Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 10:28
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe
Size: 2.1MB
MD5: e9a27ecad59d073c4df6862b73549ce5
SHA1: e0e05c9f3d8cbbc86a1a72fd5d3cd79ad114b6ef
SHA256: b9fc2e5b4b4471c811cd7df5e25a24ac75e5de69f882664919d7c10da46113c4
SHA512: 958fc4175b3140de0a3ee7aa39d3b6f60336fe19d3cabe21ee64e81f6720cb4cc4b6a1bae776613be2012aab5739063db4eae94159c54a73364f7cf097c6d7ce
SSDEEP: 24576:wsOw7PMlbXKF19xnntbTPaXTvSL2eYzxDvmaoCsO1llMEbUc6J17W8CX32+KJNAn:wsOwbb13ntb+g2nxDv1PZ1LTbEcW+S8
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
pid   Process
1644  alg.exe
224   elevation_service.exe
4136  elevation_service.exe
1316  maintenanceservice.exe
1128  OSE.EXE
3296  DiagnosticsHub.StandardCollector.Service.exe
3868  fxssvc.exe
3332  msdtc.exe
3988  PerceptionSimulationService.exe
4860  perfhost.exe
4180  locator.exe
1352  SensorDataService.exe
1928  snmptrap.exe
2652  spectrum.exe
4452  ssh-agent.exe
2188  TieringEngineService.exe
3236  AgentService.exe
4296  vds.exe
1116  vssvc.exe
1460  wbengine.exe
2160  WmiApSrv.exe
1544  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
description                   ioc                                                                              Process
File opened for modification  C:\Windows\SysWow64\perfhost.exe                                                 elevation_service.exe
File opened for modification  C:\Windows\system32\locator.exe                                                  elevation_service.exe
File opened for modification  C:\Windows\System32\vds.exe                                                      elevation_service.exe
File opened for modification  C:\Windows\system32\wbengine.exe                                                 elevation_service.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe                                            elevation_service.exe
File opened for modification  C:\Windows\System32\alg.exe                                                      2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe         elevation_service.exe
File opened for modification  C:\Windows\System32\msdtc.exe                                                    elevation_service.exe
File opened for modification  C:\Windows\system32\msiexec.exe                                                  elevation_service.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG                                              msdtc.exe
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe                                        elevation_service.exe
File opened for modification  C:\Windows\system32\TieringEngineService.exe                                     elevation_service.exe
File opened for modification  C:\Windows\system32\AgentService.exe                                             elevation_service.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\ea7fe5d412d07ad8.bin   alg.exe
File opened for modification  C:\Windows\system32\dllhost.exe                                                  elevation_service.exe
File opened for modification  C:\Windows\system32\vssvc.exe                                                    elevation_service.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe                                               elevation_service.exe
File opened for modification  C:\Windows\System32\snmptrap.exe                                                 elevation_service.exe
File opened for modification  C:\Windows\system32\spectrum.exe                                                 elevation_service.exe
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe                                            elevation_service.exe
File opened for modification  C:\Windows\system32\AppVClient.exe                                               elevation_service.exe
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe       elevation_service.exe
File opened for modification  C:\Windows\system32\fxssvc.exe                                                   elevation_service.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe                                        elevation_service.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
description                   ioc                                                                  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log                                            msdtc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                              Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
224   elevation_service.exe
224   elevation_service.exe
224   elevation_service.exe
224   elevation_service.exe
224   elevation_service.exe
224   elevation_service.exe
224   elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
664   Process not Found
664   Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description                             pid    Process
Token: SeTakeOwnershipPrivilege         4928   2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe
Token: SeDebugPrivilege                 1644   alg.exe
Token: SeDebugPrivilege                 1644   alg.exe
Token: SeDebugPrivilege                 1644   alg.exe
Token: SeTakeOwnershipPrivilege         224    elevation_service.exe
Token: SeAuditPrivilege                 3868   fxssvc.exe
Token: SeRestorePrivilege               2188   TieringEngineService.exe
Token: SeManageVolumePrivilege          2188   TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege    3236   AgentService.exe
Token: SeBackupPrivilege                1116   vssvc.exe
Token: SeRestorePrivilege               1116   vssvc.exe
Token: SeAuditPrivilege                 1116   vssvc.exe
Token: SeBackupPrivilege                1460   wbengine.exe
Token: SeRestorePrivilege               1460   wbengine.exe
Token: SeSecurityPrivilege              1460   wbengine.exe
Token: 33                               1544   SearchIndexer.exe
Token: SeIncBasePriorityPrivilege       1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege         1544   SearchIndexer.exe
Token: SeDebugPrivilege                 224    elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                         pid    Process             procid_target
PID 1544 wrote to memory of 4104    1544   SearchIndexer.exe   120
PID 1544 wrote to memory of 4104    1544   SearchIndexer.exe   120
PID 1544 wrote to memory of 2380    1544   SearchIndexer.exe   121
PID 1544 wrote to memory of 2380    1544   SearchIndexer.exe   121
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 4928
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID: 1644
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 224
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 4136
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 1316
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 1128
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 3296
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 2796
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 3868
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 3332
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 3988
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 4860
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 4180
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1352
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 1928
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2652
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 4452
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 3972
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 2188
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3236
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 4296
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1116
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1460
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2160
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1544
    C:\Windows\system32\SearchProtocolHost.exe (child of PID 1544)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 4104
    -
    C:\Windows\system32\SearchFilterHost.exe (child of PID 1544)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 2380
-
Network
MITRE ATT&CK Enterprise v15
Downloads