Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 10:25
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_dcdc870206c1f2ccbdfd7bc0ca709ec3_ryuk.exe
Resource: win7-20231129-en
General

Target: 2024-04-03_dcdc870206c1f2ccbdfd7bc0ca709ec3_ryuk.exe
Size: 2.1MB
MD5: dcdc870206c1f2ccbdfd7bc0ca709ec3
SHA1: bc7fdcd2ca017177d1ab548819149444b36e4a89
SHA256: 254588a24faf74e0208074d3fcd2ed7d42096db295ad409919861fa10e6ad257
SHA512: 6d66026e00ecc906b4ddd4cbfbd546f4bc02c6f39439c1ff6f9fe07a737a60fb9a6d41b092ed4a957b665c6be5c10bcc0ebb2bb6f40be1357354433b4ab279d4
SSDEEP: 49152:9sOwbb13ntb+g2nxDv1PZ1LTbWvHs3M9sR:9I13tb+Z3cs3/
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs

pid | Process
4328 | alg.exe
2904 | elevation_service.exe
1468 | elevation_service.exe
3340 | maintenanceservice.exe
1032 | OSE.EXE
1012 | DiagnosticsHub.StandardCollector.Service.exe
3176 | fxssvc.exe
3000 | msdtc.exe
4904 | PerceptionSimulationService.exe
4848 | perfhost.exe
3572 | locator.exe
2692 | SensorDataService.exe
3548 | snmptrap.exe
772 | spectrum.exe
4268 | ssh-agent.exe
4924 | TieringEngineService.exe
4888 | AgentService.exe
640 | vds.exe
1500 | vssvc.exe
664 | wbengine.exe
3004 | WmiApSrv.exe
3472 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs

description | ioc | Process
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\280f9d498ed1090.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_dcdc870206c1f2ccbdfd7bc0ca709ec3_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid | Process
2904 | elevation_service.exe
2904 | elevation_service.exe
2904 | elevation_service.exe
2904 | elevation_service.exe
2904 | elevation_service.exe
2904 | elevation_service.exe
2904 | elevation_service.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
656 | Process not Found
656 | Process not Found
Suspicious use of AdjustPrivilegeToken 42 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 4888 | 2024-04-03_dcdc870206c1f2ccbdfd7bc0ca709ec3_ryuk.exe
Token: SeDebugPrivilege | 4328 | alg.exe
Token: SeDebugPrivilege | 4328 | alg.exe
Token: SeDebugPrivilege | 4328 | alg.exe
Token: SeTakeOwnershipPrivilege | 2904 | elevation_service.exe
Token: SeAuditPrivilege | 3176 | fxssvc.exe
Token: SeRestorePrivilege | 4924 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 4924 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 4888 | AgentService.exe
Token: SeBackupPrivilege | 1500 | vssvc.exe
Token: SeRestorePrivilege | 1500 | vssvc.exe
Token: SeAuditPrivilege | 1500 | vssvc.exe
Token: SeBackupPrivilege | 664 | wbengine.exe
Token: SeRestorePrivilege | 664 | wbengine.exe
Token: SeSecurityPrivilege | 664 | wbengine.exe
Token: 33 | 3472 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 3472 | SearchIndexer.exe
Token: SeDebugPrivilege | 2904 | elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 3472 wrote to memory of 4624 | 3472 | SearchIndexer.exe | 117
PID 3472 wrote to memory of 4624 | 3472 | SearchIndexer.exe | 117
PID 3472 wrote to memory of 4372 | 3472 | SearchIndexer.exe | 118
PID 3472 wrote to memory of 4372 | 3472 | SearchIndexer.exe | 118
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_dcdc870206c1f2ccbdfd7bc0ca709ec3_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_dcdc870206c1f2ccbdfd7bc0ca709ec3_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4888

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4328

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2904

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 1468

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 3340

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 1032

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 1012

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 2912

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 3176

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 3000

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 4904

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 4848

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 3572

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 2692

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 3548

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 772

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 4268

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4996

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 4924

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4888

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 640

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1500

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 664

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 3004

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3472

    C:\Windows\system32\SearchProtocolHost.exe (child of SearchIndexer.exe, PID 3472)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 4624

    C:\Windows\system32\SearchFilterHost.exe (child of SearchIndexer.exe, PID 3472)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 4372
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5107df978b4ddc8667509274d5635c2e1
SHA1eea64755def889ffc5e54d5f75b9914aed2ea882
SHA2566f36853c9b06068d9316104266c3e2174d43bb1ce797324437d478663c4985e8
SHA51270f8005dd6dde4c91e824e5c537144ed4736253119ded42237466e896aff29cdfaef40bd40ad4accde159c9847c0a871f72ef3c06be439c1944bcbe5e8493c87
-
Filesize
781KB
MD5045e09af7eb6d252ab8db35b05ee2329
SHA1830fb3e3e7bbd872fe003873f779fa7334a4104d
SHA256b030f81540a0e7e2bfff72c245ad91a250b20750bb6fc6fe140f3d3aeca0a95a
SHA512abb0635ed5671723207f4045cd48d5f258340826221b69cd2e3b0de17bf5211a60319e4ccb76b2fe863a2f0039db6f0f50e846dc165e3095828bb19c09d1ff1d
-
Filesize
1.1MB
MD5f2642ba47440b49b5010ca24d5ce0df5
SHA137adaf16b2dd853e43b7f186953988db97c29135
SHA256b41442887f743bdf05bb6a244e9f3075090c322699a1a5e771fdac681bc55256
SHA512d8e9a807557b32f6f5b2262e917d3337d1df4708478a82a80cab28b2ca46c0d6cd7cdd5fb265bffb9abac4fec42a5d989574fba1504c119065322f41f2a815e0
-
Filesize
1.5MB
MD520f1e82fcf7ec49ff6e24c66cfef75fb
SHA17f1de6446609e0d2a56bd3d12df6c6ff5899c062
SHA25685584f8f2fc269404c016ea20b7b1464792f4a17f67ed33f0018ed0f0473dbd8
SHA512ec98201d6f91149084eb054a7dc56db0fdaae3c86603552e9f8c359da7ce967f3e71a538a56b5089ca87816f6d1d3b636cd6d069a64ddaa0763e4a3c892a4683
-
Filesize
1.2MB
MD5c7fa564fbeb93e9cfa4ebdbac491900c
SHA1245ba9412553b28ff38062cc763fd0a5cb7744e4
SHA256f4b426025d169a3e73e5361b85aadb07fc15072dab12a4ecf260764ff894f79b
SHA51278b9b5ecbacc732c1e4ddf8f73b706ee0209cc9ca234b11e171013d2847fb883ad89a0413ce69d2679a21ddcb5f809d7fd092d5dbaf6f06c4ee08497c9dd3c17
-
Filesize
582KB
MD5662f94fc27791e4e57463902171a78f4
SHA1a4d79112e4898ea985d5733e18b57ce3174be523
SHA2562968283c6ef04196a64a0b472d4fc46c1afb4375127d6e606ddabfc104a11fcb
SHA5127ea7d5f4ee030dae3b4855b2f3174d6e74e48c890a8c4e78f60da66140e6fab5393387ab19050a48e3b6fe12ed1619ce9d4981909546d726ed74988241bbb5d6
-
Filesize
840KB
MD55ee7e71fa3e295eb078280e950d07671
SHA117bb1727bbd0ed1e1fcae1bd504365cf3c18c732
SHA2566cb45c416cba71012f753dfb8a3168343fa61b48a48daf33521fdc4df20a8d3e
SHA512d3bdc547be38bbead9e5d2ce5b21d60e5f6a593b133ca1b06600a4fc10cedd59c5cafc400cd67c98622d3589aac50ab425f4658b4877f7b0913baac6dde445c7
-
Filesize
4.6MB
MD56186b5918bd732ac5976d656aa2065a8
SHA17b238d938f853db47f8d35f5b9ac0fba5ad04887
SHA256d2e8f625a6e5ec32005000baec58b30c66b12f52457dec8240f3d43ee11c85ac
SHA5129ef17e5f3d4f72b12d352c4602e22ce8c85b851e8e8a0e66fc94b52ec912e1dd476b12b1e27a28384b869a761fde3a5680d3fb4a98b355273caab6ee665ca99c
-
Filesize
910KB
MD5644cd3af5951c078a26a7f97e3f591de
SHA16a64c6027b711b6acf26bb4264fe347d7e53594c
SHA256a544cf8eae3d646e1f538cd13561031408313b54f81af0f57a79b2de0f968650
SHA5120d5b3e092966938ab9c8c77bf2535feb0e5196677afcb71acbb97a5c29a77eaebdb78719f234ad1acf14c16cdf930768bfc2190401ab51d7e0ab7e15d9e67006
-
Filesize
24.0MB
MD53fab7151899b17457ef4402c97ea33f5
SHA15017e9122d5a27264c40dc54c0f341a04110a965
SHA256fe345a3bc1d3bd5e03bea07d313234d4bc4504080ea51ce2d325f6320c076a52
SHA512ae06de3481bbccc521c0d618977ddf01f27ca7cf1cac8e6878df6b4c0b40f1457662c223fdfbbf7a785f11b772a2c8fad2ef66414b4f183b9656311c7106343c
-
Filesize
2.7MB
MD568b643d603235ea3ec23f67793625719
SHA15dd6c72b58c51714dc61dc78e59fbc19fd6341ff
SHA25608c52a02d1c102c086ecf62e639365b6ca2d8504b0680c2274898efb50591eef
SHA51239ecb505e45cc759b95dd0b415525187508d14e8f42eb1ac5b67865c5d7523fdb6f25225047944181751a8583f3287e268698006ac1338f15fd6feca73fb0f6f
-
Filesize
1.1MB
MD5b3d5aa31f8ac7e750a3d528c314360b7
SHA18c5f4072883b7451042796cde82e56ff08cde82a
SHA256f2603ca17e8d292aeb6906934da86a5525e5d5066c876847058299b175bd841d
SHA5121169c2595d7019c7d07ad9389e9d006a2af45464f6e1a66469ecf5ced50992cf020131ea1adb6dded031ced1c4a0675737de6012f45097a59d7dbb737cb493ab
-
Filesize
805KB
MD569288be9772980fdc63fc8db81c38900
SHA13c7548e7808bc1f32ca02220a22ac3940ed67746
SHA256226301801b1f484fe56dd848dffb54e1cf19025650b59053f75ad87754323f32
SHA51276aa093c79029b1f6c545e33e4fbc634c073c9991bce887c6388807f4c2859d83d623147ac83e46c3f1fb861d2d33ef090565e41830780c45ff51dd33c6ee428
-
Filesize
656KB
MD5508ac53a84be0d1b548a63ae973101a0
SHA18c962f17cd9bdded6a7049f2c534cd332eb77a10
SHA256ebdd3be8708e308b0a3c44522bf7e96967d65dcabe0176b905b554fb3dfa01f1
SHA512b59301da5b14db72c3f1fcd8e0ee1457e9f2737eaa1b4ac09d3166da8246d7275afdb5bba4e774c768bb448723fa156d381dbbb77c0eececdf9cff9a8804240a
-
Filesize
4.8MB
MD5fa7fbba898cdb70cfae2325f0959158b
SHA11a734d16a2af1470ab9efc099a75c2294eef671c
SHA2561f2dd575cff2766958c872f3edda208dd856707871ffa41e610863e6b52f8831
SHA512799216fe67b7e523c4ed4bcf0063404db96f3fe3a8e1e43cc57840d0bb0b7be7421bcc8839b4c2bc36091a4b00fca784a6e0f71e8f4bec97be238ce088fad9a1
-
Filesize
4.8MB
MD5c99b9dfa36a3019475f8537ac8f9acb4
SHA16d990fd12063be0b93cc2e73926fb5e451937fba
SHA256f1c9a82396f3f301885bae4783e6c697030be3eec83e2401c0ceb9a8dfe3688b
SHA5127def2e7efe3cab8b868e947c842e29053015175035f1c15a18ff376f0522a8e98f71273d5976bff1ea7edeb43170cbcc70c8b30cba081bf415f55350ce7e5d45
-
Filesize
2.2MB
MD511b9f987b1ce1b6d43678c796bef510e
SHA1a54e9a40630d30d90de94f9a1f10104746b3116a
SHA256f592696f0ec503d37c1b201e3c7d9f6639af3044591cd3e38e75569a5e5fc208
SHA512874063d5dd13737f344bf9d2463a5989d749b1b721d3a61892e76c1345645c7b2e31d68e72fa29a3291d985591637508bdb065f16bcc7fe54b8578fe9450084f
-
Filesize
2.1MB
MD500e393b950e14bc71f5378ad41f43cdd
SHA1b60617e1679e50a96680c573749045fd260af5b0
SHA2568ffb241b2039792c5bc5742eafe2f13c43e0be0469f1fc4e3d6ec9cb49f32cfa
SHA51271eb55602115b7cdcd49f122ef9da6dbe96fe3adf19ff5aa4aedec1a68a9332563534d8e85c8a76c603eb31f9378adb8c2b910f8c66d897971b4fc2db1617cc7
-
Filesize
1.8MB
MD5a00b3ec3ad70eda2455b4dc098c27e0d
SHA1f58b6ccf575e9b3a40a7108e4a943c07674d41d3
SHA256f9c2e2eb1128822ad163bb0bf67c86254827293feef1ddaa3adfe353ebc60e44
SHA512b7138161a695950c069160267d3a4be803da075c0cbe79029f18b1e44244973b1a9e12783cf2ea643ba508ceb8219039a87c1a3c5794133c78b4d5161cd8e928
-
Filesize
1.5MB
MD5f115f27acf4c28b26a6b350a9d89f3cc
SHA1bbd42ea64f8929b0c6169284d3c72b41497198ac
SHA256adf82acd6fb0471e8e899debb9f69cdacc90648383a56fd9d19b73e825a41c43
SHA512d08eada52ee4b7e6d419261c00a8ef7619b207d792bfd2de13226ea90546a6deb2a31b60bf381a39314d407f802c9747f19474cbb114fdc89834e94fb17e0346
-
Filesize
581KB
MD520100e98488c284b2f4da8ed96d0ec8c
SHA13df40e469e3785e9d775300f0d13b31c3e9d6390
SHA256fb44fb27529a39aa168cd85e87f2babce5f6856f7c7d37037c115d3b135c9cb7
SHA51241b691d5a5ecba1fdd38b14e534a4095b135f8a831b7be57a1a4f1c944ffa7fbd80cc32c8a2654abd7cfd0aa372b0787b5f9fe1c13ed0b87f36c62baf1e39a56
-
Filesize
581KB
MD5401fd6fa6f57f8524046bada45eaaa50
SHA11c55b21a46c6be5e186ea594275c850ac86ec38f
SHA2569992ce024f7a575ab86849dca74f7c9c88c9db36f02a89507fe684fc22de536e
SHA5129b5255958829ba0f03382ab59b400b9c7a106237badf1715336a12603f718fc6125a8ad66c685b3e15505a667f1b830feb50db37126a8c4d66c0f8f605712d29
-
Filesize
581KB
MD5f2e3c278345a555b6c055336fd92709b
SHA1444fa986c27876089183bdae2f4107876bd98e51
SHA2561e5e68502204c0ea19e6de7b377be44782b004d5c7c8809972f51fa589795c1c
SHA51290fe32414f50f507c44558678298f98f2990ead173f39c868dd75eafbdbf4fadf3ff8a3283c9390293871dd539b4049e0ba34b38a8f53ce7eec08ab0f6d14ef6
-
Filesize
601KB
MD5232c6531847aa71102e97c6137af3f36
SHA14aa6a72e639a4ffd5eeb89d9c605f28398fd270c
SHA2566d68f29744d77a8dfc6baefcec64ee39e0ba7cae1cee371aced2bd9d76140b43
SHA51249e0664fc3a18a2c58491afc1e3cbc8ed6c55d460e42731a3268173e7c7c0c1d677ad3467f66594203af4784c3b630f5e1230ea69baa729228806b19340e990d
-
Filesize
581KB
MD5922e9a281b481870ebf1c0a3c07d6ed9
SHA1739645bd29512ed77d87e2fec7148fd91d7d0cf9
SHA2567f35dcff26269d28d99b2a971b3a667152aa93f416cea0f4e439fd9c1183aeea
SHA5123e17475256b7085c81bef6c9038a39f654a2208d5acc4517cf943e8d43911a6d0cc6e9d2dd22a8531f263f12eff96bc29e5a07166a3e189fa28c5b02567cfb40
-
Filesize
581KB
MD561ca87b6f24a336052d684013d6808c3
SHA157fcfd767d234c6796304867e2319c91bd406f43
SHA2564caabb623739631a90a9824a5a9d671287e474d669cb840b178c1ac5ac2b48ef
SHA51208d6ee16779d58d47cdbae68094f1176b77896fa4fd7d50aa09ee086c3c155292fbed7da24bc44ec9d944d383dab2685a950f122c7be725e1bdf87710f12a801
-
Filesize
581KB
MD52c2891469b445c03a1e61a7734151447
SHA1808cb1fc2a2ba9c224c409b7d695bcfc2d513c49
SHA256ee10b4b798ee8464623576cf8b71089329d55b15829b3c06bf12d2bba0181d82
SHA5126261c8d9cf7c47c1541f12ca11e0a43aaa63df1f91de095314889885f7aa884ea1102e2656fbcaa21f5356dded3d20c483eaca1d66e9f798c647665eb1c337d0
-
Filesize
841KB
MD5302043f645d97b289a45ff25baaf66e8
SHA1db8e586bb2c8b536b4c61ad98cacd5e5a1627465
SHA25645437cf7c1a83c1eac4f3711446d1f3e37c6f41fbfc1d291f485c63ebaf23794
SHA512e3a346462b1a49a7c044179cda5ee3fb96fd19612fd09e27785c3e92e597e09af7cbcf2a4e0c3dc1c49c8b1afd5721248eede81c4ee9ef4a53ad488ff6bfee22
-
Filesize
581KB
MD5b422d58a3450fe496b88fed94f7fa45c
SHA160f3969502f01826a9968677c3cad68f2c555147
SHA2561684ed6042510c257eb8c7c0ced778c0cef09bede580d055109544d14de7b6a4
SHA5126a51cc836456e1586341774fdea4820d6ff9b64e9402f3721b5d237cc249fb59abfae2bf2e93e5fabb7688caf0507b055dffca26a86d7b4c75b596fc78b6a312
-
Filesize
581KB
MD5dfdee6b512e11215b697f073b31a066d
SHA12e709a7c9a12c8b2d2e2a7d7b9f4ca46d2368396
SHA2562d3fbe5882b7b403de2cc529c1f4954d71483ba262b8cf45bd6f2584c702a3ac
SHA51237812269d08a8cc0dd940873390ec53ff158d3307bab44674f15246e3785872f0f687b59ed326037b1d5e1a336c1e5cf76cfa05a6fc801d4b83a7be7300c905a
-
Filesize
717KB
MD5032bfb962fb4180d59ff1766beb3469e
SHA155a8b616d584267f9cc05b76f9ad8b6061b62bc8
SHA2568ba6f907aec02333af04740cda9e83afdf9e01962520da9f35f8b0d3d38600c3
SHA5124995d2bd50ce868c2524ed7474faecb984b5ab6659e62980454683d211ddb0b3c66e54d31d16e948715c8cd8ae844dcda7d938d3076bd9abb7db59d32ffe1817
-
Filesize
581KB
MD55aa95089d052e2853e38997f7d7a59c5
SHA138137d063110357d16599e9623ef524e53835528
SHA256c7e56e5bd12084afd45f46c817c321b542f9cf889ab7f7753ee7e71cfe718239
SHA512bf86a244893ba33c7601ef6e823a392718c44b489af57d8f95e3e2270d8f15230e053c45e94feade9a044c7ae964506ebdbbcd0f4ff5d2a7b2bbfb91fa4d3a35
-
Filesize
581KB
MD501a134f4288fc82eee1d1ec7c8d67105
SHA175ea8a31e57b523c5f521e6b563dfdbd774923ec
SHA256407aaf8a22f07ad91025230685ebeea336b9163251ad89cfc4b7445ce2b6c9b1
SHA512e91f81bc5a319e7dacecafd0135f0a110e248ab0c6a5fd42340e3e24dae7365b9409238928622a1859f485551514bac17257dbac0eea8f530e87c5c68caf5809
-
Filesize
717KB
MD577eace867eb47f63e7de0f6ae88e9104
SHA10c8bfa2c9c2901e7a8e0c00ddf1fc04b400c6a7c
SHA2568b4aecfff368a8df1d64e783306662dec4905d37677e2edeffcbf3039710159e
SHA51257925031fce81f462db77782bebede26307cb623e998da311689ecc1b7e24ca6fb4a88ef7877fc1d5007e6fa07f33be2ab0ef562f7f76bc2dbd1367f0bd84e1d
-
Filesize
841KB
MD56c13ae9a49db58c2ae59c086ec226e9e
SHA100cb73bf913f5fa48e59e2b45a0913bcbe4b2f31
SHA256ded564a4b4dac2da568c5435b4fc7e207611fd323fb79c4382e6fe145f2ee04a
SHA512f5d8a0b1adcd7c9800ccd5ba53803610bc7d928d1ef66807eda36d0bd89f6d2ec010058364fd5008cc9dbe782eab913e3a326ef404b2e0dcd9d36bff15d45df9
-
Filesize
1020KB
MD58eae02b6877d3841a3c7924d3594774e
SHA146e6438aefd3056ba2827ea170eae66b00c46756
SHA256ed47e869dfd042992600812099728129c311aea3954e16faba6184604a82c1cb
SHA512f92a3d7b5d17244928b15c70612656784c0159545d231c04833bdb51238319238b0cc9de15ce12178758d4ba0022accce285e45d2493135fa3fad7485e88944a
-
Filesize
581KB
MD5f9138a948a02d516698c54120addada9
SHA19d7ccc5facfc0a1e8a7cf76b9c8bcb82f99c1b72
SHA2563001855e6a50877c2776ca39585011f207566daf5aee970b4876595ad3e90630
SHA512cef00e66b1f4aab036ae78f46a768fac242bea2d4f3f09360a039b3ea5fc94f1b30e4fbfca4fc86f7447a8ca1b404089d9283db3c445c3fc2142d11a15aafe67
-
Filesize
581KB
MD588de1620c4e0599750ec6d380cc18149
SHA158164b7f625230670c9a594d78cc5880840c42c9
SHA256c46fdf7c32d44663cdd7a306f6b9b52584cbad15fd197df2c22ea19174efc438
SHA512847d167df04f4c6dfd2f5de85a5d1d7b49d715ff418c895480f183017db53ef9c5bab8998ffbc699b252c97113f04ada1272c1ca892f873b5012f05227d39456
-
Filesize
581KB
MD5289462863d572619bc58bcec919c46ad
SHA1a791e08554fd570752d903d3eafa4ffff013eb1f
SHA25643bd47a56c4e1cdaf5e52a18250f9941b7c306ce4bff27621f90e41d192c4691
SHA512cd7830c5c5d2b8237e60e0af86d9d9e89dbe5ea323e1d63e4472e995a86d15425bb2c0a6451bcbde2dc6cf36fac32d8eb762bffe811b21cc887a0c3a34a9a64d
-
Filesize
581KB
MD51c0f5685ac9f0206e30ff0a71f6f7233
SHA10cab2eb877b81d86300d42672c95094a150abf20
SHA25638727f5d80c393d602c2e6d079ec3180f2344a496f4bff9386c0439db333a6c0
SHA512c2f7b467ccde034e1698b611e268687252fa10e9f8825b26d54393ea4eb76d781e9f35725e449390ddc3a318cb8699dee6cc037fc438ccf11abc9f7de4aadb49
-
Filesize
581KB
MD5b1f66d6160fde8a3334a1eb98bc08d67
SHA1f5f5e0ead9af227d20055ca15b5f969692fe8098
SHA256918c8bfa19455922913f5c0bf88546dd6981127f8abc093c1453c04d280dca20
SHA512766c8a3af260f491f351058232c8e2d6bacf818d555c6c752ab8fe2f23b36b51a55a832befe3eb3d1108b4b64bdf1d48264d8cbfd431d38e88d02acf6f881989
-
Filesize
581KB
MD5144db10c87f000abade3b6e025cefa4b
SHA1403bbd7d6722b185a8d8832073387f1390968ac2
SHA2565f6d2ab195117a7ec865b0e6fa392c32487edc79d17a89fef3f75890046839a5
SHA5123b4c2ff5060dd4a05241aa0068e5b7b2ced8b3795ec96a2ea8558c4f17425e072adb79ede35f0487c21a3d9b9bb565cb7442b8e7728c631e957680523537528e
-
Filesize
696KB
MD553460dbb1790d86472ed6efb94e94934
SHA1278150a01f68152a195181399c73b7ac125c15ac
SHA2566d2d4e83ecaf2d42da82a31cf74273423ec3a35fd8073dc6d5826e884f751280
SHA5128a3ac0c43a37eb579ac4f7a309e08cdc703da9ed30cc517adb4df9fe2135ca33e65353947007e97d6873c80bd7ad7826a588829f9f815eeed79095c89f9ab90b
-
Filesize
588KB
MD5767ae203fa99f551f51f1049310257ca
SHA1cffc94d71af784a82c3bbb8fd251aa172a2ee496
SHA2562c287d9161f4704cbefcb00ae7e547d7f7765fc14062ed395d11c3a20dde2d07
SHA512b51a1e98d2e5018ab9422e1373d30fc4a085e7bce648f011a7e958652fc989094e4f05485e561df955fbd7e1091be4bf783cb6baa65ae2eba368a0ead4b127c8
-
Filesize
1.7MB
MD54b7eb5f9009336e68e1f5f9425cc3533
SHA1d10ff55ee6ecbdccfe60fc2070bb575d9a19fc7e
SHA2567944501449b3d86af0b42db7cced76e8267d536de6e4a319c18605eecaf698c2
SHA5128ef39ee28f8cf7eb97c3254770105842687298e0372d1c20bd4698751670b7e69a4d360b3e4f0a15994e043195c78d4e2c36b990e8a0c4a4a776286b0c4515a3
-
Filesize
659KB
MD5c761db0bbcf389eef36a756a432044ea
SHA18f258a42d3e29587e29d89484e6db303263d476d
SHA256b5b09c3f5f9cd5af94e0f585b16c5a46587daabc2837f9e3c7ea15be0a526746
SHA512c52ec3e74b1d47f2633cce99228c0d5c36a993d49ee2c2a6492c865d78b3e0a888e93117edf7f4a85d880423b905cbb63dd3007928e4721ab613e5053bc389bd
-
Filesize
1.2MB
MD506cd1a708444aa6c1cb5a6a325cb7a6d
SHA1daf4bf65b68fdcf068951a6a1d462efb70789b13
SHA25654c51801614a3fd1ef015edaafe8bfed5a7fecd58317c408d413721e136be2c7
SHA512e2540b686316b8223fe32d7fd897d74dbd556777860c9864218e61f5153517639a489c6359e210bccc483c517965363059622d83e83baea4fc6fb9783d6cc339
-
Filesize
578KB
MD5b2f5bb3ff2768e6d211f8696eaa24ebe
SHA17b00ada0ed1e25e6a05c04a0ebfda3ed4a37b169
SHA2563bd190d63b5f6311f78849cced0d07cc3f5a80c526aa8f274e2fb51f0c82f5e4
SHA512979c6a252cd7c35e5341d993213754b8c10dc71219a369725b2f6b59675ca199a1a4bd7d0b986db445df7f9610d7c5a56ffba42df20ff28d02622e70e7e065eb
-
Filesize
940KB
MD5e5d0e4527707785baaead2184599fa75
SHA1ca362e7cb6608f5c672c629151d28cf377bb55b5
SHA256c061259d21e81706058f35f0d0ef3a48030562055111b3d35478175f89736fd2
SHA51200bb2800ab4333e2505c11ad04761518df492faeb82b84db062a98abaff57c8710ec929909f4d95fba750701f9cd73c4f49e5cd704b0548226372988ed3b1215
-
Filesize
671KB
MD5db8fc30c219127fc4f99ae20008bc589
SHA1665b4bdc4dc4ef5568dc3a60f19bca0e82a96be0
SHA25668062153e04a512cc7a1025b7a454b211b5c9aec4fae2ede65752f50e89fb869
SHA5129005b2598e020b44b06181e0c30ce6d69fe92f1e805d6004ff92eea2fab24dd369a15b28ca9e3bbe76deedaf4833a5a0a6c3e9fa74ae20d5c8f54696f14ae0b4
-
Filesize
1.4MB
MD586d243be9c7995fda21b09e477c65f84
SHA11562d0de171f1eee2b4f1faafeb7502677fdd242
SHA256c1d5fb7fb6089fc534e0b841a1cc2c22b7dfebb2a20f33214e3e3d4a214ec7c7
SHA512c23c584f588b441e03c0ac06a71f794fdd8c8cd5dd3b9c9420f072b855add6c436e92c6b66a9219188d6ad91d174dc9f6ec2a2db8dbc88da8fc1a444a7b8e7e4
-
Filesize
1.8MB
MD5573a408e5aae9115ca48f8bd427b867b
SHA1068f5a2a1975c10556cbb3f1397538e6dc3e2241
SHA2565e9c0524ffb4a33918a677f94b908a94c57365e3cba6889bc8eb3d9af3088096
SHA512d412cf8002354b689e68f9dd1ee89d17b265a6e9f0e7f2d7254ebfec3ff6ccdb89f92b340183851a22778750afc2d8c672b17f2788ab0b7b114adc1fc751fd0c
-
Filesize
1.4MB
MD56b66ce555b568671f6ee1e63e63b2556
SHA144fb4d469b9b63e87d491c76b113da2a598ef82e
SHA256395eea27cd5142312d95bf8ae6c2e8bb2b3d4c40df3118fb06f3cc91e74634b2
SHA512cc47d5150b659101bd3190ee84aca448af3424219a7ae216d17b965154bc4c9967eda12561302ef5ed4e35c33e876560da6ebba6f0b5489eff89ce1b1e85c5c9
-
Filesize
885KB
MD54e7d51b444311d2a613ca813fdf42328
SHA1953ec99057eb595326218217d41d6c93b0e55cd7
SHA256361c1b2d1d3e5252deb2c4282b5693fc19e966c16927d6e47ccade1cc2fceb65
SHA51236992763a87c4dd8d3abf73d45f5b21d7f4d11295524ff8879a3b1c83aad18eb49c37e77b4aa13ddb98443faeea025d61983bc5dc89738f5fc2b93b552aa817b
-
Filesize
2.0MB
MD5e0286f4d9dd80de3e88c1366f02cff80
SHA13e31d1b9b4042e16169f356d60cda11d98907410
SHA25603af08f56fff2f5a1016d0c58b67df5eae159c8b1df3c8adc766214d5387bd30
SHA512cf290eeff6789ad88452ad645a26708aa357ef84e0602e90d709bba33a941226e38dd7639716d27dddce7b2cc34635f852c05d4c52eb09e5316a58993fa496f2
-
Filesize
661KB
MD51dcefc225ec797da41151d966ad6edbf
SHA1a03763a537edd72c939f0922e914886292036965
SHA2562f96b27d1f520fbc3343d2eacdd17165ac6cafc7a103cb7f851a70ff5a92c554
SHA512b45fc1c52eea9f637fbabb5542329699673a95a1c4cf8ea7d39e816aefd9112d665579296f560d0049ec854ef8ba8c3df335a59b20a00f94c627905a09e9188f
-
Filesize
712KB
MD50679030110f06e40ef81672591e68dde
SHA1120e386c5410e07c3273fefe6b56fea3389f709a
SHA2563444caf973f0d7cdecad581e91729e3892368cee8cf3fc557d6cf6a64ab54567
SHA51286a2f5a6a4ab703eb9e054474c41c9fda6967a1ef86d408797b2bd90b5d303ceb955e7bf8ea16062856ad7d5a049c9cf2e976f59597e157f77f775afa59bbddc
-
Filesize
584KB
MD532cb3cf709bdad7bd789b3e98b91a127
SHA1c6ad656292839d3100dc8ad1d5ab83e295b63989
SHA256588b9f060e46950c41625f4c1ae33ce86242854c8064a1feb3382f1181b9b9c5
SHA512413cee220bfd37d3defd31166d0c72df68be74883d2edee0c15d7a8edd3c2b471e831c770ab68d14a359603c63c1a16f6c3cf01d3413b93462d41f118dc6d01e
-
Filesize
1.3MB
MD5569f12ed25805c0ae4eff78ec0fd936f
SHA1bffae170c05f77d6d9c0b4ce3aa018a52abaa020
SHA2565614809c99a3356c724618eed0e9d0da016d75db082f558a2d4c4c2fe8f822ef
SHA5124b9316ed497129bffac52418f8e65f17260ef73b61097fe3cada2f882353a3402740284e8c2443495acf353d07a0c62d21aba27c26572cb5b5fe96df88f6fb35
-
Filesize
772KB
MD5ab75d3ff7016c34987b9cd1a25a744d0
SHA1c9a13a322815d0c730b6c2a3142ba3ce5daa144a
SHA256fbc8e17c3a7e1cfef17fb8c4b6dde7673f6b03f172e485a1e992e95fe15816a4
SHA5122a373da95fecc96c7ec675955390152645f1e22e39f8a06d5e65e735d6c009415c59bc04993265629fffb8505d84c9626c5a262361ad379299bbb76ad24d41a6
-
Filesize
2.1MB
MD5ccb9468bf6ce82c0011ee483037457c9
SHA13a8228d94429a6ab5ab6c4763c8d8cd520f4f7bc
SHA256b38a586da4ae790275bbe411f5b99680b87b6a94d4431acbae02b95158c6e297
SHA5123c73398ba9d8f69255e7e61aaed4941ee4e5a523bf186fff32468f05e2b18975e8cb8c125267d5b68e48159a05374135099380720749d9f7cf15f3068d204afd
-
Filesize
5.6MB
MD55ea6699efe3d1535e82ddec182841d03
SHA1b8c2995168e99047a7c20d00615c4497a2d87e00
SHA25645ef5aae39c268916dbde4d1a2a21c8012d6464435ae01b55e01be041e2edcf5
SHA5125c8d25932dd72f87e2cb7eb0f2c807a9f6434e9789052b2fb15b8c2d5808a976c79a142a50ecff575206e36cad74606ee603e6e7636e770f2206bf2d9fa4a5d4