592  chrmstp.exe
5700  chrmstp.exe
5832  chrmstp.exe
5944  chrmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description                   ioc                                                                      Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                     Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                              Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS               chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 2408 chrome.exe 2408 chrome.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 
2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 2660 chrome.exe 2660 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 660 Process not Found 660 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 2408 chrome.exe 2408 chrome.exe 2408 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 3000 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe Token: SeTakeOwnershipPrivilege 3896 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe Token: SeAuditPrivilege 4828 fxssvc.exe Token: SeRestorePrivilege 4412 TieringEngineService.exe Token: SeManageVolumePrivilege 4412 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 1880 AgentService.exe Token: SeBackupPrivilege 3196 vssvc.exe Token: SeRestorePrivilege 3196 vssvc.exe Token: SeAuditPrivilege 3196 vssvc.exe Token: SeBackupPrivilege 3492 wbengine.exe Token: SeRestorePrivilege 3492 wbengine.exe Token: SeSecurityPrivilege 3492 wbengine.exe Token: 33 3684 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: 
SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3684 SearchIndexer.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe Token: SeShutdownPrivilege 2408 chrome.exe Token: SeCreatePagefilePrivilege 2408 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 2408 chrome.exe 2408 chrome.exe 2408 chrome.exe 5832 chrmstp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3000 wrote to memory of 3896 3000 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 81 PID 3000 wrote to memory of 3896 3000 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 81 PID 3000 wrote to memory of 2408 3000 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 82 PID 3000 wrote to memory of 2408 3000 2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe 82 PID 2408 wrote to memory of 316 2408 chrome.exe 83 PID 2408 wrote to memory of 316 2408 chrome.exe 83 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 
PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2228 2408 chrome.exe 110 PID 2408 wrote to memory of 2544 2408 chrome.exe 111 PID 2408 wrote to memory of 2544 2408 chrome.exe 111 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 PID 2408 wrote to memory of 4424 2408 chrome.exe 112 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-06-20_e4a6f54cc1a59929353452324b8ce997_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x1403796b8,0x1403796c4,0x1403796d02⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef941ab58,0x7ffef941ab68,0x7ffef941ab783⤵PID:316
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:23⤵PID:2228
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:83⤵PID:2544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:83⤵PID:4424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:13⤵PID:4496
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:13⤵PID:2072
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:13⤵PID:4992
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:83⤵PID:5524
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:5592 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
PID:5700
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5832 -
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
PID:5944
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:83⤵PID:5732
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2464 --field-trial-handle=1836,i,779199448442099149,6382734019454148697,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2660
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3760
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:4548
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3580
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4468
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2772
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:988
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:680
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4088
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4012
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4568
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1324
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4080
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:956
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1672
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4436
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:3280
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1880
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:312
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3196
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3492
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:3132
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3684 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5228
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:5272
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5a073d35aca36131f0654ddbf1a6476f8
SHA10cdab97e230c21df5eb55f90da93e24071347b32
SHA2568866badf391265c76f3192771700506461cfea1ef30a02d2f5d490f95b0bcfe3
SHA51281be6368e1173b85d080bd63ade98e716e8d216af9fba547b12ac322886031764801f6b42f40a78df23abbe119d5c9aa7b525eed5464b5825074187a6ee20954
-
Filesize
797KB
MD57eb3a2be2bc13136a15bf2b72031f255
SHA157399abbddb48c8cd1f1985a45a2085eb2c843c8
SHA2561022971ac7215392c6090240b2b919ac35b009b974ed441adcb41474e9bb760e
SHA5126b76358c1e16b58a895e4dd3e7a4c009b9ad0639d99d88627158e59c7da62ce5c8f31acf2de3b1c174acab4aab0c72e5cf8e79521ab644aa6f2ad51fc6ccf353
-
Filesize
1.1MB
MD53dacc1c8ebf907a07c19b0f4a7cf6b98
SHA121cc285f1e1ca9544c617389aaf0434d35f636cc
SHA2563b536b0bf97a776ef9e82945df16012d104216a6beb1e42fb0a66d76a3cbb0b5
SHA51241486cf254efaf6b7336fb7f58c43051c278fab1f3a043118b8d9d8c0a61b7f8b5e87fc3626a6b014259dca604d28f3a7455e16fcd3e2d44599f0a75360cedc5
-
Filesize
1.5MB
MD596fa4df8652bd2126f2c4203d6a781ef
SHA1a95755fa4a83ab502c2793c811c6e452473b8d36
SHA256dd02487395ed221071245e173a7834e49db7d3e1959bf8fa802a7db8dec46246
SHA51266838d801853de67de3d2fe02c9b18c2c6d59ab62b0b817de3cd861d7d4c7052486eb4456d3050797eb40a9fbc219560924d5432a0af11c6fbbb00c5cd1f7275
-
Filesize
1.2MB
MD55946370e53d156ed7bd48afda3a7f1dd
SHA1aeaf9eac9ec2cc7ea7a573dec0c608fd3bf5c647
SHA2566633616c707d28ed53ba65ce5837f9b365296f3075114d45b241dec21c3f0f5f
SHA5121d5faf42ce7d250ab7f6a13285cbf02daf099849f6a4f3561c03d50e4f9b782897164037a677131caf80ee0d888aeb48e66100b46c913a8afa3b80cee5feecbd
-
Filesize
582KB
MD5586a4024b69fc8993eb826c90b674ad7
SHA17ea8eab73a8e2ce30f78b4f03fd5ccb17bb43eed
SHA256f70b3a2d7dc2319cf16b6d031aac15499804c2b91d1fac070187807405a7b894
SHA512e7a4df8b2cee6e1cb790c27c3e58b2b722cfc9aaa88bc1383e821d2cfcf873ed5a8972c3761ca36e4a282574abdc2a19ad583aebfaa6d8acdb0617e329d5d063
-
Filesize
840KB
MD5ddfff103fbeac75408a62ca32ddab118
SHA118cafc69f4df4a7d71687079068e367ea205ca46
SHA256d9b8152c69bbed429b7ae01aabf2f4553cc43c9e87fee986edb0322661c481d7
SHA5122c29ad482a70012c7db628713ce33ab7533812b18d81e29f70a230a54ad6f2170924f29697ec6a1d0ddfe50d8fd1308ff705503e7d41baf1d5b4e9ebae0f82fa
-
Filesize
4.6MB
MD5e6cf574e15e94eeb00603fad0079cb83
SHA13b5a9b3b2670dde8d281aec2ecf87e13289aea9b
SHA256f4bfc1864848fbd18f33446b704d018d9db2552a0193f3f2c46cacced4cb5e5c
SHA51268b5574ffb9d8a68138d5c9f7352ab544d13f7dc0d1834bd3a5faa1d9656db6cf71aa9e7f52e6335b1e3db1a4c94fbd3f23e203a8b3f8befe6bfbe30ca00b383
-
Filesize
910KB
MD56d85dc8a4aa4d4d6fe94103549827b2f
SHA15baac50c97dade510ff4a6860717b7ea627dd8a7
SHA2560955c70432951176817b6447f12df62fd018714c9049d4bd45667b8c894ae2f3
SHA512c55a739e47a1c34a21f135c055bbbeeffd061395d04abab52652126c91514922a7b55cc4dd4d8c1ccdaa51a49c64578ebd1a6dc2200aba6ac7d87a3986163896
-
Filesize
24.0MB
MD577fcf8de94be240d2be197e38ed0bb2e
SHA1baf8f02ad44263dce5cfed33ace2a5ef6b46ffbf
SHA256dd769c3e954b0430acabaaf15d427704d37b15a8ec9377be8bcc18748ff59787
SHA512685c3ffa64069df0859502206694cbef20114688e36ef9772a78fe20ee1d1607e19868b85a5e3283774509921bac03474ab9b91cde3190aaeba10795ca305b6a
-
Filesize
2.7MB
MD5966a836872a7b4aea64c61bbc5d0123c
SHA1ed7df9f8ef2343ca0747a0eee44a1e779b2d68e5
SHA25682aaea7feae950ba0ac591d9864447af757f8f0cf8bf7d0f58c040e903ef4d4f
SHA512c8a6863cc31a798986988389cdeaa8509b35d4569eb049ca100def1197a26eed78aa3acd6ba7f8c777801810604dcf901054ddc5972abe445214fb3077c952de
-
Filesize
1.1MB
MD5cb8ffaa214dc00c480c0517599d164c4
SHA1952947757d79345fd5ef1ca81ab0f40d1b1e8f3d
SHA256e23af8ea064a58396269311db38d58f6ca26e15c1719fd6cd46fab46e03f53b3
SHA512a88b50656325dabd3e3716dbe5a74ef7f31fda2d9abff2f546bfd694c03cf1bbdb3d24e66df792c6a9feec6662559e65eac4b78bd71ae56a6b0b591dc44cd3b1
-
Filesize
805KB
MD5cd697ba394d4ffa548420968e23dfba3
SHA103994274e3780f4fa1c76d16f7978bd1c523eff4
SHA2564b669cdaf98b0cc4ce3d7421c6788f980759ce1074e1660b761a79f40776908b
SHA512562dfe819d5c8130cdc2c7cf9686cc2445cc2df6be69b197db15dfb47acb474b989dfe7d44d9427f9048ddc836360f63008a537fb4eedfb8e9d7a7477502f4bb
-
Filesize
656KB
MD5250c1d9ef57a34480c988a045248feb5
SHA1d23eef476d3fd9a55072c292c0e76e31f0f5d3b5
SHA256be267a1cabf70a8b97fd0c068dc8c3c9a9cb063505dc9cb9534dd2975b4f2dca
SHA512157e1bfb2fd19634d19fbc1b1d5cc6baa8b4ca0ce5b2b70a8a3a2b7f80bfdb93d54782a7bf6dd5ba951d93819c9b14bf2b29358577fc451a3b15d3940d3df585
-
Filesize
5.4MB
MD565cd38b6f85659f9056765b2445415b5
SHA1eba8b5e85720a756146c36fd30e3aa4f0e7ec89d
SHA2568770e6b3129df2b30cb00ab55c2ff568cd003961749875036d39917ccdf0cfa6
SHA512fd694bf6ca9711620d55549980a2fae1a269f074e4954abebfbf47324da09d7a54fd826351cc02984dfa10769d0aeabd26c42391cda869e66fbdeaa0b2bb840a
-
Filesize
5.4MB
MD59a22a82133b3d027549d6311d90204a6
SHA121a71e8201894e81bc49702845b7e368fcfb13da
SHA256f58367c6bdd34e505936b14ee0369ed9582f9232f9e0fbdd79fb5fcf7843ab13
SHA5126e5e72150748d582ac3e78de28e5d3af08fc2b21c9434aad7388b368ed9f562778ceba3f7aa8555026c009faab90b992ec5d8ad5395d8d5884f0a6e0956c794e
-
Filesize
2.0MB
MD5ef55ea5f803d81dee3e4943ef87a2457
SHA1efff6bb9ed3c90f57ee1898629ae49dd32c03cb7