Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 08/11/2024, 15:01
Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
Resource: win7-20240903-en
General
Target: 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
Size: 3.2MB
MD5: 0c58bf93ab6ad2610dd38502a08c0577
SHA1: e0b59abb274562d3cd98bbdb1b594a93810a15a3
SHA256: a389861b84bd87b5c5086e7c08c6e9e95c22aca1ae27f54699e82bf0e088a2f5
SHA512: 726a264cf2dcbfc3991677c67e20e7d7fc46290fd5751b965928644134b22f73936cd2c2e1b618bac9fc1d0b57e29eb5c19190e12e70ddbe8e0dc510eed9a259
SSDEEP: 49152:M5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqyIgDUYmvFur31yAipZ:CNhSMYw8ypU7dG1yfpVBlH
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
1860 | alg.exe
1596 | DiagnosticsHub.StandardCollector.Service.exe
372 | fxssvc.exe
5048 | elevation_service.exe
1188 | elevation_service.exe
628 | maintenanceservice.exe
3844 | msdtc.exe
4404 | OSE.EXE
2456 | PerceptionSimulationService.exe
1912 | perfhost.exe
1480 | locator.exe
208 | SensorDataService.exe
2720 | snmptrap.exe
4020 | spectrum.exe
4344 | ssh-agent.exe
4620 | TieringEngineService.exe
2628 | AgentService.exe
5228 | vds.exe
5384 | vssvc.exe
5536 | wbengine.exe
5704 | WmiApSrv.exe
5872 | SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\b149cd6cdb05c3ba.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 64 IoCs
010000000000000061f02312ef31db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe -
Modifies registry class 1 IoCs
description   ioc                                                                                        Process
Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\   chrmstp.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
4100  chrome.exe
4100  chrome.exe
6684  chrome.exe
6684  chrome.exe
6684  chrome.exe
6684  chrome.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
660  Process not Found
660  Process not Found
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid   Process
4100  chrome.exe
4100  chrome.exe
4100  chrome.exe
4100  chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                                              pid   Process
Token: SeTakeOwnershipPrivilege                          4016  2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege                                  372   fxssvc.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege   4100  chrome.exe  (4 alternating pairs, 8 entries)
Token: SeRestorePrivilege                                4620  TieringEngineService.exe
Token: SeManageVolumePrivilege                           4620  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege                     2628  AgentService.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege   4100  chrome.exe  (1 pair, 2 entries)
Token: SeBackupPrivilege                                 5384  vssvc.exe
Token: SeRestorePrivilege                                5384  vssvc.exe
Token: SeAuditPrivilege                                  5384  vssvc.exe
Token: SeBackupPrivilege                                 5536  wbengine.exe
Token: SeRestorePrivilege                                5536  wbengine.exe
Token: SeSecurityPrivilege                               5536  wbengine.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege   4100  chrome.exe  (1 pair, 2 entries)
Token: 33                                                5872  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege                        5872  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege                          5872  SearchIndexer.exe  (24 consecutive entries)
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege   4100  chrome.exe  (7 alternating pairs, 14 entries)
Token: SeShutdownPrivilege                               4100  chrome.exe
(Consecutive repeats are collapsed; 64 entries in total, in the order the sandbox recorded them.)
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid   Process
4100  chrome.exe
4100  chrome.exe
4100  chrome.exe
5960  chrmstp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                                              procid_target
PID 4016 wrote to memory of 1292   4016  2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe  83  (2 entries)
PID 4016 wrote to memory of 4100   4016  2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe  84  (2 entries)
PID 4100 wrote to memory of 220    4100  chrome.exe                                                           85  (2 entries)
PID 4100 wrote to memory of 3020   4100  chrome.exe                                                           91  (31 entries)
PID 4100 wrote to memory of 4556   4100  chrome.exe                                                           92  (2 entries)
PID 4100 wrote to memory of 4528   4100  chrome.exe                                                           93  (25 entries)
(Consecutive repeats are collapsed; 64 entries in total. procid_target is the sandbox's own index for the target process, not a Windows PID.)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4016
    [2] C:\Users\Admin\AppData\Local\Temp\2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-08_0c58bf93ab6ad2610dd38502a08c0577_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x2c8,0x2cc,0x2d8,0x2d4,0x2dc,0x140221ee0,0x140221ef0,0x140221f00
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      PID: 1292
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 4100
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc30bfcc40,0x7ffc30bfcc4c,0x7ffc30bfcc58
          PID: 220
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
          PID: 3020
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2532 /prefetch:3
          PID: 4556
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2068,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2640 /prefetch:8
          PID: 4528
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
          PID: 4440
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
          PID: 1720
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4420 /prefetch:1
          PID: 3548
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:8
          PID: 1768
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3684 /prefetch:8
          PID: 968
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
          PID: 1988
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
          PID: 5208
        [3] C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
          PID: 5688
            [4] C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x248,0x26c,0x270,0x228,0x274,0x7ff76c804698,0x7ff76c8046a4,0x7ff76c8046b0
              - Drops file in Program Files directory
              PID: 5756
            [4] C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
              Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
              - Drops file in Program Files directory
              - Modifies registry class
              - Suspicious use of FindShellTrayWindow
              PID: 5960
                [5] C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff76c804698,0x7ff76c8046a4,0x7ff76c8046b0
                  - Drops file in Program Files directory
                  PID: 6028
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
          PID: 5976
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:8
          PID: 6136
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
          PID: 5340
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4592,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:8
          PID: 5208
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5316,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5248 /prefetch:2
          PID: 5356
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5100,i,12012937277102431840,4959301224589438542,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5292 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID: 6684
-
[1] C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1860
-
[1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 1596
-
[1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 2400
-
[1] C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 372
-
[1] C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  - Executes dropped EXE
  PID: 5048
-
[1] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 1188
-
[1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 628
-
[1] C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 3844
-
[1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 4404
-
[1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 2456
-
[1] C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1912
-
[1] C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 1480
-
[1] C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 208
-
[1] C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 2720
-
[1] C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4020
-
[1] C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 4344
-
[1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 1464
-
[1] C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 4620
-
[1] C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2628
-
[1] C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 5228
-
[1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5384
-
[1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 5504
-
[1] C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5536
-
[1] C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 5704
-
[1] C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5872
    [2] C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 5936
    [2] C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
      - Modifies data under HKEY_USERS
      PID: 5124
-
[1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 1988
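The process list shows the sample overwriting a set of Windows and third-party service binaries and the sandbox then starting those services, so every "Executes dropped EXE" entry above is in fact the sample's copy running under a legitimate service name. The PowerShell below is an added example and is not part of the sandbox report: on a host suspected of having run this sample, it takes the 22 binaries flagged "Executes dropped EXE" in the list above, checks that each still carries a valid Authenticode (or catalog) signature from the publisher one would expect, and compares its SHA256 against the dropper's hash, which the caller supplies. The $SampleSha256 parameter and the expected-publisher patterns are assumptions for illustration, not values from the report.

```powershell
# Added example, not part of the sandbox report. Integrity check for the service
# binaries this sample's dropped copies were executed from. Run from an elevated
# PowerShell prompt on the suspect host:
#   .\Check-ServiceBinaries.ps1 -SampleSha256 <sha256 of the dropper from the report>
# $SampleSha256 and the expected-publisher regexes below are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$SampleSha256
)

# Path of each "Executes dropped EXE" binary => regex its signer subject is expected to match
# (Microsoft for in-box services and the Edge updater, Google and Mozilla for their updaters;
# these publisher patterns are assumed, adjust them to the host's installed versions).
$expected = [ordered]@{
    'C:\Windows\System32\alg.exe'                                                          = 'O=Microsoft Corporation'
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe'            = 'O=Microsoft Corporation'
    'C:\Windows\System32\fxssvc.exe'                                                       = 'O=Microsoft Corporation'
    'C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe'      = 'O=Google LLC'
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe'  = 'O=Microsoft Corporation'
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'            = 'O=Mozilla Corporation'
    'C:\Windows\System32\msdtc.exe'                                                        = 'O=Microsoft Corporation'
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE'                 = 'O=Microsoft Corporation'
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe'             = 'O=Microsoft Corporation'
    'C:\Windows\SysWOW64\perfhost.exe'                                                     = 'O=Microsoft Corporation'
    'C:\Windows\System32\locator.exe'                                                      = 'O=Microsoft Corporation'
    'C:\Windows\System32\SensorDataService.exe'                                            = 'O=Microsoft Corporation'
    'C:\Windows\System32\snmptrap.exe'                                                     = 'O=Microsoft Corporation'
    'C:\Windows\System32\spectrum.exe'                                                     = 'O=Microsoft Corporation'
    'C:\Windows\System32\OpenSSH\ssh-agent.exe'                                            = 'O=Microsoft Corporation'
    'C:\Windows\System32\TieringEngineService.exe'                                         = 'O=Microsoft Corporation'
    'C:\Windows\System32\AgentService.exe'                                                 = 'O=Microsoft Corporation'
    'C:\Windows\System32\vds.exe'                                                          = 'O=Microsoft Corporation'
    'C:\Windows\System32\vssvc.exe'                                                        = 'O=Microsoft Corporation'
    'C:\Windows\System32\wbengine.exe'                                                     = 'O=Microsoft Corporation'
    'C:\Windows\System32\wbem\WmiApSrv.exe'                                                = 'O=Microsoft Corporation'
    'C:\Windows\System32\SearchIndexer.exe'                                                = 'O=Microsoft Corporation'
}

$sampleHash = $SampleSha256.ToLower()

$results = foreach ($path in $expected.Keys) {
    if (-not (Test-Path -LiteralPath $path)) {
        # A missing binary is itself a finding: the service cannot start, or the file was cleaned up.
        [pscustomobject]@{ Path = $path; Verdict = 'MISSING'; SignatureStatus = ''; Signer = ''; SHA256 = '' }
        continue
    }

    # Get-AuthenticodeSignature also honours catalog signatures, which is how most in-box
    # Windows binaries are signed; a file overwritten by the dropper no longer matches any catalog.
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $verdict = if ($sha256 -eq $sampleHash)                 { 'REPLACED WITH SAMPLE' }
               elseif ($sig.Status -ne 'Valid')             { 'BAD SIGNATURE' }
               elseif ($signer -notmatch $expected[$path])  { 'UNEXPECTED SIGNER' }
               else                                         { 'OK' }

    [pscustomobject]@{
        Path            = $path
        Verdict         = $verdict
        SignatureStatus = $sig.Status
        Signer          = $signer
        SHA256          = $sha256
    }
}

# Findings first, clean files last.
$results | Sort-Object @{ Expression = { $_.Verdict -eq 'OK' } }, Path | Format-Table -AutoSize
```

A hash match with the dropper is conclusive; a BAD SIGNATURE or UNEXPECTED SIGNER verdict on an in-box binary is a strong indicator on its own, since the attacker cannot re-sign a replaced file with a Microsoft certificate. Collect the affected files before remediation (sfc /scannow will restore the in-box ones from the component store and destroy the evidence), and note that a sample which also tampered with the signing catalogs in C:\Windows\System32\catroot would require verifying the catalogs themselves.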
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize: 2.1MB
MD5: 0c0b700594e397f30393f34c94155cfd
SHA1: 397346532bca5819fb760584846be22f6ad084a5
SHA256: e75fc94281c28fd5215d9fc0803a820b77496256a8f74038662e90884ff41096
SHA512: f688bc56968cab80321bed4c84e02d43aba291594569028ad59cebb3a7468cc0d06325fafa1afd68c6de6bc2e929158039242af6251eb120591276aac037134c
-
Filesize: 789KB
MD5: 8fdba9592eab9d377eca969e6ec19d4c
SHA1: effeb96ba724d60d88fbfffab74cc326d658e77f
SHA256: e86e95b245923b462d736846ed7ecf09aa16e175b6c3bf6a01beb68c40003adc
SHA512: 27f934a7c1f17c952f9d065f9b69de8e4e7792ea6624d009b5f450676c393eb06bed808d498b35d025d9a72d4c4683700481ecef0af1d3b9090a85e5923b6527
-
Filesize: 805KB
MD5: 8b19cd6a86e1d033c203f4f251fb1f2f
SHA1: be9a8f0305502b4e091635da1a843f9db05b7704
SHA256: b39ce089aabb158a68cfd175c2b3d6d5454425ee725404f44f81bf167ee9b295
SHA512: 4413202eccebfbaaeceffd69ed9c5d90ac36eaae681b387d64c4c33ceed450f7e191c7f4ef2ee13ea53ee7c389fb17607599a5084d09a7c47841f25a58861900
-
Filesize: 40B
MD5: f632e37458a7d2a0b282845cf14defc6
SHA1: b277b49f5940d306784fbbaf9b3097ad90554599
SHA256: 6a94d0347b0199937d62c782ff9707c6e06d9e92e3dee87621670bd1bc1dd3d4
SHA512: 22f8f4aa8310d31c4542b919914ac2d10e49aff4f82826ef10a113efaba22ab19953bee6f58df5814b0700184f4030cbf249b41b2f0b331d6530fcfa46a954d3
-
Filesize: 2.1MB
MD5: e231ac0867b4421610ddb986506b8a37
SHA1: 3d1bf94cc0b5e892ad20986e7eedc11cd95b76fe
SHA256: f6e411dc3db81d134a8a698db6ec21b1205461502069a1fe05e29af023ca6fe6
SHA512: 5d306eb7e84189ea18f809a4bac150aa3192586f83b0b7fe93d1104852a58f8063264525b2eada73368ebd0a7c8f6350076ea36e7659ad843084992e0337c0d4
-
Filesize: 520B
MD5: d7bdecbddac6262e516e22a4d6f24f0b
SHA1: 1a633ee43641fa78fbe959d13fa18654fd4a90be
SHA256: db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9
SHA512: 1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1
-
Filesize: 40B
MD5: 800547b40b40a6d57a70b74809b450fa
SHA1: 310a064c7ba82120f80af50892dcbe61b53f9d70
SHA256: a562ff4b14badc73b0804883bf4ccfd9972e485123de5e5949981794f66ed936
SHA512: 39630e3b5069d0c66ea44069358cf01f180bf25103968f77d483a27deb7e91e796a1718ce9af2f438bebe8207537e735cd402d649e2adfa2ca7748faae2db949
-
Filesize: 649B
MD5: 009ba1d1311807f7cd5ce3e9f80ee537
SHA1: a364b25c1349444c9f69d958317b0e9364169283
SHA256: 443b97f9a1835bec5857bbb2fd82cccf94ca8fe77633534ce1e42b1f6ee0ee59
SHA512: 4dc5b6ced7d615d0fbe0d976e31268a6bd8ca3d719fbeb1e586efe65889e1438e128922b519b606f12d2deac388a0609403662dc963b624b37f8e11b75414968
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
Filesize: 851B
MD5: 07ffbe5f24ca348723ff8c6c488abfb8
SHA1: 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256: 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512: 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
Filesize: 854B
MD5: 4ec1df2da46182103d2ffc3b92d20ca5
SHA1: fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256: 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512: 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize: 192KB
MD5: a8cf54419129b874864cf206392ece0f
SHA1: 2d8f78e5d6951faedba3257d5794227f34c50967
SHA256: b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f
SHA512: 02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c
-
Filesize: 2KB
MD5: d6546b25ce517dc2ff60bdaf96d05881
SHA1: db5239c35ab36b6997671651b0c6b7d0607abf12
SHA256: 1fa08883f9c4ceaf0637845f910e077185e558f6f6c40e4184fd62a7d0734620
SHA512: b7577655274e169b689147eb1e1057bb20b2ac96ec21e568521ca6f01d49e68123a5ecf12852e4d1ecd8b4ef0626201d67dbca67db6fd11b1ce5984bfd99f11d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD56883395a59c49c9bacd81c26d52383fd
SHA16ea6611f38fb1f80510d00fd8c6f2a1bb8b000e8
SHA2561c3376b63a6f5c6ce90ad0434cc78f962d05a7cc89709154005c262097ccf91f
SHA512b0ba7ef44281cc3da18854937ce731e3bb51b85293c51a042384da6b229812f0ded12922ab434efe587e4e7c8679c8820e6f995e57e032ba975148775d5e0bba
-
Filesize
8KB
MD5a3bba565e8770c9f08a58f84597bf594
SHA179708eb16fa44033dee3a0ae8fc83a79e2d64669
SHA25651e6b8fe7dcaaf879d52279ec9a183a51b59bdaeab50f0083e4b1e99dbe3dce5
SHA512a0036b78c6608927f6880e1e407c046db7385af955e3ed42bae4b917deb907921413da152170ffa29b136b904800622687563048ff17b82e6eb5d0f73c50f468
-
Filesize
8KB
MD54fd45c39b5d9c3224072b77e7fd426ff
SHA177d71e1701d67372266f3e9c39d8515e2967a715
SHA256788c0fa47a99fb9f1bfdf1850b454e51767cf97f8b2a57d506750125cb73adcf
SHA512a433081a974723c18e71babbdceb06b8233949b48893efd8d6bd34c15093a819729495d96b31da96d92abf7c6a6719651577745d415e9ac1f9dd11c3b85f8aeb
-
Filesize
8KB
MD5dacb306c7ad116ef431b0e2e6fdd5a67
SHA1f72af5be6c42772470ee9a5d03c6942c6003a6fc
SHA25634a66569be7a9ee0b0fee51e5cf9d7aa1ef4a1095e5a1f5edc9c671cacbf084a
SHA512fae6aac1da015110902a7ca20e8d095209fb74777f70a66908618bbda7b5912d18ff9ad699d8c6374e4ff9f54cf608b81be0bef5b608150cffc114e332fce89a
-
Filesize
8KB
MD5f6daf0d3ea24db8fa1747b2b7ae27a55
SHA102381615750e0e78078fc96979e627553e4d0385
SHA256ea2a93ec316b001772432eac1d3cbdb74edb700de2ab560e946154b2a36d0bc7
SHA512c922b2443492bfd856617da44b3af0b4653d981d0590de93b9a260a8cd0fdd3196e76de2626adffad7cc3894c57fee3830e37d657955b4bcbfe5030856e88682
-
Filesize
1KB
MD54165d9f553c78912d2bb0e9183ba96ea
SHA105ad7cd959182da16ef0fe6e79da5bb088de1bd0
SHA256fd167035a1666b9bcf3084348476b1a2082f788dc75526a1e6bcfd1b6cd48ceb
SHA51270e2e5a32a91472790e52e51ace7cb1bc1d69b4a24963553ad5ba77c2b00399e4d42898749fa51ba04db38992cae7b2d153733c820efe71b3ee662cfb57e17ee
-
Filesize
15KB
MD511c0e30e9c07c4c148b884836931cb25
SHA18e9c7decceaa8584e0faf7b84b31c5f56a5babc6
SHA2567b2daf044dd6767511a22a6502983ba3b3579c1e22a1f276b25edf60de6660aa
SHA5127ef5969742a2d259ee2a36dd479ae5b6f0f53ca303a4b163027815ab2bbb91ed9ed2092d704097bc529c89424d72b0f8a42c3a79172bad6cbd8d729362a6e167
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD513eb634f6a9fc6080c89b8a86364e24d
SHA167d761d7b0259839ee19142bd1181f47264b037a
SHA256e2e921744517cf1b097e85a3c285617094c8d08b98c9ba611292eaa77357faea
SHA5128af55b7a242c64996afbcd4ea3fa7daeecbfa46a1e943e0fbdbbbd72ad1a12d4c4584d7aeae0a09dee8e8df4324f7220317139881559665164502de880b53c71
-
Filesize
232KB
MD53bcf08ce01864761215084976b788f73
SHA13102da81c143c84ccfe9873d81e1992c134aaf72
SHA256f8b8292844b734072b865de0bc867c07bac3847fded685d276a9da5d7389edd6
SHA512b594c7e2e5bfd836214958eedd46f73a7ee8a4632fb88b6cbbd64a3034eab0f7e579257d04443eedec4d2169a33615fcc0be20d926b6fefa2297b841fdd3af47
-
Filesize
232KB
MD573c03aafa62f6601f3d41b02c914973c
SHA1823c0edbe403777ca13691614c58abe6920350d3
SHA256ca072e8638087b4eaa4f8ddb57b643f5829b2de6a6a106cc878cf668a1660210
SHA51222c0ca8f5f18b4024adc6355c031b309a91d5f4f530b62d6197a1f4d637f28e5c1589f8b9debacb8f66d16ce35b39d770130944c68491618ab84422b869d17eb
-
Filesize
7KB
MD52a597fa38895cad8d40d1c02e2f56d4c
SHA186e2792a7925c33e570bc296c89869e5d6dc023b
SHA256eab70571fbcbb4a583b822fb0abf1aa126808102c44e8d83ab03165c9adb80db
SHA5129681dca27d115508efe9eb93dabcece1734be4dc7b835be224d94f1d23abfbb899562b3333980c90179e9e9ba8e26500435ba9475b3aff06539e53800b4800bc
-
Filesize
9KB
MD52fd6aea954bfc1272ec4e53212692b5a
SHA1cb699b0ad9e6a6781e2972294357861c6989e33b
SHA256076e67c8ed988d82334b7d7be5ddcefe39601ad1a6d98e2e417dd50c6424b753
SHA5125bf747cc11fa60bc950b6f368bd0b358471a65d3185355ffafb83da7f5e24af5993a8fdec9065d9851b1e946d3120c74edc5ed738fc06eede68689f4cd39f93d
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir4100_1780467848\86c5804f-7fe5-41b5-b78f-ef8bd54635dc.tmp
Filesize132KB
MD5da75bb05d10acc967eecaac040d3d733
SHA195c08e067df713af8992db113f7e9aec84f17181
SHA25633ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA51256533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir4100_1780467848\CRX_INSTALL\_locales\en_CA\messages.json
Filesize711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
12KB
MD506e9ee02689e44949fabc24476018ccc
SHA13ddbc39bf2b7a0cfede261c897893bbcad6370e8
SHA256c329e01e02712f4bdc706cea7a4f5b6251dc39487cd0779c621ac96c4f8eb973
SHA512ed77ea9c9778d262ffda8d4263ab82c90b17b82328a1ecdc24565940efcd04f8ba13562e6d8f0d21d71fdbcee44fa3beb2f8286c2b0d9f531043db5e45f92dbd
-
Filesize
588KB
MD5defc536949925d9e9d1853122c2c574f
SHA1c67545a12f204a17ecbca15552fcb4316e9c9182
SHA256db634f30d963a528afee24e14dc1f5209dc42e6c95951622b6ae228c0a68c7c1
SHA512727928b76adca02587d3ea7f4c4fb370c28051f7dd7a8b1540bf1363bda7d978e07c01942b3e40594fcb354715a6200df99323033d44eafd4286ca1a8866c7df
-
Filesize
1.7MB
MD51f2173ac15183675f90e1148a7baaacd
SHA129e7abb98b5910321a2098469c4d3a0904c03587
SHA2567fd4321de44a39fdeef46f80efa50e0c9ddcd0aeb486e8ebc0b0827807356112
SHA5126f9e603e1a40edde4731f669b3abee44d5ff605239a406a3da342b8d2e86ae5d1beb157f740fd42fe5956babaf87a4f24505a03536a04a6b65da7539f9388d04
-
Filesize
659KB
MD50947fef50d4dfb6d133223a1215b6c03
SHA117a5cfdbe8a6d354120328219d66cb00af0d4b3e
SHA256b64bbda2c996e242f378a75b8d7f84ba94a75113f97a58248ec3bb18abc094b6
SHA5120dc73470d92617b79094517a3a77d2f20fe79821fa3869098ef0b5aa73408d2c8c01fdc0fc4f5b1d9b72dd9d8022e26934c71f11da23ecab66686243dad5cac8
-
Filesize
1.2MB
MD5648885a1103a866914770d938d4f0860
SHA1d72f3832c3bed94785934b3839929c50d9425efd
SHA256dce7dc588a5b74421aa5dd291938c6bd496d120a0c8362d6bd79c2a473674b0d
SHA5129a8bb8a8efdfbceb618838560ac8aa6f06657572e61079bbdb1507702eb7141f8250cfa041530d158c7e7e679b6113aa3a2a167341b92dd1c877fae5efe21d45
-
Filesize
578KB
MD5ef45dbee6c988f4cd183c5a538daad7b
SHA1b2fbd60160f160dd2f6bdafd9c7acda027477634
SHA256db2ee3354d226cac9ebffe6ef36978f136f7ce2f922fd2c329b843d4668bef65
SHA5126682056b4e368ddd5163d9488745aff8e712daa166f35d54ed6ad2336693e927becc91a7caebc21196ab5159fe6a9d72209001ac5026bfe22d6e28b195c146e0
-
Filesize
940KB
MD5f0eddb9c6586c2fa17c59f6274e7aa6e
SHA14bc992a88f9bc2b029835243f426cddd1b22104d
SHA2566f5c748f2b876d4ba668604975111ad7cadf7bda3987428beb243549010538e7
SHA512bcaeec5af939012ccee57a4e767310e1942d13f53d4f3ee5a34cc31ad9825d668652041f776370be4c7736cb58be7e820b6a7f23a624e594d3331dd5de363a09
-
Filesize
671KB
MD5dfba288e30d9f2695811c3592d209a11
SHA1e8d303e8792be518c56f4c9807a01f1fdda83c45
SHA25649805adec138868314778e7fae98f8ab3fdf68b4a81ff14f07560645865e34d4
SHA5129388972055a8770d65d8da8632e28c411eccc6404f37cbb7e5ac73744a7386f68953aca7a51db37cd2645f37128dc927023c9a6d73828a810e456d7f6acadcf2
-
Filesize
1.4MB
MD5a9c4738625fbd1feb460595f4b69d85c
SHA1907515f89802236678b2146fba81e32026976dae
SHA2569874e9d48493893a7f087c2f1ca1796c471afd70fbae5453fddf4537a2639d7b
SHA51235fe219ff2c3a54860ead3eb0de207073c2cdbd7f416ede977d2d6acdc40ec64953ad568a0ed1c785decaa395299e8ea4c5fbead34cd44f702d2679b25629eed
-
Filesize
1.8MB
MD5cbfd7560eecf4b6b66d9e0890b36419f
SHA10c0ee3ce23da20aca9acc8c72ab8d5234b83ed14
SHA2567f3161dbfb2faf2e82d4cd82855191a79b99693922e29a26d9244b05d516d7f6
SHA512b8d6104a2e807d51bfa08255d4efa211d5c987aced5484478e090843a547bbf08866dec750bced157ac6508f1d2fe81fe4769f96a781b13d4f3bdcace39a3f49
-
Filesize
1.4MB
MD595b02e2ce525d1103b49b6bdc96503b9
SHA1615d7a50c7f7c18a7f0cf5efddec1309247e5e25
SHA2564d63ad46591cccd3ed8c0c503a1fafccdc2b6ac887d44853fd1b1bd00a338796
SHA5129fe0dc8c036c5ce310929d4effc3c52645122e37d5ce339afd4847716ce450992e15a102d7fea3b88b32280274bfcf9b1f3d331e1b4862e64edcf77c531a2c94
-
Filesize
885KB
MD5345e83e78dc6c2fc0557e58750d0a18e
SHA177315ecd32b9a3f43d64439b587427c41514602e
SHA256847a97751c67b6fb2b0fdf50a1e9bfbed3733085b635cd33dcba283385df942a
SHA512b734a1ce60b75ff45668392ed956fd10873b6a0d9dc452148a240e8acc80ea9bae3564096c90698e2bf7d87cf260b6e6ad805756580ec2b797d0c1147035ce4b
-
Filesize
2.0MB
MD5c80b3720ef843275c2fe2a942c644ecc
SHA12b874b35d74d9c3f73512321fd4a49c899b7c209
SHA256ad29a3ec51347780b756925b61ba3467a7c403ee23d3ed4bf7d2f9092cd76643
SHA5125d6e123e487d95cab95b582527aba25b3898d031d5333955dad793d6dbbc51a47ff7c198673aa6188f2e313d5210a905f389127787401a6909d8f2232622cfe8
-
Filesize
661KB
MD5ce25035a20215e5e4bd02554a88a175e
SHA19c42159ea9fd0a89bb65c222999e0fb004af14c4
SHA25619d2633e0ec2ac56bf67adc6caefa11061dd02b11602ee9bc05816e0a68fba12
SHA51200e9008809778750c394b3e5cd4a91a4efcefb5240fe280b1474bf91446ce97a5defea67608a69b2902ec84e91b7445359a02d1c59890a844c62554c8ae33417
-
Filesize
712KB
MD5d2f20ef8d8e3d8f9c328c585e6a2c475
SHA1c5900d6c239d620dea7ea36c16e69507aee03725
SHA256bee486a28d0ceccd339db454d5e755b50f3211dea223b4594071209d572d4b9e
SHA5120f652b8ca890865fbadd1458a17517e124df6d75f882ac0247e52e84bea7739b38baf8dfa5c8463538cb2a2000eb2105d5e11df1f22103ae41b19ca9bde7959d
-
Filesize
584KB
MD567c546e7635c727d73f0df25db1bfb79
SHA1512f89dd4076264b0926ea546482ed310967103f
SHA25629f50a0ba009f2a7fb0c798bbab944ae466067568a2cd3b5388bf6e695706981
SHA5121f2c59d5b71440dbde76714e9fd986529b48394cfa3e59ce71188326f5541d6c6e06f6c376c687abd5df4b9a5f3dd3d2394dea70f362145f2f8518ef4432a491
-
Filesize
1.3MB
MD54d7ce8baf3dabd03c644279a1a4a719f
SHA1228a016b2807168987a964c4ec07da24bc9c5e74
SHA2568689d64d3793b56cd5e43d503c97d0d918d13ae1ff92f4eacaa1375cd1086476
SHA5129742f6d20bd26276bcff19f5ca8949ceb621b3ace9263620f5fd3bdcd426b3a0a6b823dbb0fc856c429b5da5e4b3ba2c3c1fc5cfb8e345d71d7afa77f9a30cfd
-
Filesize
772KB
MD52920cc7a6a1932a9170088e6e6b3415b
SHA14147820d1410d21902fced508a9482bd79c15cec
SHA2560a288ea535c40f65d8fc8e2a75fcf381bbce4753f1f7e24ffc0e70a3639c5200
SHA51239910d4e8e9547ed0fc5ce4a320faa071f0e2e07c13a2e84f6842f7e0d1424aea10d05ccfcce408be93be78154c19b420145c5028bb213b3b3c23a9b1a5fc7cf
-
Filesize
2.1MB
MD530b61a33397828f6c5b57f1a96114d0b
SHA1541e325288c40f3f17287335742dda129f63c9a2
SHA2560a15da6f6f6409e970416f476a02cce83d58b044cda5a29fa0084debcdf26fd2
SHA5124fcd9fa34fcbe474b5a7735301f4579a887161f3fb0496ccc62ff970b7074f2fdbf5798bc63326d59bcb25fc392e83b96c2b0a75b7e77cf3e89fa4b32e78dfdf