Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/02/2024, 11:25
Static task: static1
Behavioral task: behavioral1
Sample: 2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
Size: 14.5MB
MD5: 17512948ac977a49f9e8976a86873365
SHA1: 4251b97ea667160d8d27a4c66eee84cfc8d14a4f
SHA256: 1260d3b23e47b2ce5d9445e8e00c90ce36630e8cd6db057f56be10a857fb6589
SHA512: ae70137b427a9b8ca43e60855b848055f5626f204691c23e10bf90dc2345084afbfddbb0b98c42cf30c9927888770efb2ef746b157100ea338badd6cd83b287c
SSDEEP: 196608:RZ7dIzfYP++zRtUaYrXwr68+aghNu7XWyBOKl4lCmK2ouuqrR:HWz6oaYrXwr68yNu7XLBOU45d
Malware Config
Signatures
Detects executables packed with Dotfuscator (2 IoCs)
resource  yara_rule
behavioral2/files/0x0006000000023204-72.dat  INDICATOR_EXE_Packed_Dotfuscator
behavioral2/files/0x0006000000023204-83.dat  INDICATOR_EXE_Packed_Dotfuscator

Detects executables packed with SmartAssembly (2 IoCs)
resource  yara_rule
behavioral2/files/0x0006000000023204-72.dat  INDICATOR_EXE_Packed_SmartAssembly
behavioral2/files/0x0006000000023204-83.dat  INDICATOR_EXE_Packed_SmartAssembly

Detects executables packed with Yano Obfuscator (2 IoCs)
resource  yara_rule
behavioral2/files/0x0006000000023204-72.dat  INDICATOR_EXE_Packed_Yano
behavioral2/files/0x0006000000023204-83.dat  INDICATOR_EXE_Packed_Yano

All three rules fire on the same two dropped files (0x0006000000023204-72.dat and -83.dat), not on the submitted sample itself. Three different obfuscator verdicts on one file is a sign that the rules are matching overlapping string indicators; read the result as "obfuscated .NET payload dropped at runtime" rather than as attribution to a specific tool, and pull the .dat files from the analysis for inspection in a .NET decompiler before relying on the packer name.
Executes dropped EXE (22 IoCs)
pid  Process
4128  alg.exe
1748  DiagnosticsHub.StandardCollector.Service.exe
984  fxssvc.exe
4344  elevation_service.exe
2176  elevation_service.exe
4216  maintenanceservice.exe
4092  msdtc.exe
3768  OSE.EXE
3288  PerceptionSimulationService.exe
652  perfhost.exe
4780  locator.exe
512  SensorDataService.exe
1424  snmptrap.exe
1704  spectrum.exe
1060  ssh-agent.exe
2124  TieringEngineService.exe
3500  AgentService.exe
1464  vds.exe
4380  vssvc.exe
2548  wbengine.exe
1708  WmiApSrv.exe
1716  SearchIndexer.exe

Every name in this list is a Windows or vendor service binary that also appears in the "Drops file in ..." tables below as a file the sample (or an already-modified binary) opened for modification. "Dropped" here therefore means the existing service image on disk was modified in place and then started, not that a new file was written to a fresh path; the first verification step on an affected host is to hash and Authenticode-check these binaries rather than to look for new files.
Loads dropped DLL (7 IoCs)
pid  Process
3892  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
(this row is listed seven times: the sample, pid 3892, loaded seven dropped DLLs; the report does not give the DLL paths)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (38 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\SysWow64\perfhost.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\wbengine.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\System32\snmptrap.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\msiexec.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\dllhost.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\dc9923a9ea8238e9.bin  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\vssvc.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\dllhost.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\System32\msdtc.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\TieringEngineService.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\msiexec.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\dllhost.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\AgentService.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\System32\vds.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\System32\alg.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\locator.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\AgentService.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\AgentService.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\msiexec.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\system32\spectrum.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe

Note the second column of the Process field: a number of these modifications are made by DiagnosticsHub.StandardCollector.Service.exe, which is itself one of the binaries the sample opened for modification and then executed. A modified system binary going on to modify further executables is the behaviour to key on when scoping an infected host, because the modification does not stop at the processes the original sample touched.
Drops file in Program Files directory (64 IoCs)
description  ioc  Process
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\klist.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmic.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsgen.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javaw.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\unpack200.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javaws.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdb.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Mozilla Firefox\crashreporter.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78500\javaw.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jcmd.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\java-rmi.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Windows Media Player\wmpnetwk.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\keytool.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Windows Media Player\wmpnetwk.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jstatd.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Mozilla Firefox\private_browsing.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files (x86)\Internet Explorer\ieinstal.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\policytool.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javaws.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javacpl.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javaw.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\orbd.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javac.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Mozilla Firefox\minidump-analyzer.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\kinit.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe  DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (4 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
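The "Executes dropped EXE" table and the three "Drops file in ..." tables only become useful once they are correlated: which executed processes had their on-disk image opened for modification first, and which of the modifiers are themselves modified binaries. The Python below is an added example, not part of the sandbox report and not the sample's code; the rows are a subset transcribed from the tables on this page, and the functions implement the correlation an analyst would run over the full report export.

```python
"""Correlate 'File opened for modification' rows with 'Executes dropped EXE' rows
from a sandbox report to find binaries that were modified in place and then run.
The rows below are a subset transcribed from the report tables on this page."""
from collections import Counter
from pathlib import PureWindowsPath

SAMPLE = "2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe"
DROPPED = "DiagnosticsHub.StandardCollector.Service.exe"

# (ioc path, process that opened it for modification)
MODIFICATIONS = [
    (r"C:\Windows\SysWow64\perfhost.exe", SAMPLE),
    (r"C:\Windows\system32\fxssvc.exe", SAMPLE),
    (r"C:\Windows\system32\fxssvc.exe", DROPPED),
    (r"C:\Windows\system32\SgrmBroker.exe", SAMPLE),
    (r"C:\Windows\system32\config\systemprofile\AppData\Roaming\dc9923a9ea8238e9.bin", DROPPED),
    (r"C:\Windows\System32\msdtc.exe", SAMPLE),
    (r"C:\Windows\system32\MSDtc\MSDTC.LOG", "msdtc.exe"),
    (r"C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe", SAMPLE),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", DROPPED),
    (r"C:\Program Files\Java\jdk-1.8\bin\javac.exe", SAMPLE),
]

# (pid, process) rows from "Executes dropped EXE"
EXECUTED = [
    (4128, "alg.exe"), (1748, DROPPED), (984, "fxssvc.exe"),
    (4092, "msdtc.exe"), (652, "perfhost.exe"), (1716, "SearchIndexer.exe"),
]


def basename(path):
    """Case-folded file name of a Windows path; report paths mix System32/system32."""
    return PureWindowsPath(path).name.lower()


def modified_executables(mods):
    """Map lowercase .exe name -> set of processes that opened it for modification.
    Non-executable IoCs (the .bin and .LOG rows) are left out on purpose."""
    out = {}
    for path, proc in mods:
        name = basename(path)
        if name.endswith(".exe"):
            out.setdefault(name, set()).add(proc)
    return out


def modified_then_executed(mods, executed):
    """Executed process names whose on-disk image was opened for modification first.
    These are legitimate service binaries that now carry the implant, so hashing and
    signature-checking them is the first verification step on an affected host."""
    touched = modified_executables(mods)
    return sorted({proc.lower() for _, proc in executed if proc.lower() in touched})


def propagators(mods, original):
    """Processes other than the original sample that modify executables, with counts:
    evidence that already-modified binaries continue the modification."""
    counts = Counter(
        proc for path, proc in mods
        if basename(path).endswith(".exe") and proc != original
    )
    return dict(counts)


def second_order(mods, original):
    """Executables modified by a process that is itself a modified binary."""
    touched = modified_executables(mods)
    return sorted(
        basename(path) for path, proc in mods
        if proc != original and proc.lower() in touched and basename(path).endswith(".exe")
    )


if __name__ == "__main__":
    print("modified then executed:", modified_then_executed(MODIFICATIONS, EXECUTED))
    print("propagators:", propagators(MODIFICATIONS, SAMPLE))
    print("second-order modifications:", second_order(MODIFICATIONS, SAMPLE))
```

With the full tables pasted into MODIFICATIONS and EXECUTED, modified_then_executed gives the list of binaries to hash on a suspected host, and second_order shows how far the modification has spread beyond what the original sample touched.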
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
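To make concrete what the "Checks SCSI registry key(s)" and "Checks processor information in registry" signatures imply, the Python below (an added example, not from the report and not the sample's code) parses the device instance paths the SCSI table lists, extracts the vendor and product identifiers, and applies the kind of substring check that sandbox-evasion code runs against them, combined with a threshold on the CentralProcessor\0\~MHz value. VIRTUAL_MARKERS is an assumed list of common hypervisor identifiers, not something the report states. What it shows is that the Ven_Msft&Prod_Virtual_DVD-ROM devices (the virtual DVD drive a Hyper-V based VM exposes) trip a naive check, while the DADY vendor strings on the disk and DVD-ROM do not.

```python
"""Sandbox-detection heuristics of the kind the two registry signatures describe,
run against device paths transcribed from the report's SCSI table."""
import re

SCSI_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI" + "\\"

# Device instance paths transcribed from the "Checks SCSI registry key(s)" table above.
REPORT_PATHS = [
    SCSI_KEY + r"CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C",
    SCSI_KEY + r"Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
    SCSI_KEY + r"CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    SCSI_KEY + r"CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName",
]

# Assumed list of substrings evasion code commonly looks for in vendor/product IDs
# (VMware, VirtualBox, QEMU, Xen, and Microsoft virtual devices). Not from the report.
VIRTUAL_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "virtual", "msft")

# <class>&Ven_<vendor>&Prod_<product>\<instance id>, as written under Enum\SCSI
DEVICE_RE = re.compile(
    r"\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)"
)


def parse_scsi_path(path):
    """Split one Enum\\SCSI registry path into device class, vendor, product, instance."""
    m = DEVICE_RE.search(path)
    if not m:
        return None
    return {k: m.group(k) for k in ("cls", "ven", "prod", "inst")}


def enumerate_devices(paths):
    """Unique devices named by the paths: this is what the malware learns from the keys."""
    seen = {}
    for p in paths:
        d = parse_scsi_path(p)
        if d:
            seen[(d["cls"], d["ven"], d["prod"], d["inst"])] = d
    return list(seen.values())


def virtual_devices(paths):
    """(vendor, product) pairs whose identifiers contain a virtualisation marker."""
    hits = set()
    for d in enumerate_devices(paths):
        text = (d["ven"] + " " + d["prod"]).lower()
        if any(marker in text for marker in VIRTUAL_MARKERS):
            hits.add((d["ven"], d["prod"]))
    return sorted(hits)


def looks_like_sandbox(paths, cpu_mhz, min_mhz=1000):
    """The two checks in the report combined: any virtual SCSI device, or an
    implausibly low CentralProcessor\\0\\~MHz reading, marks the host as suspicious.
    min_mhz is an assumed threshold; real samples pick their own."""
    return bool(virtual_devices(paths)) or cpu_mhz < min_mhz


if __name__ == "__main__":
    for d in enumerate_devices(REPORT_PATHS):
        print(d)
    print("virtual:", virtual_devices(REPORT_PATHS))
    print("sandbox?", looks_like_sandbox(REPORT_PATHS, cpu_mhz=2400))
```

Read from the defender's side, the output lists exactly the identifiers an analysis VM would need to rename (and the ~MHz value it would need to report plausibly) for this class of check to pass, which is the point of the report surfacing these reads.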
Modifies data under HKEY_USERS (64 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002fcd59304b66da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000212373314b66da01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie  SearchFilterHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063fa8a314b66da01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5c413314b66da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local
(the table is cut off here in the report; 64 IoCs are counted but only the rows above are shown)

The writers in this table are the Windows Search worker processes (SearchProtocolHost.exe and SearchFilterHost.exe, spawned by the SearchIndexer.exe that was modified and then executed) and fxssvc.exe, another of the modified services. MuiCache string entries and Shell Extensions cache timestamps under .DEFAULT are ordinary side effects of those services starting under the system profile; treat them as evidence that the modified services ran, not as a persistence mechanism authored by the sample.
Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005649d42f4b66da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff0674304b66da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001734ff2f4b66da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program 
Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ce50f304b66da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000811f0b304b66da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
656   Process not Found
656   Process not Found
Suspicious use of AdjustPrivilegeToken 55 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indented entries are child processes of the entry above them)

C:\Users\Admin\AppData\Local\Temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3252

    \??\c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
      Command line: c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=100.282.200 --initial-client-data=0x2e8,0x2e0,0x2ec,0x2e4,0x2f0,0x1402d1680,0x1402d1690,0x1402d16a0
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4360

    \??\c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
      Command line: "c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_3252_RRJEXIPYQWGFCKLB" --sandboxed-process-id=2 --init-done-notifier=860 --sandbox-mojo-pipe-token=6426324206669266493 --mojo-platform-channel-handle=836 --engine=2
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID: 3892

    \??\c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe
      Command line: "c:\users\admin\appdata\local\temp\2024-02-23_17512948ac977a49f9e8976a86873365_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_3252_RRJEXIPYQWGFCKLB" --sandboxed-process-id=3 --init-done-notifier=1404 --sandbox-mojo-pipe-token=6291107651173862812 --mojo-platform-channel-handle=1400
      - Suspicious use of AdjustPrivilegeToken
      PID: 2224

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  PID: 4128

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID: 1748

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1276

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 984

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 4344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 2176

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 4216

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 4092

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 3768

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 3288

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 652

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 4780

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 512

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 1424

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 1704

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4100

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 1060

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 2124

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3500

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 1464

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4380

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2548

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 1708

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1716

    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 2284

    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      - Modifies data under HKEY_USERS
      PID: 3160
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
64KB
MD5a83fb9a0a86632136b44bd2261f59980
SHA1ed4e325c3ea50aa12f0386de810052b6b76b7852
SHA2560db65c016bc24c48d4d405d7ddf541a3c15d343c4527abde47e133a479817a5a
SHA5123a0f80e094e1165a5964bce3fe4ab22bfedb299b3185c27c10e7a7fd497b365b3dc14c7f8ea9585815d30be50ff4b32ed426c7b312f3e34aef73f692a3ed408f
-
Filesize
1.7MB
MD5484ee7e7d777b17de22ff631718dd8d6
SHA1b1cbeaaa5fa31c058c26c0cc49e2870d71c65c75
SHA25607043b1e08c994795761d506334f27293e29c7e1551f3d5a3b9beca0979a010c
SHA512b0e9e8bad69b12858f923569615b6b76030b6dc34493455c5c4c76959fbe88704fb9ea014ccbdc1cf0aac969788788dc4b07adffdac23833687e9b9ae14b6684
-
Filesize
2.1MB
MD5fb0116f12d44b56f5d20074b065f72d5
SHA1fb672f2e08a4d439cbeda25fd3e4dfacc71aa118
SHA25601878dd92de96573973838d9b07bfa7985947c980a89e3af035e07837986a7cb
SHA512630880f5b3c002f09c4f6f1e042af2888b7019a22030229b942d8f5d2d24db954f886b01c7ffa5311376c2ec3686a4cc3d7449f94c38625d0e1c5211e6ad0198
-
Filesize
1.5MB
MD5a9e723fcd443b640d87485731cd16517
SHA16dcee9161fe0d633dff36096c730a6cf45e33dc5
SHA25652858693b4321b2e0a14b3938f238b7022da8cf75bacdfaa379fa1244ab517df
SHA51253daa5066e27f3cbf2359600f1ee02235be3b4bd7f85f4f9ecaed634558bf1d1fbd1e19c12148714db229b09b4fcac51a5c702d9798531c3779c850c3346992e
-
Filesize
1.2MB
MD5bc06fc863029e39778315f396a2b9b8f
SHA1f0a1b8b95cb2c148ed63bf63f50ac3aa5d59a37f
SHA2569a91aa9ef42e5ab9d0fe69c1c831625bd2197a1fc43c81990ab621e08b537b3c
SHA512b97c77a61844362e45221f9b8c72dae875ab466228d9dc186c7a77ae6a2838bb8968acc27864b2761d175f9b14d2ff033e46e06eb18868a8e04f7f2f562ab57b
-
Filesize
1.5MB
MD5515a5826eeedb40d34067a1a9deae695
SHA14160e686a767da344547f08db9432e360ab333f3
SHA256d0d953117546f5e18633c13640660735cdb3e938590d8ce45d3d718c3eb4bcad
SHA512db7df89967aac9971a9848ef4335c65b0c1fddf26a9b1e1e8a6bff7d7eb11b793c46526801ed5c9bc26aedac5776d9f250767e48fb40ae84951008f7209cfb4f
-
Filesize
1.8MB
MD56d3de24d8ad67a1edb74b57c377207ff
SHA1ad53414926c050d5e9fc362a586bbc210f30109c
SHA25617f358227a29715313ccee1c72efd532f5523a9b4c8e0dd926f2b57cb7ba0e51
SHA5126565d90f8b73d09618643560210a8a1f40659c731e4df65136a24bd86853c059a55c7c064ac61bca9fe1b96fdde59d724d82eddebbd477d99899b14d9ef39eed
-
Filesize
4.6MB
MD583da0a240e8fa44d7e8121af582bbcbd
SHA1ad8d5aa123ec7d6bc36970c27870b4c7faa48622
SHA256a462f605feb24270b063694c0e7ac08e787d6c9bdca52460494df85d32cd9263
SHA512dbc25591f4077306931c7a05e73d7b320efb0ea4d8b32cb882be12b9a69ac77030ed6789db6133687e3a735e14e5452b7dc7b486d53681be4816d9d799fbbec1
-
Filesize
1.9MB
MD5753fedbfd80e3bd9f447bf64cdf9c6ee
SHA1e6de39862f6979ba2c806e4b1f3a90ec2f7f17ad
SHA256d271daf9c149ca6d84f67b21ce1ff7a03ab668842cd5503efa01ccf7af333751
SHA51287216e0a72731894d5aaa591d05e676388d927472a6acbed9ccf1e46bdae148ecd86858888bb73d5bd8e05c180e6c6df358efbf69da731a7e75fb4dba48683ce
-
Filesize
24.0MB
MD5a407e921b1a4862218b5d29ad22c8a94
SHA12f6de5cbc7d26c7d0abfbea294f08543b8775d47
SHA256c67f2b068186ce06ab1a8ce4d62beae8edb993bc05454aa8b832beb0c8bc4146
SHA5122dbb5fbd9a909ac800ca4e9213692345b35cbf9b06c42697825e7bc374819890b0e32b8ccb7033620597423f24f8ad76cdc2789f1d2f82b14bfb2b1514350f67
-
Filesize
2.7MB
MD58ac9b69afe0011b3586488c66969ff3a
SHA1992f17735a05c821c714b9402a95ce646d234bc8
SHA256fad655e17803c2d3fbd3aa25fcbe210b98b0652127ffe829ac4a9f0faa957aa7
SHA512b4ee211c8db84874e150513439421e54b1302d03343be3fcef8e83bbab11e306b810a9096cf4b242dfc1f60d630dce53ba706a0cc2ca553d3622b96ead6d3e52
-
Filesize
1.1MB
MD530b0563194fe645d4fb384d0868b5fbd
SHA1497dc7b13f2b10bebc18279a4ca3ddad1d494835
SHA2569884515edaa0f7e021bb44619230d6d49d893466747c6345c508e1c99263b0d2
SHA5127f4cf1663b874acb71429eecc6909eff5edf7d9047177cff613fa2def4dac32a613f0f7523d908cae7c476a8dab03cc34f661e3d4c9ca38852f801dbbdd1af1d
-
Filesize
896KB
MD5020be5d3a1281a354d9e9ea506d3d13e
SHA16cb57f045067598dc21eb46972657eefc57593b2
SHA2562c5a2bab2b0c06de901c4af40958480e535691898930a3d7787da697c72b185b
SHA512372222cc7407b540b0efd0333aeb7083cf614e614da1bfa8e9540cf7e4c1f0c41652cf9a654cbf430583e43c79f8c114557affccaabaec4b48943a506a786795
-
Filesize
1.6MB
MD52ace8e7da96abca4f41735c43775ad75
SHA1cb6c142d35b5674ecc69b51b6a296526498afc7e
SHA25639640f9ccbe458dd2e25b6c35e784bbb4e51f32728ebfba943ad74e39dca04c2
SHA5126ad75eba2761fe3a014fddff920f322f1ac6ffc9b76602a71efe1058057db9556a6102e53d724aaa47f2f92b98fa6995036bde69bb2d7326e65e0b1e78bc52fd
-
Filesize
2.1MB
MD57274c5229170355e56e349a0a86a562b
SHA1a5ef89117fa719b696238966787dad7a7d87ce88
SHA256a3ae50b654c082a92e227d79a8904f3bbfb56f2bbe8cab864ec8d8001f95025d
SHA5122b0d366577a900cc54986aca19c13fc1dae0b555cad7fe0fb2e3b6da037ff53ca5522338528e97665776a19cfc6eec67b527b881abec86a7a2c3d954edce0384
-
Filesize
1.5MB
MD5
1f0d8c7dd074241baac7dc6c8ac5914e
SHA1
3dabcaaec60d93b4b74629382702842d51705943
SHA256
014098ed86f0b916507213595ce79c9cb96897debfe7252c6c91edb3091c9add
SHA512
d719b841bcff249eaec1f1db9c40600064d513d340ae468317ad71f3211b1097edda5cf63d28779da1f966974660d6a3bbd19d01cae024c131f2f4f158fc0284
-
Filesize
1.7MB
MD5
9a0cdf07971dbfea9d52d0dd82c7a8f9
SHA1
78f4dbeb8153fdb198cec9034155445b11448450
SHA256
6a9b38da7e8256a62d566d0a3e5daf758b5965c666e2d492246dc8c8f12c4956
SHA512
b2e7c7fa00ddc15f9ba9a2204fc890ec176f398d706e2cfba1dbd4753522edad4377b870904bc371c53790ac8e4888628c4c9a1be794cae211b9d6f00888413a
-
Filesize
1KB
MD5
41302b5266f8db87b3c65e7936334c06
SHA1
383e25b8c1727bf9ea8919166f38697f293d0481
SHA256
093a880b06d48ad7218e4f82edfbfabc3b48cefab99201f47f8e3b8560784f64
SHA512
4d8a790a847a0e0267223597a2f97bf35fbf38351588632776891599bf459017e91431f3557ec6151e9a07f9e5e228c54b0383458c609d31572177ee9ea9a44c
-
Filesize
446KB
MD5
e9a7c44d7bda10b5b7a132d46fcdaf35
SHA1
5217179f094c45ba660777cfa25c7eb00b5c8202
SHA256
35351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1
SHA512
e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774
-
Filesize
36KB
MD5
d0cf72186dbaea05c5a5bf6594225fc3
SHA1
0e69efd78dc1124122dd8b752be92cb1cbc067a1
SHA256
225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907
SHA512
8122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285
-
Filesize
378KB
MD5
7adcb76ec34d774d1435b477e8625c47
SHA1
ec4ba0ad028c45489608c6822f3cabb683a07064
SHA256
a55be2be943078157b7d1cfb52febd4a95e4c7a37995bb75b19b079cc1ee5b9d
SHA512
c1af669ee971b4f4a3bb057fe423a63376cfc19026650036b29d77fed73458d235889a662ac5e12c871c3e77f6fbdb1fa29c0dfa488a4a40fa045d79eb61e7c4
-
Filesize
640KB
MD5
4247fa3a043c750081a0da8def8a7d38
SHA1
3ef146ccc895ae3a7f574adf8598016d0a0d0016
SHA256
119c572828255ab2f8f637265d92f017899163c7f474f4e12e865f996d427f48
SHA512
7460760c3b54d3e711f67087558c75c51a2f998da722e518c02c78bd08a06e963cf708d7088ea29538150d7e55e072468a613fb7c694e4d90fe9c8a3e89d3efb
-
Filesize
640KB
MD5
51d9b24494cef634dfe2dd5f82fa4a65
SHA1
983b98dc406481d8dba97301950db0582ba25831
SHA256
67b07ae624a41f9a8e7471ce058d5cf8ce449f743abfb491f9576e472fc17db6
SHA512
7f3acc9350ee31a48f82636b29a0fcd09e8716eaa3e72bd0dc91a82eca30b2c91ed24c2f61cd374bcd96eb90eb7d9158620a7bc291c373ddcd86aa9df80cd937
-
Filesize
576KB
MD5
a36d3123ccc058c13e18cea6b5e3872b
SHA1
af007822a98429c6ca24035937911db21c5a9a00
SHA256
3bd755beb8bf6ae76fa28cfe69996ad2d324f55f875e18dd6a62e411abe9b1cb
SHA512
942e8b188629a5886b43ab19b821a63bf6635bd62eab3c62398737ddebf79b4a5861d4fc21b26def984e966c7666985316d33281c7b2b19d6c25a85e6ab8f16e
-
Filesize
384KB
MD5
cc4fa910844136ea666e9fc52b49f42b
SHA1
2f4fd086b5ce80841fa4d4ffc02d03ff68af60c7
SHA256
8e00d043688b192db7c5f7e953fce551f1dd193a60c6c25250cb2fb381bde790
SHA512
8298d977dd8fa1a9a12965480a38d9afbf94f3f1f142e05e8ee20ff393f2ce36f83cc00ab37925f911783aaa058e960e0c8b1098d5416bb326f09f70c3fd2d27
-
Filesize
12KB
MD5
6d7e5555a5e8235a6f58e1c15dc075bd
SHA1
8282925744e0603803bfc640284d01dd8d3548f5
SHA256
0b46fcb2bd8a1fbcfa05d52b032d5bcdbedeae0653d9f48a1d0a4c1bab55f70e
SHA512
1d68ce0234da72dd99d3e13745afcff40d716053e010641028815f6d37371a41275685463abb6f3f520f12bd8350f8926d0ab90a3ece2be28113b70ac30ed05a
-
Filesize
1.6MB
MD5
b7230e5983b8c39291892f60157e110f
SHA1
acb148c13cbeb1229766892936e4a49723b0c7e0
SHA256
fef1bef5ac2c1f7d3c27758f116c7144d0409ed6e2da38ea852ba97845efa856
SHA512
0825bb6eaffb986a26b66f1dc443b2966a37c12f2fc092d61068fa9d997ce7a899c0bfa9406c8f1a4f4369b59b3aee0a5b8d6ce527795894e16fe06837373fd0
-
Filesize
1.7MB
MD5
7a5a29c60e27bd29dbcf45d329312f71
SHA1
9c3e9e4a69c284167b7e5c40de9416f7f753b96e
SHA256
f65573ad5cd2ad4d21569c03d342fca7f359c8c553626bd8a486befa1a7422d2
SHA512
6fc1a14a9f3770a3c761ee965f4adf4a04b9cc2bf46252774101e163237716ccf2b5d229677e4fafc09f191a0375473066d2608539395f7b188c9f79d345c98c
-
Filesize
1.6MB
MD5
7b368fd4b2d12effd123619579b15d7b
SHA1
054b9a123c6f3afd16b9e1b36917cab44c7a4089
SHA256
cdd106c95d48593996e083ea81ca4dd35ba458600771319347b4e804c0c31f3a
SHA512
4e73967caed43ce313c79a6a5fe8540ec654d185fc8d712d1e121473c5a91ec210dac54c57a802963c587f5571231e423712fbb8f711fa629776698f6747467e
-
Filesize
1.2MB
MD5
e5506ad9ea134cc804b012ecf4545643
SHA1
cbb0297fbb5dd486c86d523783703cb79595a86e
SHA256
e8b8faebc135aa0998e46023e1ee642c892e55e7e41e8003c405eeb7ed5cff69
SHA512
c21035034c778adba368cbb87a8a8502abaee0f7900fd61f63f3bae2768310a5d527e0c31b5e5b8316db8145ee258d530975a42d90133daf56a41cb2cb91e87d
-
Filesize
1.5MB
MD5
64078d4dbb565e2d928c88444548fa33
SHA1
766cdbc44d331bd0c1e3fe57e76c7e679d35f023
SHA256
2aa0c15cf766c3cbe00742c9bb9a123684a3de1c5eeff17216dd66c717d4d767
SHA512
9f9850d6c0006d3764b5bb92b828320b910b0cb1660102e84bc9a94b097dff95835467e42f9b259521cb8ed185e13e6e0a066781a7db69df77dfed7791094ed2
-
Filesize
1.9MB
MD5
80026466cca4c41583a29e061b4ec47f
SHA1
2bfa8840f2bc96be876032528fa0a05c360f2a83
SHA256
32d6915e88d1900190baf5c1006b2634766a9d1857a8eec09497ecb0ac6985e3
SHA512
f4d0e50a1329be17dad2219da1377b1c2296c231733550fa0317d9c2481b1f802ed1a6cc776a00f57c8f845ff59815f00991ddb8505d6fae3d732311b8d7bc5f
-
Filesize
1.6MB
MD5
041733bab23625b25f00f6667fc58ac6
SHA1
6a3046aa9dbf5404eddef13fd5977f818c656e8f
SHA256
adf6f14f9b2123f066e84657366b495ab381db225cd3fc2e3d900b8c318e042f
SHA512
15f72aec203f88059b4c8f70fb23586e4182618c134d138e36881209e61f710b49dd1c64860a25e4b522bcdd4f32f89c5b8cbce756a3d1980b5d19aff19a2a11
-
Filesize
1.3MB
MD5
a7cf8ddef5f2d6f5d03ea8c7b5ad0ece
SHA1
99ec52bc38589b25981dd23ef03ba76084989b19
SHA256
7f7e7393635b39b06a674b31ca814107ee21634c63a5857e9118d617e9eb5805
SHA512
fbe53a2639ee0ee6a6f06f542d686f5c7d3390731dc24e5b799a45b68a26150f9fbbd2e39f5f04c61e4f43195beae377b824901106ff8e3b776a47462b6199cd
-
Filesize
1.8MB
MD5
191bf0a786b767bb44a5b660675c12ff
SHA1
5012b2aee2755b735c453ea166d410af9da9652c
SHA256
4c3ad3e8301dabf32f3225a52eef24f3bd06c0ae86af12c75828fc9c43c2b513
SHA512
0e6763ed7604862d5eb5e1c95b7d3a97082cc4ca5059f3d80abbde9a32cff7c114b23fa8f84179add626c486b7c494caafd249ca74a06aec2561fe3b2c8005d1
-
Filesize
1024KB
MD5
9294563d1e4c90684e5cd0401fe22888
SHA1
b1be16df25952aea76fa225a7547229729230340
SHA256
dcb5013bb24bd16e18afab7f10a9e8c6abfa7fafa50ad85b5a279a58a566e964
SHA512
d37f02e343921d8f712761349e9a289aad36541b645dc29cb8f5fd93d04d57e240865cf54df731f96e4f100bfb39c742330495aaaae5854b828406f5e2a1729d
-
Filesize
1.8MB
MD5
cdbe3263d4674404279222248cd24318
SHA1
94b1e918881a0085b85456fca86a5b074291cf8d
SHA256
e6a388b46598778fed4c77785b7dee922f12fb692ce9dc491daa7033fb42ff0a
SHA512
6ba92925bd180eeb620be0464ed3b411ad9939ed4a346d1a12aa177b2981537e6183ab2ade7ca29120c843045ed28acc1fdd27fcb41646f2819e983c1289d065
-
Filesize
2.0MB
MD5
1a40caa92f90933a30d8e9ddac057025
SHA1
6214d47a2fa76a15edc643feb9c5c4406f5ab512
SHA256
a0712a26c727b52bc2ee6bb8b465a8c1c29a7c186b8e36688298cc0bbaada9cc
SHA512
660b77450c0268b120253bad31970234cf69028ada6cea7e45b72e924c64faf5aee827b3994bcbe811bfd576bc881e0457827520695ba8f15349ac9bfd5fc76f
-
Filesize
1.6MB
MD5
454a77574613db46015cc79f50668a69
SHA1
cc8a7a52a5f74d46dee30d69f44fea64067a9fe1
SHA256
ee06b99a2a675733b26c633d71369f7efb2e3a1bd70ec89c392c41b507f4a897
SHA512
508c2fcc77c24146271beb42c7ebb99082d680d1742fdaa12343573c5b48aab6f8b2ca83f919c41beaa3e2fb322c1a9f7727f9aebecd7315fe83978e60f15adb
-
Filesize
1.7MB
MD5
2baf96af9fa90ba82e3df0758a172267
SHA1
dcdf758265ab3fdb17bc81bc70a7875bd09f5b11
SHA256
4b2bb5819859ac106d6c09a5bd31581696127135652d5d5aeffafc51502b5b76
SHA512
c434c764d2ca1982f2f5401188c3e7d850363e5b7cbc2f5a76717490dad80ef9eef305689f14905419e54eefe1174a7367f9c50d7d2e03100d0cf006ecdbcd4d
-
Filesize
1.1MB
MD5
93dad8a22eb58c491452c3e23844141a
SHA1
c8be51249ffc606b1632f52119d08a14ae8755db
SHA256
94a2f723b5899a5218b7c850ae8adc78ede4a1c1d99dd22d0fc1f841ddef20ef
SHA512
b21ba5dfe7c7a0ee522803c008274dfca8f6592523cd1d7ad8d744c791fc633d9d91caadd30b5add163b1d36302da670b38cd1c48dd05a1858012dcf4819750a
-
Filesize
1.5MB
MD5
1ad4cb4dbed8b44efcd856844d709fbf
SHA1
29b447c4af34932f0f58240457c3a21bbbef6705
SHA256
309a0998b7cef781776cad7fe30d631f5a4050076a052b734e2e16b5dcb7f988
SHA512
a082b74aad958cd355da15104d4cefbd0d9ce623421a2956d4fdd339df5ae2185198fb43a92d9418183585ce3bb6e9bdc6f5917eedda794658359298ca16b61f
-
Filesize
1.3MB
MD5
97166ea62662f0eac642182c7ae9b5d1
SHA1
5a0435440ab8b735814137093ac1dd833cf01c30
SHA256
c5dcc186d3d4efc80f6430bab017cb84eba347fa0d4ad1c80359d1eae5e85f30
SHA512
aee97cfe4c4654ac336b6f565eb38581c7eefb841a2665320f560a691b104e2ab0e6fdc6f26847d84e1dfd182f94cd66bd952cbb690e7b4c3fa069e3e6a2a1c6
-
Filesize
1.7MB
MD5
9eea4ca10e1cb6027b0e9e331e3b5acb
SHA1
70bcc3f52c8e850cf9fe114fa52f4f88623fde12
SHA256
b471cd620461fd675f5d334c8a231f17eb31a7abf6ecb0ebab5015636a4c00ff
SHA512
74d63c6f118d1f5f4226d84edfaf154866927c367d00d1b09d01eb8ea06b3da355d13306e04574d00b4bf5065b0e324978c9001bef81f2851ab1e22cf722eca2
-
Filesize
2.1MB
MD5
8e81a30c10cc18e21a8f50d0dbbc49ce
SHA1
a452234c850ce34e131260566daf63987701142f
SHA256
d0a4e2924e42bd9c526bc01d5273a40ea3b42909f70b9c016b337382cfe854fc
SHA512
6929eb7ee9b61c96e77578c8cf5610872b11250eabe59fc1d77217da3a5a5630cc81ebdb98ed6085da5f800f980ea486014ad9c63812ba293cad5c409516364f
-
Filesize
1.3MB
MD5
7ee23d12f56fbcbadbe12fbc1ae09b6f
SHA1
3f0b1b93919b507e997c6f276fe482e1286d8bb7
SHA256
2871444aaa721fc9b19f66f10991f577c5ccfb186d36563e53d95daf87edbd8f
SHA512
c90aad31387f88b70dab65155b7e2b721622b55fa565dcdb0338f420d8a5416c177e2c5513a27f0797edf85c6acbaf289771a54b731e1bca6c624ac29769582a
-
Filesize
1.8MB
MD5
b19ac2435d6b7182250dcfdb5d05a94b
SHA1
84377fb2e0b1b1e40893c2b649f1410a78e40b7f
SHA256
c46358098ae57629ffa77c2a839216a6b7654d1fe19c182fb0050e02b18a2d2c
SHA512
13f1535aed41d4286c9de7d1a2b7c72ff7821135688cb015609a1a3b448cc31d315cc88db3d046190e0eaf21cbdbf6fa6a1b938d8965a072afefad6d36f27991
-
Filesize
1.6MB
MD5
841a14c755d80d2e1052f24a7135f539
SHA1
35ae16cf2f427e946f6fee3eca999c28c91a96c6
SHA256
a282218055d0726b5792b0269fc2392b546a07a797b7d498b2f48bc3d917f0cf
SHA512
acd228d8bc3d67464686ad6fcaa37f86f15234094f6302e22e9af7a9215292bcaa879b0452aa90387ae7ea72e3decd5179c3f988360847729ca262ac437af643
-
Filesize
5.6MB
MD5
05e542f328f9c217a7acc273a617cb0d
SHA1
6265bae06599d2b7a3b7691a43217951b446788d
SHA256
dd41b82cd0e98980f38563e942a808f3d64739dc7f0adc2f859c95807514e65a
SHA512
eef947956e4f9b49aa1891cc3379857d48b5a73a565ebe20579fcc55911869b3500fa1fd7ab2688e4c398de0d78cc5dc72ee6818c264f06936b81613ae749082
-
Filesize
40B
MD5
915e8146d9bff8f9dd24be8c5e953016
SHA1
207809729a309f5544e72af13dcd2cdf794b893a
SHA256
589ddb46fca20d957423652416f29d82442a9fb2de509324d851912f0ea5ae04
SHA512
34ac91de5663795a6c8d8b1ee0c4b963618deb76a23ed173a4ca8b9b3e75222d386c9e68c3fc88a4a3d7e5f2582d8196da2b15c1b1a5e3258a2b392f0ae45305
-
Filesize
320KB
MD5
26d00a73905f9fa8d26d4f17edc58b98
SHA1
70c2575e4dbd02f243a876bf055842438e29eec7
SHA256
869abe21a6548d77c34341e714ffa61100daf604ccf68b6338f4e7a46507bacb
SHA512
bc2e3ef3a8fd813ff658a0f0e59d2cd48208fd4fbc5bb8b091ec2cd02a7cf09277a8db6f2fd81ca4af076083e3f988079d46c5447a6f626f6352355ef5fe6301
-
Filesize
256KB
MD5
ef7ff96529345f7f477782bdcdac4d1f
SHA1
1e39fbff96f10a2d1a48739c5adba7ac62f7e8fa
SHA256
9051ccee3791ec424beaffde5728094fd72c22666912f34ab63ab3ab6557216c
SHA512
f6906ec8d4d6cf58046563b63988c4d77b12dcfaf596955139f5dcdb7199bf26a7045bc9ad41bbdad781b2032b61c6d14b712378be783c1146b19c5da592411d
-
Filesize
320KB
MD5
c403bea3068bf1407fa0b8e2ab181098
SHA1
fc3917ca84ac4bcacf7c3823214730b6816128ea
SHA256
5fdc86da6d9b17d12c8fa3e3198bdbd636795d7092d9e74f95852bfba491bd78
SHA512
9d0742b1c6e38b8d3d94d434f697f515f23a58dcc4fd14488138f1344ed378b305fe242467ed8c1b4ea971fccff5641258a238ebb590680b67997c65454d03bd
-
Filesize
256KB
MD5
726d4439d2ad0b91095df19ab265a30f
SHA1
bf5c8a1de7a941db30eb75d89e724e307c0b36b8
SHA256
6f766a8ba7084f1fa435dd055c23da00af060d6f1f35d29e4607f839e868e1b9
SHA512
e3669aa8daac48a4f12d3a9a66959e5ac5423f4cbb7bc943f75aa24561c9a8e78a5ba42c15551e5f38b8d7479ab8047ce85249e484ce0db5c4d6311b7ec1a36e
-
Filesize
291KB
MD5
51abea5120587a753d37eaa8a072fa50
SHA1
1a70878392d3cce6cf4da3710c29de96375d7f7b
SHA256
40b7562db4a5d547b5637d19b03855c37dc93ba94f09156a43bf2181f5d57a7a
SHA512
4ed1a145b530d35047d57f053beaebb1b87633004c9a4ca47a25bb651275b68b61b40ec70742e23ef81c1ef25f0738686b113af9ab6982a29aa0046fe33956c3