Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/02/2024, 13:53

Static task: static1
Behavioral task: behavioral1
Sample: 2024-02-14_4d99784aa40a6534d547d59ee27c2a17_cobalt-strike_ryuk.exe
Resource: win7-20231215-en

General

Target: 2024-02-14_4d99784aa40a6534d547d59ee27c2a17_cobalt-strike_ryuk.exe
Size: 796KB
MD5: 4d99784aa40a6534d547d59ee27c2a17
SHA1: fee94e7bea64a0768aa369062c129ad1c5594b4b
SHA256: e82729c43fc322484f20402c292e4ba43a825f25d1b715d03939af3188c9b497
SHA512: 8c33b09414a1b0842ecd13fa0579d4bfcb09dd61e034caa6f543ac8c0f086cfe4e94e9342ba9bc1ddd1a8c34828c2706b089ed4bb117c6ec449d6038e6075576
SSDEEP: 24576:4ANw243c+L6VMRCPU6CENltmVVdpx7fLrQWd:4ew2e6ZU6CENlc7dpJLrQWd
Malware Config

Signatures

Executes dropped EXE (22 IoCs)

pid | Process
5096 | alg.exe
3864 | elevation_service.exe
3904 | elevation_service.exe
32 | maintenanceservice.exe
4220 | OSE.EXE
2436 | DiagnosticsHub.StandardCollector.Service.exe
756 | fxssvc.exe
4472 | msdtc.exe
2964 | PerceptionSimulationService.exe
4496 | perfhost.exe
1464 | locator.exe
384 | SensorDataService.exe
692 | snmptrap.exe
3808 | spectrum.exe
460 | ssh-agent.exe
1404 | TieringEngineService.exe
4732 | AgentService.exe
5060 | vds.exe
2764 | vssvc.exe
4400 | wbengine.exe
2632 | WmiApSrv.exe
3260 | SearchIndexer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\35c66b6c1f063bd9.bin | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-02-14_4d99784aa40a6534d547d59ee27c2a17_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3864 elevation_service.exe
3864 elevation_service.exe
3864 elevation_service.exe
3864 elevation_service.exe
3864 elevation_service.exe
3864 elevation_service.exe
3864 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 912 2024-02-14_4d99784aa40a6534d547d59ee27c2a17_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege 5096 alg.exe
Token: SeDebugPrivilege 5096 alg.exe
Token: SeDebugPrivilege 5096 alg.exe
Token: SeTakeOwnershipPrivilege 3864 elevation_service.exe
Token: SeAuditPrivilege 756 fxssvc.exe
Token: SeRestorePrivilege 1404 TieringEngineService.exe
Token: SeManageVolumePrivilege 1404 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4732 AgentService.exe
Token: SeBackupPrivilege 2764 vssvc.exe
Token: SeRestorePrivilege 2764 vssvc.exe
Token: SeAuditPrivilege 2764 vssvc.exe
Token: SeBackupPrivilege 4400 wbengine.exe
Token: SeRestorePrivilege 4400 wbengine.exe
Token: SeSecurityPrivilege 4400 wbengine.exe
Token: 33 3260 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3260 SearchIndexer.exe
Token: SeDebugPrivilege 3864 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3260 wrote to memory of 3796 3260 SearchIndexer.exe 117
PID 3260 wrote to memory of 3796 3260 SearchIndexer.exe 117
PID 3260 wrote to memory of 1292 3260 SearchIndexer.exe 118
PID 3260 wrote to memory of 1292 3260 SearchIndexer.exe 118
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-14_4d99784aa40a6534d547d59ee27c2a17_cobalt-strike_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-14_4d99784aa40a6534d547d59ee27c2a17_cobalt-strike_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:912
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5096
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3904
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:32
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4220
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:2436
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2504
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:756
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4472
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:2964
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4496
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1464
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:384
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:692
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3808
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:460
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:3500
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:5060
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2632
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3796
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 9002⤵
- Modifies data under HKEY_USERS
PID:1292
-
Network
MITRE ATT&CK Enterprise v15
Downloads