Analysis
  max time kernel:  149s
  max time network: 151s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240226-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        03/04/2024, 10:33

Static task:     static1
Behavioral task: behavioral1
  Sample:   2024-04-03_f31ef8175f9b79650d775487c288e561_ryuk.exe
  Resource: win7-20240221-en

General
  Target: 2024-04-03_f31ef8175f9b79650d775487c288e561_ryuk.exe
  Size:   2.2MB
  MD5:    f31ef8175f9b79650d775487c288e561
  SHA1:   ebb96a53fbe89c45b787bbf288984254f6f0ffdc
  SHA256: d71315f5cfe9a94477821c755425459015a40beadacd3c68359329634b34cd07
  SHA512: 68a3de5db625a06fb21933ece7bcf6c5edc7c608beb72820db9062a7f85215fc99066d32a48d2b8ef623eb81b71e7855cbec3b70fc0b69c1aa9d27ca935ddde8
  SSDEEP: 49152:KWWu1zKeIxNj2bchBluP3GiyBKDKd5/IbsT0:KWBMNj3Zo20bs
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
  pid   Process
  3208  alg.exe
  4900  elevation_service.exe
  3716  elevation_service.exe
  1280  maintenanceservice.exe
  1728  OSE.EXE
  3268  DiagnosticsHub.StandardCollector.Service.exe
  4164  fxssvc.exe
  3180  msdtc.exe
  4592  PerceptionSimulationService.exe
  2664  perfhost.exe
  784   locator.exe
  2140  SensorDataService.exe
  4924  snmptrap.exe
  3808  spectrum.exe
  2976  ssh-agent.exe
  3660  TieringEngineService.exe
  3320  AgentService.exe
  4896  vds.exe
  4812  vssvc.exe
  4916  wbengine.exe
  3744  WmiApSrv.exe
  2204  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
  File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  (elevation_service.exe)
  File opened for modification: C:\Windows\DtcInstall.log  (msdtc.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened:        \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (TieringEngineService.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (TieringEngineService.exe)
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4900 elevation_service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found (2 entries)
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4228 2024-04-03_f31ef8175f9b79650d775487c288e561_ryuk.exe
Token: SeDebugPrivilege 3208 alg.exe (3 entries)
Token: SeTakeOwnershipPrivilege 4900 elevation_service.exe
Token: SeAuditPrivilege 4164 fxssvc.exe
Token: SeRestorePrivilege 3660 TieringEngineService.exe
Token: SeManageVolumePrivilege 3660 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3320 AgentService.exe
Token: SeBackupPrivilege 4812 vssvc.exe
Token: SeRestorePrivilege 4812 vssvc.exe
Token: SeAuditPrivilege 4812 vssvc.exe
Token: SeBackupPrivilege 4916 wbengine.exe
Token: SeRestorePrivilege 4916 wbengine.exe
Token: SeSecurityPrivilege 4916 wbengine.exe
Token: 33 2204 SearchIndexer.exe (privilege LUID 33, which the sandbox did not resolve to a name; it is SeIncreaseWorkingSetPrivilege)
Token: SeIncBasePriorityPrivilege 2204 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2204 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 4900 elevation_service.exe
-
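The entries worth attention in the privilege list are the first two: the sample itself (PID 4228, running from the user's Temp directory) enabling SeTakeOwnershipPrivilege, and its alg.exe stage (PID 3208) enabling SeDebugPrivilege, which is consistent with taking ownership of TrustedInstaller-owned service binaries under System32 before overwriting them. The other entries (vssvc.exe, wbengine.exe, TieringEngineService.exe, SearchIndexer.exe) are privileges those services enable in normal operation. As an added example, not part of the sandbox report, the PowerShell below hunts a host's Security log for the same pattern. It assumes Windows 10 / Server 2016 or later with "Audit Token Right Adjusted" enabled so that event 4703 ("A user right was adjusted") is written, and uses that event's field names (ProcessName, ProcessId, EnabledPrivilegeList, SubjectDomainName, SubjectUserName); the image allowlist is illustrative and must be tuned per host.

```powershell
# Added example, not code from the sandbox report: hunt the Security log for processes that
# enabled the privileges the report shows the sample (PID 4228, SeTakeOwnershipPrivilege)
# and its alg.exe stage (PID 3208, SeDebugPrivilege) adjusting.
# Assumptions: Windows 10 / Server 2016 or later with "Audit Token Right Adjusted" enabled,
# so event 4703 is written; $ExpectedImages is an illustrative allowlist to tune per host.
$Watched = @('SeTakeOwnershipPrivilege', 'SeDebugPrivilege')
$ExpectedImages = @(
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\services.exe',
    'C:\Windows\System32\lsass.exe',
    'C:\Windows\System32\SearchIndexer.exe'    # takes ownership legitimately, as the report also shows
)

function Get-SuspiciousPrivilegeAdjustments {
    param(
        [int]$Hours = 24,
        [string[]]$Privileges = $Watched,
        [string[]]$Allowlist = $ExpectedImages
    )
    $filter = @{ LogName = 'Security'; Id = 4703; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData fields out of the event XML by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # EnabledPrivilegeList is a whitespace-separated list of privilege names.
        $enabled = ($data['EnabledPrivilegeList'] -split '\s+') | Where-Object { $_ }
        $hits    = $enabled | Where-Object { $Privileges -contains $_ }
        $image   = $data['ProcessName']

        # Report only images outside the allowlist; a binary under a user's Temp directory
        # (where the report's sample ran from) is the case worth paging on.
        if ($hits -and ($Allowlist -notcontains $image)) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                ProcessId  = [int]$data['ProcessId']        # the event stores this as a hex string
                Image      = $image
                Privileges = ($hits -join ',')
                Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                UserTemp   = ($image -like '*\AppData\Local\Temp\*')
            }
        }
    }
}

Get-SuspiciousPrivilegeAdjustments -Hours 48 | Sort-Object Time | Format-Table -AutoSize
```

Event 4703 is high volume on a busy host because svchost.exe and other system images adjust privileges constantly, which is why the allowlist exists; the signal to act on is SeTakeOwnershipPrivilege or SeDebugPrivilege enabled by an image that is not a known service host, and above all one flagged UserTemp.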
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2204 wrote to memory of 2564 2204 SearchIndexer.exe 122
PID 2204 wrote to memory of 2564 2204 SearchIndexer.exe 122
PID 2204 wrote to memory of 2732 2204 SearchIndexer.exe 123
PID 2204 wrote to memory of 2732 2204 SearchIndexer.exe 123
All four entries are SearchIndexer.exe writing into the SearchProtocolHost.exe (PID 2564) and SearchFilterHost.exe (PID 2732) children it launches, which the indexer does in normal operation; the finding is that the SearchIndexer.exe doing it is one of the overwritten binaries, not the write itself.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the service host vssvc.exe (PID 4812) is started as a dropped executable and enables SeBackupPrivilege and SeRestorePrivilege. The report records no shadow-copy deletion, but because this API is the usual route by which ransomware removes restore points, confirm which shadow copies survive on an affected host before relying on them for recovery.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_f31ef8175f9b79650d775487c288e561_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_f31ef8175f9b79650d775487c288e561_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4228
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3716
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1280
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1728
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3268
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1252
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4164
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3180
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4592
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2664
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:784
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2140
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4924
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3808
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2976
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4988
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3660
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3320
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4896
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4812
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3744
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
  (child of PID 2204) C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2564
  -
  (child of PID 2204) C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:2732
-
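The process tree above is the infection pattern this report documents: the sample overwrites service executables (the Windows services plus the Chrome, Edge, Mozilla and Office Source Engine services) and the modified binaries are then started as services, each flagged "Executes dropped EXE". As an added example, not part of the sandbox report, the PowerShell below checks those same paths on a suspect host for a broken Authenticode signature and compares their SHA256 with hashes from the Downloads section, then lists the shadow copies that still exist, since the report flags use of the VSS COM API and starts vssvc.exe. It assumes an elevated session on the suspect host; the two hashes in $KnownBad are copied from the Downloads section below (the report does not say which path each belongs to), and the third-party paths only exist where those products are installed.

```powershell
# Added example, not code from the sandbox report.
# Assumes: elevated PowerShell on the suspect host; the paths below are the ones the report
# lists under "Drops file in System32 directory" and "Executes dropped EXE".
$Binaries = @(
    "$env:SystemRoot\System32\alg.exe",
    "$env:SystemRoot\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe",
    "$env:SystemRoot\System32\fxssvc.exe",
    "$env:SystemRoot\System32\msdtc.exe",
    "$env:SystemRoot\System32\PerceptionSimulation\PerceptionSimulationService.exe",
    "$env:SystemRoot\SysWOW64\perfhost.exe",
    "$env:SystemRoot\System32\locator.exe",
    "$env:SystemRoot\System32\SensorDataService.exe",
    "$env:SystemRoot\System32\snmptrap.exe",
    "$env:SystemRoot\System32\spectrum.exe",
    "$env:SystemRoot\System32\OpenSSH\ssh-agent.exe",
    "$env:SystemRoot\System32\TieringEngineService.exe",
    "$env:SystemRoot\System32\AgentService.exe",
    "$env:SystemRoot\System32\vds.exe",
    "$env:SystemRoot\System32\vssvc.exe",
    "$env:SystemRoot\System32\wbengine.exe",
    "$env:SystemRoot\System32\wbem\WmiApSrv.exe",
    "$env:SystemRoot\System32\SearchIndexer.exe",
    "$env:SystemRoot\System32\AppVClient.exe",
    "$env:SystemRoot\System32\msiexec.exe",
    "$env:SystemRoot\System32\SgrmBroker.exe",
    "$env:SystemRoot\System32\dllhost.exe",
    "C:\Program Files\Google\Chrome\Application\*\elevation_service.exe",
    "C:\Program Files (x86)\Microsoft\Edge\Application\*\elevation_service.exe",
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe",
    "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
)

# Two SHA256 values copied from the report's Downloads section; the report does not map them to paths.
$KnownBad = @(
    '7fc2efd2208fef0a953f82799d35226ef134c364f07d58c34f57691338b7dff9',
    '12fc5cea52174aacd23f2d74fdd9269c3c8f4ed9dc16d8f71b333e411d0e9669'
)

function Test-ServiceBinaryIntegrity {
    param([string[]]$Paths, [string[]]$BadHashes)
    foreach ($pattern in $Paths) {
        # Get-Item resolves the wildcard in the Chrome/Edge version folders; missing files are skipped.
        foreach ($file in (Get-Item -Path $pattern -ErrorAction SilentlyContinue)) {
            $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
            $sha256 = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Path      = $file.FullName
                SizeKB    = [int]($file.Length / 1KB)
                Modified  = $file.LastWriteTime     # can be timestomped; treat as a hint only
                SigStatus = $sig.Status             # anything but 'Valid' on a service binary is a finding
                Signer    = $signer
                SHA256    = $sha256
                KnownBad  = ($BadHashes -contains $sha256)   # -contains is case-insensitive
            }
        }
    }
}

$results = Test-ServiceBinaryIntegrity -Paths $Binaries -BadHashes $KnownBad

# A service binary that no longer validates, or matches a hash from the report, should be
# restored from install media or a known-good host before its service is started again.
$results | Where-Object { $_.SigStatus -ne 'Valid' -or $_.KnownBad } |
    Format-Table Path, SizeKB, Modified, SigStatus, Signer, KnownBad -AutoSize

# The report flags use of the VSS COM API and starts vssvc.exe; record which shadow copies
# still exist before anything else touches the volume.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, VolumeName, InstallDate |
    Format-Table -AutoSize
```

File size is a useful second hint alongside the signature check: every file in the Downloads section is between 1.1 MB and 24 MB, while stock alg.exe and snmptrap.exe are well under 1 MB, so a megabyte-sized copy of either is suspect even if its signature check is inconclusive. Restart the affected services only after the binaries have been replaced, since starting them is exactly how the overwritten copies execute in the tree above.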
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.1MB
MD5: 728c97fda2d2223726a3eb0f51bf2e34
SHA1: 43e9f487bbaa3227f9c9ec4ef44a8c985f1245e3
SHA256: 7fc2efd2208fef0a953f82799d35226ef134c364f07d58c34f57691338b7dff9
SHA512: 4b847c261fe0b5c882bccf8172d43b476514712522466d92f5feeac3f19254dd82b5d5e46aa180d848d40a238848ae2dcc459cb4723ee499c101d7d25bbd0c57
-
Filesize: 1.4MB
MD5: fcca460f24aa4267abcabccf00d63e8d
SHA1: 53c55baba30488eee4222b83b8e9a69ff11bdbc0
SHA256: 12fc5cea52174aacd23f2d74fdd9269c3c8f4ed9dc16d8f71b333e411d0e9669
SHA512: 8aad726edceba8586bd6c5022f08cba4659464fb34feb3a7ddf64c67e413ffdced3f725b029ce9d94f447b276cbe681a62707742679f849904bd410de3a0a997
-
Filesize: 1.7MB
MD5: 7219fae8fcf5b0b697235149f86f07f4
SHA1: 9a085f5fa32716a406effb6179e4b992ae282348
SHA256: 53e63a5a0906d222c0a8d51e12a1843401b08f88d919a0051adf5cc351df79e2
SHA512: c54e505eb027fefa6855ffe2a667ab86d624363e475a6b92269d6f214f707270cfa3c536b6378a548ec414fc3e67aee4182e7cf16e0f7b9b168766200da2af1f
-
Filesize: 1.5MB
MD5: 16ad1401085b1b6675a60a6e50da88ed
SHA1: af703295b96d8df9f8e0f1ca39eba67a5d465c71
SHA256: 60048b0e481aac7db18680c3cc9215843b68d3c28871359e94d93d7735ac70af
SHA512: 4c84058b7810ff034a6b3b1d2697297dfc88a15d05fa099b1245cb137cef288d0c332ac68f079aa1b46eaf1f8175bcf14e580873c5fea90f5c3aa41dd059be90
-
Filesize: 1.2MB
MD5: e5bb1ee5d475592a721cd2f77ed5c1cb
SHA1: dd96aded831c9cd23f3d4f3b9789ed88920c80d9
SHA256: 73bd065c850a2072ee9cc969eb1ec9e984dc69d5bd5d395c56ca5b7b8091e76e
SHA512: e6e763e3b3f30cd0c200b0292930be56c0e3354b2d35133f78695d3e0a18288e22ce9e6c3d5729880e33d0da7d2e65479c4a68463ad5b94dfc2d735e48fa1312
-
Filesize: 1.2MB
MD5: 8f9c228ca82e199b4fc5aa535d8ee1a6
SHA1: fc8466807f739e222d7203ca8f5e8db1342964ff
SHA256: 75559ed067807f613dbaeb117da6b121323467389913735a1d454ba1fb9837c2
SHA512: b4e547d74c0fce8686bbe76ccde139e09a5ddefff2fce766f04deb8a4e0ddc6feea8845093f35425fffb1ec657dc4a4b408ba94e4a3d89438701eba3605454ce
-
Filesize: 1.4MB
MD5: e9a4bea9d0c5c60df148878eb3ba8144
SHA1: 92833a75399974917616fb9aa4634ca669d2406f
SHA256: 9f2053ddbf832ad4f96b3e6797680a9710c2e8e9dd00a6dc7ceb399e208d3bd8
SHA512: 94385973904f6d148e9460e65dea9e1718b55be6481dfd2c5cd6654831ac971dc2aae0eabb0be191fe5713e0179cfb9be0a510de63e6c8426bbdbc040ee33352
-
Filesize: 4.6MB
MD5: ac2c42c60106fde255283daa191013f4
SHA1: 990c2091de2c7f1243a55abcb89784547f0aba64
SHA256: 3a9a22d6a445cf6433309eba0c3946f6e58c326bd554044fdd675f1053f8a5e2
SHA512: 111e47e8908fbbb3471819859774fe6da1c042288fe2017a1d09d392cf5077f2e4d4fe3fb9008201a6da61ae8356478e6218555e41700d3c2ca7f647032013ad
-
Filesize: 1.5MB
MD5: 873a88975e27b12de8dffa8b7e60102a
SHA1: b7b125fde7c3a46b3e5515d0faa3b11a01e940aa
SHA256: 205966c9960eff93bf37c65eeee5e962898d89a39eb1464b9cbca29a61882a0c
SHA512: 7958eb40441d575cc8c6a03c0c9ab60ff156fc3905162def886d08dcebb11984e690572dd156f1364e07eb56c1e03fa6e2d70d191d811db11343c83da9b09b89
-
Filesize: 24.0MB
MD5: ca5d3736f5042383f272fc7280507793
SHA1: 61aa0a1587f9a739fe491b15315ef85e5dc5b18f
SHA256: cf4fc546601f4e988a9adce2ecc9b0137410a6f8dcb6b979cdbc6826dfb6a690
SHA512: 2ec8bb3419f7c2529fa319ee070e96222820678e15061f22a83206269b93b1ce37ca4b833230fa7fb97ca2400b10f3174ed1f2c3eb2df56db48461ec8138f426
-
Filesize: 2.7MB
MD5: 635e6e808fab0b4ee42c8073fcc0744e
SHA1: 6525e467d36ec935f9ee41a1d571cacd6fedbba4
SHA256: b10226d8bc2f280681cef28ef192788edd8c50bbed1ddd6537616fc1643d1c34
SHA512: ed10939e19eafd0ec73b691432239f63646745d3a5ef8c9dbaab21af66079e35e39d8bbc6947a939f0eba08455a43219cb196a01cbac23c96438e16acd694381
-
Filesize: 1.1MB
MD5: 57a481a64317a039b76c00cde91be4ec
SHA1: ec01a10cf865f216be382ef45231b50198877cc1
SHA256: 3d1c17f278b49d881ff18bfcd9c8a97e1f7d7307f69d2a200aa9f09e31bf324a
SHA512: cb540a983c9987deb470ce166c42ac2a3289818668e444407fb80f41f7ed6237a7ee6e273b172fcaee07220d9d370138a5a632064e4d994930a5aa68aa2aa4e5
-
Filesize: 1.4MB
MD5: f0718e01d0baff042139e98eb17a5b8a
SHA1: 585c8e0a425fd90f36a749965928ad082527bceb
SHA256: 0873d1b5ae06e97cde1d6d547823f89abb948a929446623f2174fb20ba4e022f
SHA512: d4924c0bcc49ba09f7aa76a8c6fb404945aee5d7b03b0eb8e6e8d71b57fdb35190a970d80d49f9146cf639427394f50a5e068ddf489cf2307dd2c5def54d45fa
-
Filesize: 1.3MB
MD5: 6ba598724d4a0d1e1155737989505f9b
SHA1: 513b29f9bc9a9c13b83b270aea8aa68c4c482ed6
SHA256: 641bb5b4ff47b8f1d83a77407e8fe36be3aac2bfcf05a852c23019a69b38477d
SHA512: 2078088ede2ac0a69e9650be9a4d0b959b24b603e6087ff7d2ccd5fd858dd56dc78743f2159518f86a45ba0779f2f5ea8589ba604812666c1d8e6b0dc0a84635
-
Filesize: 4.8MB
MD5: 4a8118d775650c5c10df787839ed317c
SHA1: 11f59f856919042bbf801ba639d44ecbcaa5f8b9
SHA256: d293b6de7e3b56346443a688b1f380067e40826bf205a3c90a339d41872f12b8
SHA512: b1c33bf859ec27de4e3d2a7dbb022a960ca17597c41476478ae443cd093b96cdfce8c25238dba17b3ce6e1007d9d4ba0d4059a8c737764c80a3b61bf6e94d111
-
Filesize: 4.8MB
MD5: 48e87d486456f74e4a9cd44f82e601e4
SHA1: 6351bec3c1c0f601cae6f3905cb0a5cc4590cccb
SHA256: e3082640db282aa049a4245cb1cb2dce5330388c7f2ae428d7db8cc02cf13906
SHA512: 80b19bd9fed247f07b3904acfc2587d85e3e12771fdaac94e94f5e34791b780fc46b4226e4312720e337c278ba0b47ac51afb31bac78acdb4092b6cb0a6fb93d
-
Filesize: 2.2MB
MD5: 2122416f679d01e79a19935d00c8b1b7
SHA1: c87927c3f6a1d986a981184761cf29fb234a6993
SHA256: 00f59d67162d343213d232b8bfa51a4672b860a35f2c1b592399ddf0e431d360
SHA512: b9f5454703a83bda587205ca6fead395a141ae0d7b590b61d651ab6cee7bd55d31b15a2781cdc258716e9c0b514312a1aa86ef36fef7b1efbf5f1424505781e3
-
Filesize: 2.1MB
MD5: 6fc12a6cf19967cf3e62efe2ac00ba24
SHA1: 3202c1d49e066d8e438ee6f28e610cf500031202
SHA256: 3a2d49d826713bea64087c8d82daf4e7c9b3c55ba0c51422cc06ea557cf519a0
SHA512: 6bb5bc744655b27504b9310521bd3d1ab151a2dc0d948bf700601bf3c351eb14f34e6d255e7ac8854762e3f6030b779be882b03ea7a64ca8e3b930fd3395a6a7
-
Filesize: 1.8MB
MD5: 00298c2d699656cc5e870f8c04629597
SHA1: e3637f90b8c30a1dce1fb0f38e31260817882de5
SHA256: 35f65b5c26751c41b7f9138fee25654b8c0d0418919e9b1d4d8e13e0553eea4e
SHA512: 0ae8fc85d8c550b486f0e782e7b00e6151338542c6b76c48e8dd8f4196736e285caddaf53f84ed5a634eaaed783374bddc3c4203c2634ff587d318f827e95d58
-
Filesize: 1.5MB
MD5: 9aa5ad8cbe64cef8f3d34296a3954ff2
SHA1: 508356c995a85cda611b7be8815dbaf470ca4b5f
SHA256: 7b917e5451c90ec1d61334c83cc0392aca314c754eb17cc6efe32f70f44e71a5
SHA512: 4c2b18ebfb1b37827982a2be0557c1aa66bd8d65c9fed719763714f828b3a92233fb79a3f4e81728dd9e6fc7cf859f226c15f50916cdd93fba7c1bff17696b36
-
Filesize: 1.2MB
MD5: bc009b90c47a207cc3c85c7e81ef6801
SHA1: 6ec741573ed19ddfc262d22b9818964569240f6a
SHA256: b664e3dcdb30c45b6c2c78485884a17d58b2c9140de071b8088e2782ab02f85e
SHA512: 04572f807a183c40eae34b3017f467a898e38734d5d85bbd3b34e5a08aa777bc2e606e2b24a5db37536cce5601a71931121d572afd3e0a50a14ac12cefc2fc7d
-
Filesize: 1.2MB
MD5: 485fb551e97d2368e48cf9f0cfef614c
SHA1: 706b9a93edb2b2aec38e47b71dab79a3fbc1dbfd
SHA256: 49314986db68447ab3cd39af478ac225555aea8f6d1e66298ec6806d11aca985
SHA512: 9fdf22cd531f243de5afa33f6feb880f96fb8a968fb4ea33737370aea57b056d1cf19a66762ad9e85107fab8892b712cdfbac490ecc76dd87843b30f7149d34f
-
Filesize: 1.2MB
MD5: fdb3e6658bde7de94006a3d0343744a5
SHA1: 0a44cccf83dda807cfc6d81e1fc4b551ce5280f6
SHA256: 605ba02b930464dc570dd7b9223e91f1d6b044c7c9f543564a0255de1f8fd9fb
SHA512: ac73311ba8619b6e953409b3566a82c629f49baa2a0c8c665a467750a9abec7c73f430ac25bf46559b92ab23949e6d4d86aa7f9e5723331e5d7f29100a5e0b8d
-
Filesize: 1.2MB
MD5: 8c47df06dc13497950c0fd9ace68fa66
SHA1: 6a2dd15f1d21dcc99dcba298776b0bd5c26484b8
SHA256: faabe0d92239203464d98c17c2f0fb7c46e3d18b29f344149661616a6885d288
SHA512: 6b3996e307b6a608d3399af90a3e2471c70c24f40ee2d524fac44eccc77874256f1bc66e82a87f76c4037c974b15903dd5211b686f2513a92b2a626030533364
-
Filesize: 1.2MB
MD5: caf5df6db773361be7b296c504d88579
SHA1: 657871ddafb36e1f532bbf9b909f47547427d2c7
SHA256: 4fc50e4aa4e842ab26313c49b4844b91aeb263bd93f164dfec517f0615545860
SHA512: 62c855baeb1fc2cf5622f6e7dc939899f71e7d4474e4ed89a57680fabf936efb342ec6321f24c8d09bf06be4a9dbcdf1a3437686002750d2427f55a425b996c4
-
Filesize: 1.2MB
MD5: e62e20e4a0ab307bbf4a9cbc95585b7b
SHA1: d14d6811f48124e56524bcba15978215be643073
SHA256: e131816e5f9b4fa6c146a61825752614b5e9d1884742901979a36de85a5061d0
SHA512: efd5a6471635e54d20b81baf71fc82b9c97a2ce89c6e69372d48a94867255ee00c8eb3c9a4767d9948fad7159e80ac8c23da79ad30375a0343332e93a06b3347
-
Filesize: 1.2MB
MD5: 226a6c2004fd6a9232fe368566992b4d
SHA1: 9399cff91865c6bc5b956f660564f9ab4c0ba866
SHA256: befb53fb34d17fad1f3856e7e75e20c08d5dc10a6880c38d8911be4c417c5a3e
SHA512: ff9534a9d4d7c06f429b6739f1337f6fe3b1db6d7af9653b581eccf511cf1f8d116ecd0e1147cf90c1b8ed1ed82a7ffd680adc0567f3751774cf7a5b70ef0d55
-
Filesize: 1.5MB
MD5: 0465c9dfb797507c3dd61bac8c19cf81
SHA1: c2ebea6f5d7d16dd829f1654fc57b70c57609fe0
SHA256: e78145a1d63be9157d34b4e41c3295faac6773ac3bc36ce62dd008402f3967d9
SHA512: 27a63622e9e7edc8b3f9ad85ff3919fa0778d4ec6f0c424e8566b0a5853abb9cbf3cbf4c9cc3ba04f4d67bb37944147ba5b1e13f83b200c3c9a8a8ce02b7a99d
-
Filesize: 1.2MB
MD5: d64a6f8c6f89bf21e3a3e4663a06d96a
SHA1: 34d7c39b853c5c68f26ad017f65228e035cce323
SHA256: 1d2e004a374dee305244d767104ec53f68715efd053b3ff3c2c58cc3b8cf61ec
SHA512: cbe5985b25e00e2b27dfd89a15eaa80eb37488d8bc008f3b5e09c2a30de9b6a7ed456ec676819be8a84c93ed98ad7b1c4a2870c7137122eec01f46804bbfe2c3
-
Filesize: 1.2MB
MD5: 79574a22aa477ec9a688f9928e8846b6
SHA1: da6a2558d406e3177f4b366f2df8d8b4e642b595
SHA256: a5df9de44a04945ee2878ff947c650e88b2e5053a71ea02e90a31aafa5e05f3d
SHA512: 922e3c995f51a463a203923adfac2798b1b688912b45e3143a375f852d67f561307464935038ecc0140cc72c8941696c0c468464c4cb65d0acd24d9db53c816e
-
Filesize: 1.3MB
MD5: 916ef77c4104d68be2eb4f00cfdd688f
SHA1: 950ba9ad7c882ad476060cbc08f939f6da9ba3b1
SHA256: 2ceb4c47bd491a089c52efd7fb06975316eb25deacf11d8d099280e6d0a378d7
SHA512: bfc17b3466c33df25b0456d8fd19a98da1b099dd0b997ef329349f541be731b27660273316bd64fd396291745829996b85fe3db20a6faae97da9d64c879c997e
-
Filesize: 1.2MB
MD5: 5df5ed72990adc3ed9e80c9ab84bce88
SHA1: 8e20ad08cc5e743dcf89ee594ca4cdfae8ed5761
SHA256: 8efcb4b056f5214c6310cdc9b2c39faba6e3c978ce4cc3323f87eb867ad9a143
SHA512: afcb5ccd287cc923cfa56d553f789904bf26d368434fc67a5ea430f76b92d1ab25e3bac753e556ee674c5191283fc54ea8662fcaddedfc0c7182ab746ae737e4
-
Filesize: 1.2MB
MD5: f0f6aa30ed240703f8e425f3e922d6f7
SHA1: 7040287ac8987c3d7f8b2e7f6ee5a42ed5790c7c
SHA256: d5668d97e3263b81240728c55dd99867b6523ff41d4f426e9716969b2d0de6de
SHA512: 74e162f4f479cef5efb9104ee3cd49d87c461373a08d7792d9c9a7fad8602efd9788ea85c2f6392ad72cb416afe8f5f5bd1b4018cecc4c428e395276cee8b916
-
Filesize: 1.3MB
MD5: 34487c1941d1db4b141de78ca8d0b2d9
SHA1: a3175983300a6d2748d6864048af7091a9756b6b
SHA256: ac18ceb9844103b3ae5809ba11dd6327fc1d2aa005fd0e83208ddd8d808b4fda
SHA512: 097b801030e288e77480e65b7a94acced7f4f810ad7f64451db438fe319c0f8cb6c83b9b1430efbf5ef991e315d0856b62c8db7b79c36891a6e584db8df9d7fb
-
Filesize: 1.5MB
MD5: 2475006e536667e2e622bae9487119d6
SHA1: 66864a11fe63a72dd7248ab68ae1fe374650ac80
SHA256: 65865acd3c56138d428cffe3d7be785c24cf1631115ae6c69338f9b14006b380
SHA512: 8268b15077d72d7c4e4f4e0a02c6420ae507e4cf6e0a82dc301221e4d8e84f4ae87f70b12c305561aa4abc26f31bed091ed8afb7bd0d0b8617f816c70cd4f750
-
Filesize: 1.6MB
MD5: e671422477d1ad4d2df28520de3e0908
SHA1: 1af8e9075eab99a1d0b192e346dea65aa9d0f196
SHA256: 5f8f15122b12c8386582f6bc5d1349b260a62a1997e3381cd6c7f38f5c82c0d0
SHA512: c399fb9ef2e69767fc5516a9b98872b72bcf459e51b412fb4ef2aa160ca98088a5a99911d868a55d1cb1365df686e35b9a06ba06228525a2a5ffc8ff8bb99790
-
Filesize: 1.2MB
MD5: b303862f61f813e22f35ca6b3bf56c96
SHA1: c3c58bd081dc2a5c30dbccf1702545ae4ef89cf2
SHA256: 1a3188305bd1317a633254c6f737021b4d71a139ef08f26e1995602dcccd94b4
SHA512: 260db4e614192819139fcea88f025feaf2b00cd681ffcb282abca82327b1806f4531aaa43ba6853af76374f3d028d23a5bb9aafad4a11d54ed19078de3f02ddf
-
Filesize: 1.2MB
MD5: 88723d82f4019010d7a975851e544e27
SHA1: 0a4469c7be2ff13dd50ba0ba10e20ca9bab28891
SHA256: 50c9eff28579242201d2abd46b308ea836f851c3c170ae809f3281c5b9f4a0c2
SHA512: 15da65b0f4fcec15903f6603254f60f50e5edac56a2e29f28d7dfc4157991c228efdd7b0524115dc748e3b9426a4e798f8640826a6e311cc6d41a4be4d7655de
-
Filesize: 1.2MB
MD5: ad3ced3b34e631775061367d7bef2af8
SHA1: e4534adf5847702a825d78a57cea550a3f95a329
SHA256: fe0a513d705e112bdf6e2aace2747280981df9f78f88081c723501628e6b392e
SHA512: 3eb1ee0ba5068739df10aeaa62ba5d6f401e7d37cb03342b4d18d07f5273c25840471adb6c3fc251ccd32f2e904049c9cdd2808adb75b3c2ea34c80a38df2223
-
Filesize: 1.2MB
MD5: 87a68da1f99d21a6a3139cdf1d4a7062
SHA1: 887f6e3e6d74c60e234a76e3d6cb14e0f05b64f2
SHA256: 9cddd7091f122e1d8fb499f7f337678873ff70eeccea740e5e005a00c636928c
SHA512: c07357270a605c497d3d1c5e0f4c8b5f6755a30a1fa158ea4b6bd93d8fe53fec5f1614f6baa68aedc294b6c6272d4a3cc01c12c52d4f49ed55e252508f860536
-
Filesize: 1.2MB
MD5: 2486d66798a4015e813894e6efd222e6
SHA1: 2e6d11a291c447afe468f88c7eec754eb1440aa0
SHA256: 725d8c8f864671ce3e55031f5aba99d466f6db6da7eef8ad64532182eebfb6df
SHA512: c2f5cd20d7ab9e8715dbad773f14bec9bf81fa902315ff3148b2a4525219e60b5b5f2e8ef423985f0c1d97060f3332b6f006538bd7a6993278a31313898703c2
-
Filesize: 1.2MB
MD5: 5e91714d830c5b991ce056634efe26dc
SHA1: 65d882ca2bdd5c5d42307d59e1ef45ffb3011d8d
SHA256: 55fc9ddfc20b1b0567ef0529328b03c47ad998858df99cc0c5c038d8a42b5d78
SHA512: 0315aaf5da25a629eefe15efe02c845ad68dbb99101eba40c3c4dfe2c6a7cccafce5c09c3a3124d9a2eca75297e7ec8fae6ea811d82258be97939abb21cd746d
-
Filesize: 1.3MB
MD5: 63e00d8c7ed1b041dcfe6327445cb772
SHA1: 75707974b7976581971f00eb813b0ff983d2be36
SHA256: 552ebcb46aafe2fdac551d19e1ae5e0273cee29322cf0a96e1961b874091b8dc
SHA512: 519523cc66af9741539cea97fd57099074884c71544db26e067210118fd7fb6e7591bbbadd8090cc0ba8ee4dc498e78f1fc47295db5476286686ee7eb2ea187f
-
Filesize: 1.2MB
MD5: 50f9a9cbb41bae84918a78e915d41bc8
SHA1: fb8e8f79ce0d98826815c1447321f0a0dd58c5eb
SHA256: a681b82def8e703729b48ce39554a84e9b616176dc4ffa66e6bc8ba2f9e5014d
SHA512: b327c575c619237de3972020f088dbc3282331affd3b964f8a5b09d47bb98eb29b7bec64a97f95f4e9b2448a82a45d626f7721c0f7b85363a5922e8ee5f8015b
-
Filesize: 1.7MB
MD5: 53b47db6f91835efd64a3a6805758cea
SHA1: 0f41a9c1b3a7791883ac5c62ac238309364ec74b
SHA256: d6ad4362e42c6100667f1c622b40583d93f8bc0d0d7aef4546fa614dac566621
SHA512: 564b0fcb22e4cca5c66c6396501d9bd04ec9af7834ad0c3a585970a88784418e354272ab7a4853f98e457585ce35f91bebc22b3734e2773c453a735b9729d01f
-
Filesize: 1.3MB
MD5: 2983c7a728792ca7f9275f3bc2411c75
SHA1: 89e417d4525c4d56b0ce88326d17572c20a9586d
SHA256: ec83f11cfb4161186c911ea1b20d701d015cb9c80b4a9dc13dfd2aa89e16a740
SHA512: 145bcf92ba81e957df18af6867a260b2fa06dffbe0c4e75b7a773fd185c50cd244245a1c79bcf2bf257c6e9a0516bc7003befb7cf799ccc3628b9acf77581cd6
-
Filesize: 1.2MB
MD5: dfcc2e1931841392900b4abda006f2da
SHA1: e6af11dcd7b7a17ac175768cad5ce897b82903a9
SHA256: 8e0f65a47156d643b0e6f40962c80eede5675f6da7a3c2cc33a8104984440c0a
SHA512: 25c5dbe7a9a7beba1750536646e92db6a6a01e38276faf54892fb833fe14710e4efb3a68ab7f38834902105fb00a9ab7ccc90c8ade3c29f4dbc32f4aaae626ef
-
Filesize: 1.2MB
MD5: 07a1fbdb16ff89be379f271041f10f83
SHA1: 3f60d8e097bc057461d0c0d43146c52a1a2aef46
SHA256: f3d8d31abdac61ef83c0f314d30088fb6b9c3d7a2ea2a01057dd044a32ed3ba8
SHA512: 215b2b448d08aa954b8ebcb1b11644f33047b3b0c2c40e5ec7d4d57c6b6effc86e52938e7b48e72008a9f39e262d69a2e6d0a0347d547a0613b14a7cbef128d5
-
Filesize: 1.5MB
MD5: a498ac5b48d49b762ae83be234f80f57
SHA1: 6234e8e80c9a5db9a56281fce2769d18c11382a4
SHA256: 85598933ce2a67dbd1eb37b264e785d837fcf8db11be692695a2a60e6556d019
SHA512: f33e19909c223561e91e10372b0c2582169b4c6eff4b848c8cd713a7165595efd8202439df11ead2f49621a43e88d538d77e6ce8eeb100c205e541f6679af3d4
-
Filesize: 1.3MB
MD5: da543972385e0dbe11f7003dca54babd
SHA1: 7b7618ce0baf04c2aef75c731be5bdf2831faa73
SHA256: a132e212c62002bf8b3bf59fa604fbb60164732d1c3c1f55e82355df4779c67d
SHA512: 0ea8e69a4c92c3402ef9c5ef33600071b95d093b3670532e3a4aa6c67b7e03b423fe79a28518ff88f52cc7859620924c3d01061ff9d3ba053d79348a1b640a68
-
Filesize: 1.4MB
MD5: be2684cf3c73a05ac998398b6e53049e
SHA1: 572a1ce8062ff0a8953e5a1bd76986c552ae1c59
SHA256: 3aed84e36fac76dafa3ba6f3b6a4d5bddfe6a4689b72d86b1b8441f64be4f449
SHA512: 01f356c64cd3d2d3176149772721fca618c1f313a1141e5ff37bd9b6b817a4b0e0e2b2d54fbc9d1e98b701f8e083bf0eb6e665caea170c717945fa9650ca681a
-
Filesize: 1.8MB
MD5: e44f972ccb5a8ee41666876e57dd3271
SHA1: 27393fed0f77cb6fd161d21a2f47c40a085478eb
SHA256: 5816c4dea4bcdca2e0fe7ba11eaf0f7d1b3a8518bddc0fe5c3af37c5d5dae929
SHA512: d28e0059f16baf1e7e5f0a0dab68e2dbdfc5056b59898861a36513f1bbe44f5ff2e974100e0439140effe4d7510a082b00d4ad20b2ce6a3ae69afbe9a84022d7
-
Filesize: 1.4MB
MD5: 6dd998f3e567571bc27ced5cfb8da181
SHA1: 512324317bc64399a0d8ed341170d74e92483900
SHA256: f203eaf9ee2932fc476025235cef9744800b74c6cbf630c2a748e8e28b7e8126
SHA512: c23be147e10da2a287e7777d931829713cc66c086252ff58b243ff5010a212bd0092b60f14430c532c3ce14e7fd54a396324bdfbcc8181d236b227be54b541c4
-
Filesize: 1.5MB
MD5: 7b07a3308f9977273b5fa5926a77fb97
SHA1: 69de3111d91dfb28c1ce30bb061c01edf880d7db
SHA256: fc821292e4e4e6f81b0c7f2d9f202f6760327dda2bcb1040abd72dcc5bab4c5d
SHA512: 8d30c27ea15a357aa15113e5fc6b430663b34ea819cb0e91b5b75e27d29288467e64e1b5ca0fe4932b4f5387086391dddb3276c41a7f1735cf8322f627411ee0
-
Filesize: 2.0MB
MD5: 5b2c7fccbe8a14c1ce2e24890235dc31
SHA1: 8a7b80c75445ffd613f2ff92e85bff425eb0a6b5
SHA256: 5a95b7a935e173ec807802ea33ad55299cb2d1c94317e7e9f5fd700bb1be7401
SHA512: c2c0bf1cf3a4b86ac4576ae649f4c060709441e0ef621e1bff19a564a675a84fa6525ba3ac6e40eb672c0c21aef96e454ccceddd6c5d140abb2a03e09716acc2
-
Filesize: 1.3MB
MD5: 7a215abf82f2605928efb15ecf3e0d0a
SHA1: 93581a433966457a3647baec529baed570aedc44
SHA256: f1fab62ede3c3188b5344ad22050ed5185bf073f69236dfec02b9aacd6ec36b7
SHA512: 6d821c103fd4895f623fd602937592b574a43837f02201af74f335f6ae2bfadfe45b9580cd309992730410360d84bca35f445b48d03df3f976d39611088d493a
-
Filesize: 1.3MB
MD5: 2753e28d3e0a932700b0a143e3db4495
SHA1: e01fd76a4cbdbdd72d07bf7e42f834199c73619e
SHA256: 6cd9dfc02373cd9f0896c9a4dd4cae12a077bb1740ff596044677f048db496c0
SHA512: 3159138380d9b615b7db977e7eece06f11fe83bcbea5e4c0eb28b61464f6d15a8485a319a3fb5112bbaca0fd000825ca790bb4689e64ebd4701dc8944cb7ba71
-
Filesize: 1.2MB
MD5: 8cbd2bd0055b9c0710b3f2ae9df10fd4
SHA1: 28f5ccc0a309c79e289743cf482dda17793b2f4d
SHA256: f54f80137c04b68d1195aca22aa13f1ae085be6faef7bc0da4e1417949f1aae5
SHA512: aa9fecd7c4e2c363b2bdced77d0972fdefbc2d538d2a2dc62f3b4c1873a0453fa74db999af0c0724806e40fed3ba1a5173f8985755f164082afc24861f5724af
-
Filesize: 1.3MB
MD5: 892f01217a81ce4d36363796da754dbb
SHA1: 929038dee001a81ab45446d88e695ba96b7120ab
SHA256: 5f5031c8f425b617fe9f48b57bd5fe6b7ec15f68da811d404e5ca69c0eb749e7
SHA512: 1b5cb039ea6a5f27d5ad10faf75e8effe0d87d99a0760464591e742d1f9b606f44c26a33d3f5c6dbafb6ce87cca9ab3804f7da43598a271913dea96aafadcdf6
-
Filesize: 1.4MB
MD5: 1025781acf6166a93c42707fb0f9e821
SHA1: 9bc37bd7b79ad6988fec89ef4ca85b17e28f556f
SHA256: 418dba331657fc80e2aa4a16d7d6ce19b48b4642c2573390e2f5beb6eead868f
SHA512: 71b2505c49edcedf17b70badae8132f6eb871f62938ab6a560a3f2cb260d3871e1b92f8ce2811f158a7a762425cc12e16882ecbf43be762c51cefcfea73166d1
-
Filesize: 2.1MB
MD5: 45be04c517bc5d91b779507b33e6f32e
SHA1: 4f0ca21968cb29a30ee22f0f6f590ee15db291fd
SHA256: b61b8a570d5d977c05f8f4ad241dc763f889f6f9932e82b41ac123b38d3a3dab
SHA512: 8b55e778d1896aa6657e41c22cd4fc8a741243c83113af5d821d36dbabeb0bb18da5b1696468eab252b7933e2811af22fdc3d87a1032ae635e9eb6e7ed4458a9
-
Filesize: 5.6MB
MD5: a1b3b6fc61239cf6b7d513a59a6a768d
SHA1: f8e2f05c04133539933bf73386e9b3b246054228
SHA256: 0ca4de33eb8dd5f255d2cc8f95fe00a283762f24b5a56c60fecc5d11b447471d
SHA512: c41c1b00615d1ef82c98d8f72683d2473590c8e5ceaf189c22de9357aacdc83abd8dbfc296854ec28b113d503a6141e36d93d1ac530932091a71da748bc2e64d