Analysis

max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 10:36

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe
Resource: win7-20240319-en

General

Target: 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe
Size: 1.8MB
MD5: fa8e1be240924e506e79d468a917d168
SHA1: 6cf82a7c8abafcbaa63b070f3da3ad5ac3c1ac73
SHA256: 9dc0426d14aec9386968d8db3403a824c15a0767f18587c7053a0dbf80bb46fa
SHA512: d2d414dee4a19c92b6bb7a75dc61f3a283c7a505789df3333cc013f27b3c96edad96afb7b4e5cd1d63fe08619ec8d4d24fcfa02bd36c847e9edfaeb9b0557f9c
SSDEEP: 49152:CKfuPS3ELNjV7IZxEfOflgwf04gDUYmvFur31yAipQCtXxc0H:Fm9sZxjghU7dG1yfpVBlH

Malware Config

Signatures
Executes dropped EXE (22 IoCs)

pid | Process
4636 | alg.exe
2192 | elevation_service.exe
2636 | elevation_service.exe
2820 | maintenanceservice.exe
2272 | OSE.EXE
4712 | DiagnosticsHub.StandardCollector.Service.exe
4040 | fxssvc.exe
2432 | msdtc.exe
5112 | PerceptionSimulationService.exe
4628 | perfhost.exe
2060 | locator.exe
1992 | SensorDataService.exe
3896 | snmptrap.exe
3416 | spectrum.exe
2404 | ssh-agent.exe
1980 | TieringEngineService.exe
2232 | AgentService.exe
4448 | vds.exe
4808 | vssvc.exe
3780 | wbengine.exe
4784 | WmiApSrv.exe
2384 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (26 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\17660a1c4ab059c5.bin | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_135953\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | elevation_service.exe
Drops file in Windows directory (2 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000777dfd00b385da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef107a03b385da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e650c03b385da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd54f902b385da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3e1c100b385da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4060701b385da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5bf7c00b385da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
2192 elevation_service.exe
2192 elevation_service.exe
2192 elevation_service.exe
2192 elevation_service.exe
2192 elevation_service.exe
2192 elevation_service.exe
2192 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found
664 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4812 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe
Token: SeDebugPrivilege 4636 alg.exe
Token: SeDebugPrivilege 4636 alg.exe
Token: SeDebugPrivilege 4636 alg.exe
Token: SeTakeOwnershipPrivilege 2192 elevation_service.exe
Token: SeAuditPrivilege 4040 fxssvc.exe
Token: SeRestorePrivilege 1980 TieringEngineService.exe
Token: SeManageVolumePrivilege 1980 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2232 AgentService.exe
Token: SeBackupPrivilege 4808 vssvc.exe
Token: SeRestorePrivilege 4808 vssvc.exe
Token: SeAuditPrivilege 4808 vssvc.exe
Token: SeBackupPrivilege 3780 wbengine.exe
Token: SeRestorePrivilege 3780 wbengine.exe
Token: SeSecurityPrivilege 3780 wbengine.exe
Token: 33 2384 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2384 SearchIndexer.exe
Token: SeDebugPrivilege 2192 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2384 wrote to memory of 5480 2384 SearchIndexer.exe 136
PID 2384 wrote to memory of 5480 2384 SearchIndexer.exe 136
PID 2384 wrote to memory of 5508 2384 SearchIndexer.exe 137
PID 2384 wrote to memory of 5508 2384 SearchIndexer.exe 137
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4812
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4636
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2636
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2820
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2272
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:81⤵PID:4448
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:4712
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4068
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4040
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2432
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:5112
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4628
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2060
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1992
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:3896
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3416
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:2404
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4040
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4448
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4808
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3780
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4784
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5480
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:5508
-
Network
MITRE ATT&CK Enterprise v15
Downloads