Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 10:29

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_ea27a9156c97e178301c0ecfa1b2cc0b_ryuk.exe
Resource: win7-20240221-en

Note the two resources: the Analysis header describes a windows10-2004_x64 run, while the behavioral1 task entry names win7-20240221-en. The System32 paths in the signatures below (SgrmBroker.exe, OpenSSH\ssh-agent.exe) exist only on Windows 10, so those signatures belong to the Windows 10 run.
General

Target: 2024-04-03_ea27a9156c97e178301c0ecfa1b2cc0b_ryuk.exe
Size: 2.1MB
MD5: ea27a9156c97e178301c0ecfa1b2cc0b
SHA1: 369577aa54d316e388449d7a588880cb76778689
SHA256: 2ed5b80c398769acb861b6b70b3d24b2cecf8d0689412e710f1e2b4fd30e6d8e
SHA512: 4c36854357f1a89851f27194422075fafc40383d178eb9a1b0e223e231246c013b1d1b458be8fd88ed0c21d193aba7ecb974879166ecded8864e0f429b2147b6
SSDEEP: 49152:UsOwbb13ntb+g2nxDv1PZ1LTbEd5/IbsT0:UI13tb+Z3A0bs

The filename is the submission date, the MD5 and a "ryuk" label. That label comes from the submitted filename; the signature list below contains no family detection, and the Malware Config section is empty.
Malware Config
Signatures
Executes dropped EXE (22 IoCs)

pid  | Process
1348 | alg.exe
3796 | elevation_service.exe
2608 | elevation_service.exe
396  | maintenanceservice.exe
2988 | OSE.EXE
4840 | DiagnosticsHub.StandardCollector.Service.exe
1792 | fxssvc.exe
3756 | msdtc.exe
736  | PerceptionSimulationService.exe
4756 | perfhost.exe
3180 | locator.exe
3232 | SensorDataService.exe
368  | snmptrap.exe
2404 | spectrum.exe
1644 | ssh-agent.exe
3136 | TieringEngineService.exe
4612 | AgentService.exe
5012 | vds.exe
4244 | vssvc.exe
5060 | wbengine.exe
2692 | WmiApSrv.exe
3192 | SearchIndexer.exe

None of these is a new binary: every image is a stock Windows or third-party service executable at its normal install path. Apart from the two elevation_service.exe instances, each name also appears below under "opened for modification" (alg.exe written by the sample itself, the System32 services by elevation_service.exe, OSE.EXE by alg.exe), so the pattern is the sample overwriting existing executables and the patched executables then being run, not a conventional dropper writing new files. The Program Files list is capped at 64 entries, so the absence of elevation_service.exe from it is not conclusive.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoCs are listed for this signature in this run.
Drops file in System32 directory (24 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_ea27a9156c97e178301c0ecfa1b2cc0b_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\68095b4d46f975ab.bin | alg.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{6A1BB60F-884E-44C2-837C-FAE44753B873}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{6A1BB60F-884E-44C2-837C-FAE44753B873}\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | elevation_service.exe
Drops file in Windows directory (2 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
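The three file-write tables above are the substance of this report, and the check a responder wants from them is which process patched which binary and whether every image in "Executes dropped EXE" was itself one of the modified files. The Python script below is an added example for this page, not output of the sandbox or code from any tool the report references. It parses the report's flattened "File opened for modification <path> <process>" rows (the full System32 table and a five-row excerpt of the Program Files table are embedded verbatim as its input), counts writes per writer and top-level directory, and reconciles the executed image names against the modified paths. Because the report caps the Program Files table at 64 rows, a name can legitimately come back as having no recorded writer.

```python
"""Reconcile a sandbox report's flattened file-write IoCs with its executed-process list.
Input is taken from the report on this page: the full 'Drops file in System32 directory'
table (24 rows) plus an excerpt of the 'Drops file in Program Files directory' table."""
from collections import Counter, defaultdict
import ntpath

MARKER = "File opened for modification "

# Rows may sit one per line (as here) or run together on one line (as the report page
# flattens them); parse_file_iocs() splits on the description text either way.
SYSTEM32_IOCS = r"""
File opened for modification C:\Windows\system32\SgrmBroker.exe elevation_service.exe
File opened for modification C:\Windows\system32\TieringEngineService.exe elevation_service.exe
File opened for modification C:\Windows\system32\vssvc.exe elevation_service.exe
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe elevation_service.exe
File opened for modification C:\Windows\system32\AppVClient.exe elevation_service.exe
File opened for modification C:\Windows\system32\fxssvc.exe elevation_service.exe
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe elevation_service.exe
File opened for modification C:\Windows\system32\wbengine.exe elevation_service.exe
File opened for modification C:\Windows\System32\alg.exe 2024-04-03_ea27a9156c97e178301c0ecfa1b2cc0b_ryuk.exe
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe elevation_service.exe
File opened for modification C:\Windows\system32\msiexec.exe elevation_service.exe
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe elevation_service.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\system32\spectrum.exe elevation_service.exe
File opened for modification C:\Windows\system32\AgentService.exe elevation_service.exe
File opened for modification C:\Windows\system32\SearchIndexer.exe elevation_service.exe
File opened for modification C:\Windows\system32\dllhost.exe elevation_service.exe
File opened for modification C:\Windows\System32\msdtc.exe elevation_service.exe
File opened for modification C:\Windows\SysWow64\perfhost.exe elevation_service.exe
File opened for modification C:\Windows\system32\locator.exe elevation_service.exe
File opened for modification C:\Windows\System32\SensorDataService.exe elevation_service.exe
File opened for modification C:\Windows\System32\snmptrap.exe elevation_service.exe
File opened for modification C:\Windows\System32\vds.exe elevation_service.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\68095b4d46f975ab.bin alg.exe
"""

# Excerpt only; the report's full 64-row table is consumed the same way.
PROGRAM_FILES_EXCERPT = r"""
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE alg.exe
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe elevation_service.exe
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe alg.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe alg.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe elevation_service.exe
"""

# 'Executes dropped EXE' rows from the report: (pid, image name).
EXECUTED = [
    (1348, "alg.exe"), (3796, "elevation_service.exe"), (2608, "elevation_service.exe"),
    (396, "maintenanceservice.exe"), (2988, "OSE.EXE"), (1792, "fxssvc.exe"),
    (4840, "DiagnosticsHub.StandardCollector.Service.exe"), (3756, "msdtc.exe"),
    (736, "PerceptionSimulationService.exe"), (4756, "perfhost.exe"), (3180, "locator.exe"),
    (3232, "SensorDataService.exe"), (368, "snmptrap.exe"), (2404, "spectrum.exe"),
    (1644, "ssh-agent.exe"), (3136, "TieringEngineService.exe"), (4612, "AgentService.exe"),
    (5012, "vds.exe"), (4244, "vssvc.exe"), (5060, "wbengine.exe"), (2692, "WmiApSrv.exe"),
    (3192, "SearchIndexer.exe"),
]


def parse_file_iocs(flat):
    """Return (path, writer_process) pairs from a flattened 'File opened for modification' table.
    Paths may contain spaces ('Program Files (x86)') but process names never do, so the writer
    is the last whitespace-separated token. Chunks without a backslash (the column header) are skipped."""
    records = []
    for chunk in flat.split(MARKER):
        chunk = chunk.strip()
        if "\\" not in chunk:
            continue
        path, process = chunk.rsplit(None, 1)
        records.append((path, process))
    return records


def writes_by_root(records):
    """Count writes per (writer, drive + top-level directory), e.g. ('alg.exe', 'c:\\program files')."""
    counts = Counter()
    for path, process in records:
        root = "\\".join(path.lower().split("\\")[:2])
        counts[(process, root)] += 1
    return counts


def reconcile_executed(executed, records):
    """Map each executed image name to the processes that opened a file of that name for modification.
    Names with no recorded writer are returned separately (hidden by the 64-row cap, or genuinely untouched)."""
    writers = defaultdict(set)
    for path, process in records:
        writers[ntpath.basename(path).lower()].add(process)
    names = sorted({name for _, name in executed}, key=str.lower)
    explained = {n: writers[n.lower()] for n in names if n.lower() in writers}
    unexplained = {n for n in names if n.lower() not in writers}
    return explained, unexplained


if __name__ == "__main__":
    records = parse_file_iocs(SYSTEM32_IOCS) + parse_file_iocs(PROGRAM_FILES_EXCERPT)
    for (proc, root), n in writes_by_root(records).most_common():
        print(f"{n:3d} writes under {root} by {proc}")
    explained, unexplained = reconcile_executed(EXECUTED, records)
    for name, who in explained.items():
        print(f"{name}: written by {', '.join(sorted(who))}")
    print("executed without a recorded writer:", sorted(unexplained))
```

Run against the embedded rows it reports 21 System32 writes by elevation_service.exe, one by the sample (alg.exe) and one each by alg.exe and msdtc.exe, and elevation_service.exe as the only executed image with no recorded writer. On a suspect host the same path list is the input for an integrity pass, for instance Get-AuthenticodeSignature in PowerShell over each path: a system binary that has been patched in place will no longer verify as Valid.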
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

Every read in this list comes from SensorDataService.exe (pid 3232) or spectrum.exe (pid 2404), two of the infected Windows service binaries listed above. Both enumerate plug-and-play devices as part of their normal function, and the keys touched (device Properties and FriendlyName) are the ones that enumeration reads, so this is weak evidence of sandbox detection by the sample itself.

All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted in the ioc column).

description | ioc | Process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

Both reads come from TieringEngineService.exe (pid 3136), one of the infected service binaries; reading ~MHz under CentralProcessor\0 is the routine way to obtain the CPU clock speed, so on its own this is weak evidence of evasion.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)

All writers are the Windows Search host processes (SearchIndexer.exe, SearchProtocolHost.exe, SearchFilterHost.exe) and the Fax service (fxssvc.exe), writing to the .DEFAULT profile because they run as services. The keys touched are MuiCache strings, FileExts\OpenWithList entries, Shell Extensions\Cached stamps and DirectShow device enumeration, which is what these services write when they first index a machine. None of the listed keys is a run key or service configuration.

All keys are under \REGISTRY\USER\.DEFAULT\ (prefix omitted in the ioc column).

description | ioc | Process
Key created | Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003521c4f3b185da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | Software | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | Software | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Key created | SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070a80bf4b185da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Key created | SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b34d7f3b185da01 | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013bcfff3b185da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7fb9df3b185da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d732f6f3b185da01 | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053f9dbf3b185da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3796 elevation_service.exe
3796 elevation_service.exe
3796 elevation_service.exe
3796 elevation_service.exe
3796 elevation_service.exe
3796 elevation_service.exe
3796 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3984 2024-04-03_ea27a9156c97e178301c0ecfa1b2cc0b_ryuk.exe
Token: SeDebugPrivilege 1348 alg.exe
Token: SeDebugPrivilege 1348 alg.exe
Token: SeDebugPrivilege 1348 alg.exe
Token: SeTakeOwnershipPrivilege 3796 elevation_service.exe
Token: SeAuditPrivilege 1792 fxssvc.exe
Token: SeRestorePrivilege 3136 TieringEngineService.exe
Token: SeManageVolumePrivilege 3136 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4612 AgentService.exe
Token: SeBackupPrivilege 4244 vssvc.exe
Token: SeRestorePrivilege 4244 vssvc.exe
Token: SeAuditPrivilege 4244 vssvc.exe
Token: SeBackupPrivilege 5060 wbengine.exe
Token: SeRestorePrivilege 5060 wbengine.exe
Token: SeSecurityPrivilege 5060 wbengine.exe
Token: 33 3192 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3192 SearchIndexer.exe
Token: SeDebugPrivilege 3796 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3192 wrote to memory of 2736 3192 SearchIndexer.exe 121
PID 3192 wrote to memory of 2736 3192 SearchIndexer.exe 121
PID 3192 wrote to memory of 912 3192 SearchIndexer.exe 122
PID 3192 wrote to memory of 912 3192 SearchIndexer.exe 122
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_ea27a9156c97e178301c0ecfa1b2cc0b_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_ea27a9156c97e178301c0ecfa1b2cc0b_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3984
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1348
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2608
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:396
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2988
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:4840
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3964
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3756
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:736
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4756
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3180
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3232
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:368
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2404
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:1644
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:396
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3136
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4612
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:5012
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4244
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2692
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2736
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:912
-
Network
MITRE ATT&CK Enterprise v15
Downloads