Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 03/04/2024, 10:37
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_fcf8ab6a4db6e358d362e728b733896d_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-04-03_fcf8ab6a4db6e358d362e728b733896d_ryuk.exe
Size: 1.5MB
MD5: fcf8ab6a4db6e358d362e728b733896d
SHA1: 6f91a840b3fa7906ab3364e4f500cd3d3fbced97
SHA256: 371d1815cc24c9f26cfc3d457b675bbdc3e7e98fb25ccde17c66ba32cd0ba0eb
SHA512: 5dc658687ca037fe335b5ed4c8040ba6810d592c971d770280ca16f5233d0d51811526dfc0aa85d7b2a6aa24148b6b48e21d99b55b52dba793527f23a156f287
SSDEEP: 12288:SObXA4LWOsvAYFTvcZRXPiqwIkFPqQKj8DkBIHCP2sEMLRv1vIVq+:DzL3UT+XN4qLqEIH7sTrvIr
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   Process
3824  alg.exe
3272  elevation_service.exe
432   elevation_service.exe
2196  maintenanceservice.exe
2068  OSE.EXE
3780  DiagnosticsHub.StandardCollector.Service.exe
4108  fxssvc.exe
4944  msdtc.exe
4676  PerceptionSimulationService.exe
3580  perfhost.exe
1756  locator.exe
892   SensorDataService.exe
1628  snmptrap.exe
4004  spectrum.exe
1096  ssh-agent.exe
4060  TieringEngineService.exe
2928  AgentService.exe
2436  vds.exe
2732  vssvc.exe
4620  wbengine.exe
4444  WmiApSrv.exe
4592  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description                   ioc                                                                        Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log                                                 msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                      Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 3272 elevation_service.exe 3272 elevation_service.exe 3272 elevation_service.exe 3272 elevation_service.exe 3272 elevation_service.exe 3272 elevation_service.exe 3272 elevation_service.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 660 Process not Found 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 3640 2024-04-03_fcf8ab6a4db6e358d362e728b733896d_ryuk.exe Token: SeDebugPrivilege 3824 alg.exe Token: SeDebugPrivilege 3824 alg.exe Token: SeDebugPrivilege 3824 alg.exe Token: SeTakeOwnershipPrivilege 3272 elevation_service.exe Token: SeAuditPrivilege 4108 fxssvc.exe Token: SeRestorePrivilege 4060 TieringEngineService.exe Token: SeManageVolumePrivilege 4060 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 2928 AgentService.exe Token: SeBackupPrivilege 2732 vssvc.exe Token: SeRestorePrivilege 2732 vssvc.exe Token: SeAuditPrivilege 2732 vssvc.exe Token: SeBackupPrivilege 4620 wbengine.exe Token: SeRestorePrivilege 4620 wbengine.exe Token: SeSecurityPrivilege 4620 wbengine.exe Token: 33 4592 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe 
Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4592 SearchIndexer.exe Token: SeDebugPrivilege 3272 elevation_service.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4592 wrote to memory of 448 4592 SearchIndexer.exe 123 PID 4592 wrote to memory of 448 4592 SearchIndexer.exe 123 PID 4592 wrote to memory of 2872 4592 SearchIndexer.exe 124 PID 4592 wrote to memory of 2872 4592 SearchIndexer.exe 124 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcf8ab6a4db6e358d362e728b733896d_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fcf8ab6a4db6e358d362e728b733896d_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3640
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3824
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:432
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2196
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2068
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:3780
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3008
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4108
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4944
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4676
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:3580
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1756
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:892
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1628
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4004
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1660
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:1096
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4060
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2436
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4444
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:448
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:2872
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD586fbc23d3524b2ebd3ad9d36b9561496
SHA16d353ebee77102f126b4708d877a560e653b871d
SHA2564b6f80572fc991984e43d1674b76e64c37552103b0220c402941c4892fe80814
SHA5123c3eff7df6684e10a28b49f2d88862873bab22bcdc7ea06dbe1407d1e197c2553e33bbcb9a98a09c07b1e60f95fdbba717292fa0223debae38496946ea0c3f20
-
Filesize
1.4MB
MD5262e3ed16f9e72765b2a223028707913
SHA124d2d2f8c41e2ab6c1c9cef58f864c6f8e01583d
SHA256b25c065861af4ceaf7d73618666309ba08a0719d59b5934789b21e8d2dc32bc5
SHA512cdd68000902e7ee02d0a986021e683d1c68a421b066962cb30a8a41bfbd86ede88eef1f27893ab149301eb69a4b16286937fbc782a6d3df4723f0f27e728ffad
-
Filesize
1.7MB
MD53e716570f873de1f987dd4eee6997552
SHA186927828303e15bbb287b942fac5d2080f14de55
SHA2560518957263cffc6b446a426e0fa8d2649676f714070d94b1b41edeed957ad42e
SHA51212ac18910e0e3667d5358991ec04c3719c8e9c9dbc1c0ef9584527053cadb691685be9c806777e9f794b3638004e1d775d024d50f91aa16beb6c3b03a237508d
-
Filesize
1.5MB
MD550d0e94a4a23cc2975f33fd2d69e4427
SHA1df20fc09a7e9a1d2703706fde24c1a76e8494a37
SHA2567c8200dc03e3189e8f8ab49e17ceb0615076dd68003db1c8fefa668e41a21a1c
SHA5127298d46a75bb01498f39d4e72ba0c416ade45a94a2782a4088e3469181483b6720b0f59d74535d100656d553cf9fc2865a66e6654f222c14cfb2e3ea7c78306c
-
Filesize
1.2MB
MD572b1a882a7c584975e11944a41e36e67
SHA1e116db8eb2ffd7d65f40e20b3e8a4690225d041b
SHA256735aab02322c778cf0c88258cac504e823193519643230b08d7d420fb25238d0
SHA5128a37f9f2a2b9c0e4ab0bac53eacb79359b1dfd66683359bd213c7155fab99bb8b8af6ace11d08b97cf5348735477f16658a4c24c59c083696eb9dbf39e6f5811
-
Filesize
1.2MB
MD533ab8ac2008cb3fb7456a7603c766d89
SHA1f5de67f5cd1c244d9cf352850d4e7b2decdf2bdb
SHA256502dfbe52422991c07ff9503e1331691725f9421e5f77e13947a2cb2be5336f9
SHA512232b28fc93d310a19cc3cb548f1d51636fd014e72738dce48c5938ff5c0519452c827e15e8ded24a14e60deff42b36b1d51e2924ddad00959e447a37490f682b
-
Filesize
1.4MB
MD5361b20f693c858cae7db7f147d177ccc
SHA169928f5fbdb9ce74017ff1970806d91e8d6914da
SHA256f4671d58fe14deafa167e6c1e835e1be2f47c7a15e116eccfcf8edee510e5472
SHA5128485929ac6eb160061bb64ee48f2608b2777eadd4827f5d17563d1d398d4078ff0f7aab145cdd50297a20e1f5675f6ba4449b3673e0dad7eb76c6e356e8f1b70
-
Filesize
4.6MB
MD58673c81f40b9bf782dc9075bba1b6b0c
SHA11b24d0eb315307a054cbed3e15187b1207109e92
SHA2563a0a5460681b1202d51c4b2685f0384bc73f1e77f0dfd0227aeb917d01394ff3
SHA51215f440eb8162872b0814baf6cc1373349727c7d59f2c11744d31590bb3c5427719c1606ade140af86d0ea5c7ca6f2affa5137c3d47ada1fce95bc63bd9d93af1
-
Filesize
1.5MB
MD5b20035a34796c46f571375c8ec2b9220
SHA16132247a0301354a31be61d66923f346253ed8a7
SHA2561954ad85f4c87705c893b5cadf5145066b179bb818ff921ace2807a7ccc38901
SHA51212a77acbf872ce6009ffd148c650d4694449aee0ca5bb143380e1e9cb83e073d8628f2b67cfbb089d4d9b65df0e8284ead9bd46919f6e756d22782e1ed606c03
-
Filesize
24.0MB
MD58b8b84504eee7c0048dcd2f6befb5973
SHA1acdd982bb07497c2c7b6021f2cd06a5cb917e645
SHA25638d1f1c5e1f12441b7e6f2a5162d95ec347d4bac2a496d00ea0cd78a5de9d521
SHA51267b5c03f6a92ed6897d07cfbd63cebe9f02b39c5f7e1284a822ec710af584c403888583b81fd8176678e9de9d62071514ece676a0b953095032dbae14e65e87c
-
Filesize
2.7MB
MD550844c44fed7706b69cef1bb62acc428
SHA1ebab9f312b3f7a0aee7bf3187ea4a46107f87933
SHA256f53838516c6a1394c3a20b170332ed541af24cb13a2092e45b532ae323483243
SHA512e9a337f04dab2acf395c65d471ceff7fe961efe3ce648b0b999b67f9d9e577f90377a97ab7c22202e35eaf754c74d2d17f197b3a3e2a93ca1899832031c97dae
-
Filesize
1.1MB
MD5f457e38010fe1621cd13910d9977652c
SHA1246922a7e61b620e311bd8f7f496b381f9355796
SHA2561d7f13a51683b8c65fb22fb22091c745a5bc7d5af2d2c457cccb955c81df0cd4
SHA51255d77dbc0a1c5b7dff3d954040211f73bdcdd0f38bfd9fa6739712b3f4f8a6513801dc777e66c76de94f393172121edb8e049f959d96f32db75916d191032e15
-
Filesize
1.4MB
MD556d40d05125dec9d503665c2a948c321
SHA162ae953d4215f07250a0e14ded099cbed872cbc7
SHA25600813355706de362630d5a68fe805d40b6f6fad72a88569f26e883c889ae197b
SHA51218aaf924e1ba7e763aca1ce91857f7051f33a38913cc215172501b7dde44f5da13015357f987f0e89c2a9f5aeaf2766c89d076fdd8322f5f75495cc9041e05ef
-
Filesize
1.3MB
MD50d51b6c905887b8fff213378cc012e5a
SHA16c7c3ccdd204f5b03200424a59adf47c82e50d71
SHA256efcf4314f56658ca2d60b67dc59d66f026d3efd95afb75066125d86259838d22
SHA5123980547656d04eb30dfda982bac2a57dc27e9a786f4c7a8cc3a5b6826d5fb556fb148d0363ffc8ee78568abd8b371b8d83a893868de0dbe6686b51e6a2aeb398
-
Filesize
4.8MB
MD5ec5f56be072e359bb53a7cfd6f0a595b
SHA13b537a577bbcc968a7779449fca180225621e1c8
SHA256ea8173d4adfe504417342b67571bf4d556ceeb773bdcf9eee9db1cd0de17d33e
SHA512de74ff283c0b7760bd5d8ae9300e88ff1f0382ab05c489f7e2f7aebead9265e0b78de3317ee7ebbc9125b87c2809a232ffc11e5fd001a71b78de2805f9246125
-
Filesize
4.8MB
MD55c074a715b3799d976ed9c3b01227066
SHA1d011eb0ed14f123e19c8aa802f57094bf4ba9f6e
SHA2565a85569825410997e84b794a87b7504b213fa297cd70bd3e0127291462e91be4
SHA512e2763b6bc4d81d4e542acaf3937ca574a129202ec28476f203fc21961016431d634e0c495a2bca4f3ad69708420ccca5afc8da5a5cacb3a248648485f18b5f6e
-
Filesize
2.2MB
MD580a85fbb46f42d05d517d93dda8f033f
SHA123933ce25832d84de35013a7d783f24695bf974b
SHA2566608f3722113332e728b431a6e55976c5005ccec24ade6a36a4034d63927d142
SHA512dee2112dbec4953fbe9de0b9f8ff83e25fb23d3b3ea67f1fe5e853efb9797d7b8a0b6c9165261104edd20b0503f0ab89c620558c091020bf62cd7168b3340002
-
Filesize
2.1MB
MD519a59b022636556c3ba45b3cda713deb
SHA1212dad50d845e251b8fc64012e84d2f42fc47a49
SHA2562f5c94874954d78d022af33948945391550603b592f9f1403b42234da835a195
SHA512208c8401df9ac2934b49df86448a7a810795590920549ee1ff91b62cd98b9a1c9a5d7c3ef60312cddc7200afd4d80195b2518ca881c21e766971250b0cf340d8
-
Filesize
1.8MB
MD56b50f80b43831ca3e109cb9d33fcfdff
SHA1f4f3d4a65637cb8ef6ea711c53d3843c80af170c
SHA256f35d31bce237df5daab63b7da8f6123379ae3b046fb7e0dbc540e68ef3e80c57
SHA5122d0e35f9eca7d286178d397b3920587a61940f76642471e6d79dcdaca475248c23772c0145f4afad8afa535df11c4cf68667ef41e38ce975aea626cf04ca1dbd
-
Filesize
1.5MB
MD5883d9c61fa8630f79003cf4d23e9cc31
SHA162d8860559249c506022379371de946bbc96c36a
SHA2560569908716434da39bb8117e1c508b522492b6ef88a5e613df7d5edc4235a955
SHA512f42fb73147c7e3c82ea5fd2932eececa3f42855ad564160ef3041129490ef6413b8cb3f64b1b0ee4f55ed5462056ab2cbe7f15f6507253df4b5b333ab0f0419b
-
Filesize
1.2MB
MD5c66a3cf89a98f03e348ab5dd196d4024
SHA138cd027cefc495664f3271b837f5e0fe9391d817
SHA25677c73bf75748f9aec4a4536e7ae5377a080b1936df4ba31afd248dc8b71a1e47
SHA512335370209a0ab78254ffad91e665e8aa6fcb7b262fec4683849d007cc5157c4864d5905b5933e065a5c04be1718536d153e9871823a2b11ecff75d2692ac18ea
-
Filesize
1.2MB
MD533f89b3111873fb0abf703fe92e59969
SHA1575f4369fcc9488f6e09f9b63a2f91171a3d35a7
SHA256ad29c321541d7769496d3ea9ba341b663f1fa7359203b3f16e6208414dd89151
SHA51257b14d9e2cc2e29abf562662c100f344198e29f29bed3d6cba55b6396a2173ec7afb9ae0d6bd766845264080435ca0daee2bf2df162a488a44cb95ab803d4d0c
-
Filesize
1.2MB
MD53a2c2b0b688b0899d33cbcb635b6086a
SHA198df17dd8b3fd5ae3ed37042836a755a7a62ec65
SHA256edacc44fe946dc0760a9040c3c05271cd0e4c396cbc33d60af68116cea31be71
SHA512d1157aab25b6c16b3008a8ab3110623b89b0015e9fe30d1eaae2082d21ed34638dc6a3deb7a96eeb28c27a64f574f454d81d9ffd5931e739b4056ec1288742c2
-
Filesize
1.2MB
MD5829769ef1c5a1fbae9602d0c300bd375
SHA1a50102544d8d5c3ddc812b75e0bceb0ff6f489b2
SHA256f04661e5a169b9926094911a3c803f774f1decc725183fa84bc759c6effd511c
SHA51255f84a7fc14b6258918f36f44f6959b1ee4f855feaeef0b15bad7a4a7cd8d3d3072d4cb045ac8d5068119bf5633e643844a6c33043c12aae2f96aaeb93182809
-
Filesize
1.2MB
MD5d9a3483f34b0b7d0705d0d858847418b
SHA19fded3d01c366993604c6964070f0d3912aa2c4f
SHA256b7a8866df3afcd931cd78eb73da74dc3bc4fedb8bf0bb9d3433fc49678b64f38
SHA512ab6b9cc2071b7e3376185f281849ce4bc5c0a13aff1ffb865de9002a24f1421c6e057cd8ce551c259d0f8215d23b4c7a9c1d490e1ab61de304c04a94cb54147d
-
Filesize
1.2MB
MD54e5773251505267111ed9fe28f85d813
SHA1194dd0bfacab21867695db1bb4fb9947b0ec465e
SHA2566020f2dacad223c89ef964feb87fb87a5cf1caf62f1507c69c45d0717a946984
SHA512a0f985e040af2b1678e18f6398d14a54dca4d422b0d911f79ed335249f438bbaad23c40380ac16cefbf5ee411cc37722c3d0ce41298cdc4f0e2718f3512af7a5
-
Filesize
1.2MB
MD53e724e754def8ffe2faf05b1e618089b
SHA1d4af13059d61af1ebba048d0bd002f461cacd1be
SHA25628a3c1a6166f4184bac1127ed7b0115b7ab17bfe235e9bf055ef29899491589d
SHA512d7b2cbac92db4677eb2fe9457dd48af562842fe567e06742ef87e577454de03745a25a56d4e797400840d55ba1aafd51778676dea72eb949be3d0100117193bc
-
Filesize
1.5MB
MD560da630ed51fd577db9bf287044ec314
SHA1b71eb6d2722a904f7f68b342c316dca00cf840e3
SHA2560a8ecf9276d3d954ddbf340f4d36cd870cf528b5b8347286d4fde1afc9acadf0
SHA5123febd3c88ece35c2cd2f3d3b1bcf4ed7ea9cfd8e98547914def27091f97e8ddc2f8a3bf856c5723ed9c92e1083d6571e9c6d7ddc38f5d8424ba2a6304be7b343
-
Filesize
1.2MB
MD508db5d6e89bc08729888018a32cb5c1f
SHA1773aec0fe9c95f2abd083be7dc116d0063470356
SHA2566d1643533a2df6a24f9a30adf4776c8a3e40a62feefc394b8c486284d6b3e243
SHA512041261c1633f9cf13851a5e596e168ae824c960f3407175c4df78a76678ce17c201601205655f73086107974293b8bb528ffa9ed64aae4325a243b03106f61f5
-
Filesize
1.2MB
MD575d7c24601f107470b3c0fa323315fbb
SHA15196593288606825763c7a8faeea706f1a2ea658
SHA25692d55bea89f1350bb391f62516125e163cc44d643c845442720b9b58cf99f9dd
SHA512d8cc9761361e186e4a0ee9f79f27967613688c35022053c269ccb865eb60acec9970c3447121b8ed93c9ccf112b3621a83f5437e22395656023f45bdcf295a08
-
Filesize
1.3MB
MD536fc465ef7a0eaaa77e6025c90ba5232
SHA162b40a0eec0f9f5e77928361367de03751229f60
SHA25658dfc1f4690b07ca67f771ea3be1d2a42831a68a7fce2319f1e2bab81de32d53
SHA51263e4897d1ae6ef89f3afb6a05075d6c2846c71c216879e49f85631415e0cd72fa3f0eb245b2b5359bd9062c9c80f09caa8167138487f903ca6d922386b1d7a3c
-
Filesize
1.2MB
MD50f139a8d1316b561476c2ce0382f1e75
SHA1b4c41aa0c12e4951d56d2e3078465adc2f8ded8e
SHA25693331be1fc65feaba2e42da9d2c51894f7e05329d73b8060d356f76efefccc77
SHA512a9765455cc70f4946ca7f9db21d4380fa340f2d332888043a36c92812a7a02363a17df96b102dfff3db8b128941f11204c432e588db78b17daefb315f91b3188
-
Filesize
1.2MB
MD59d8605e1d71cc1f4b424eb2e9163dd72
SHA19cafc88e8ea39475a9bbfe6b12967d79b91a2c2e
SHA2561f4b2bd20956a34ab63b4f63eb9406f13a36f3844a064d55ca417daad076a7cf
SHA51208c3d6a05d5a0ecec4e9e202d3a967e7d4fa7ecf263e6b35127db3c5e5029aafa48edffff6e296a53acf1e415f6c64317b3d3edf12e24a21dc69f631bed8e424
-
Filesize
1.3MB
MD52c2eed65eebd83f4dfe5d4da28374cb2
SHA19e2d75a45f00d3338446d8936d0d0d5c4a670063
SHA256800593104334534da8216f558188541ea520d9453d2b344a5960e2e1bee3e32d
SHA51285c760314f439559bdc9106544a40bd9ba24497f8a2e19930ff190c9ba5c6473bf4dac81fc9e9e77bf8028fcfc1e7c8a49210f7802517e0cc4bd5c3f5efa0325
-
Filesize
1.5MB
MD59e1dc5c9c82883b84d8a4f2f10912bc3
SHA1cf7352e6fcaad72f863392a815b11e595abae597
SHA256222da900c615809df13b19a36682497cdfce332c2170603aa913745d7a05cbdd
SHA512181b9335fd4cb2de2e77488940bded676847cf5490e5250b43db2ab805a109f06e9bf924c9eeebad4390d360a5fcdde43ffa0fafef29a11698c1f8b09b8b061f
-
Filesize
1.6MB
MD5f670878343fba42470056e8cae6a0f88
SHA106132a64bc77006ad7098069898efc473015f5d0
SHA2560a12c1f29b8f62d43ef7b7aaf20cdb4215a57fef46e61e2cd8c239c31769d1f2
SHA5123803d6f233811ac35e87f98e1576fcbb0f33d17a9630804fb482f1353d3552098af668a621f891a087790741e81e82604fbea7941cf6915726e9b0d81bba8017
-
Filesize
1.2MB
MD53b8685c1aeddd2224d6f130421e46ad3
SHA1acfe0114445214ff327027ae4b07199e81ba1148
SHA256b85f6c876decf9addab6e1de9107a1dde8ec66f956d62450f4ae2f6f872e0774
SHA5127c81e46e22fcf3d55a1b146cae9d91bd68a0ddc3c947103fe698980fd87eee9a2dd39a85eddb6600d938fb3600b355076869c6880fc6b37e3c0fa0de4e48392d
-
Filesize
1.2MB
MD557e9a9298f21ffea26bbf507442dbde2
SHA1b976f48d91f47b7607590aa758f0ffadd714903d
SHA2566c66dd66536e22d81205dba104bfc8610f60e278a859574975c98679208fd76e
SHA512c840c1c0f5ecc1c566cd68e5ba46e8dd0a5e2b1a57e047f7f9a8cd014a33dea2ea15c94817a61b7427f8d68411eb275c052948c68d80bb984b8b3994f818cd1c
-
Filesize
1.2MB
MD5e0cd86e43c4901728384da007da84b00
SHA1d6bb59584c3fff1ac8bd30708a2a9b0ef14a1d77
SHA2560ba8b1d860ca5248c750d39cea2dbf8a04b759c0bbe93579b0c681f7f9151fbb
SHA51229cb6e05968468d504d8d686eb00746d3fe7e222a67bce1ba5ca4b8b8485aa6bd3e591240827bc683f9851b5b7e31250fb7d4e5daa6c569c745869ad2f006c0c
-
Filesize
1.2MB
MD5adfa12fdba7720bb19dc7b97f0bf9585
SHA164fb657b8585dd585e823a8e771ce001013f2390
SHA25645bfbb060cf7b8c64c9f53c2f18ccb2553479bbb86611c1db61cc250b1752112
SHA512cd4d44f4fb662d0439fadf8d75422dd84371c9261f7b42f81039ed8c1aa16ada8e15e49490920f78a2afa782110597ddd77d00b32d9aef205f1f64fdf166b8ad
-
Filesize
1.2MB
MD565d08c327551ef33ea0b2c4bea591d15
SHA1a3b4875f6b7d14389e59cda5000563fb3eaa1d49
SHA256e1394dfedbff04a1431977b78282119a8d0f596d9ee7304be2936f12eb2efa0c
SHA512cf5f0f02a1a9e83b9d73aea67b8ee6662e23756212f4b2cd9c58eefe8eb893c0f441feb5d98fe60fdfe0353befdb2ec0992b1be96ed80dc18e70076d1301fd00
-
Filesize
1.2MB
MD57ad554ce4234d1559983c37217560a37
SHA1787b894e9f98e855a8c8760a6849768c0968f10f
SHA256e5d5435be2b5baa58e00400cecbb628487eba3e77f7693d50fb3c28ccee4df3f
SHA512a0d0d9afebc4d86b1bb0aa806230dcfaf7d269b01d7690c7bdee6ba9746a18011a5375dbeb799525b2a9c4319e840f37fa99af4110c0ffeb7f69a5dcb72b6d45
-
Filesize
1.3MB
MD57761910d28c0747a6f101e3ed201b4e8
SHA135c440f08ec20a4425dbadafd3b71a14390a10f3
SHA2561a15eb5852c25ba4407218dff828f1607a4d0a8d827d3da6a8ae84bceab93aea
SHA512cdbf62da3631083c94bf7d835581cd9db9e466a63dde71b40cdd37d42fa93c919a4d7448fdfa95d5edab6d0fdad2c72ca7982f2fe26b92576cc9775c8b74142b
-
Filesize
1.2MB
MD536adf8d693a46fc0a93bf96ea3c26ef4
SHA1c335977fbe82b7ab9e97bfe612eec31270166c84
SHA256712a525d03053c71e81b444396258f17dbaf4679e21b51b218fa994926c09ead
SHA51256374bdd1882da58e1b97b2e9d2a105e4c7f9008edd1da69da6f06296661cdffb5958f4af2b26ec4c3798bce61956f3cb14dd0c85e21626817ea6ae7dec14d51
-
Filesize
1.7MB
MD56867cb45efbd1bddd5ee32e6b6570919
SHA164f8a948ded4700ee61c2e1fc913fa57eccfec92
SHA2568a36161a86b1fa06fc46c3aa937fb0b8fb9209669c3b045800620607ddbbfc70
SHA512c3d07f7f9c1aadab9d1fb8d62f2ab8ef2a3a3e0cec0ba5a8ede2a7432b130b2d528d697899c621e6143be9b969e8c7df11bddb4ef3f87c3418aca79fb4c713fd
-
Filesize
1.3MB
MD59fb3c591b1d9b43591fcfe82aac2e332
SHA11c82548d9d1e482f741efeb901a727a933a2cd55
SHA2567daef0ea46c1b24312895b851aecb6b5a5f57575fa6749f98ee9d0626eb8b145
SHA512045bf31d7ab947ef5f0954274a4bfaf302a1d6c4d983f9023cf6838f2f6349d08e603c4c1aecbd4fa1c386755502d3c45412f95441de104479c0ef7a20886b7e
-
Filesize
1.2MB
MD5d2d99719efa16e510784403969786c0c
SHA17fe2fe6e220665927e6cd53f5c6572d5e8515513
SHA2566ca55ed0374e8be7057426b6bbfd2e8c8d3d145dd56b8a576a5ff6423bd6c733
SHA512bc830811ae0defaf1b8994806643149b2f66829fe5725cc8892a818aa3bc683b9a287ef282c6c0d1714fe0f85632e43b642e7ed0378656d2a1dcb3ab0e941eff
-
Filesize
1.2MB
MD5398ad2d4441088f9014af1e3cf9ebc51
SHA1923b3944307fc474b4c54076281125bc2f2637a4
SHA25646d8b0bb7c2b930cb63437cd638984f3be6d6005467929a897072a565a76a25f
SHA5124a3291c241fd4dde10ec9e1ef5ef2dfca75feebc0ad88a4d77566d73c32d1c0cf6a3240f26a78a4c9aab4d15b4f93e8afa5ecfaa35c314d17e98b4bbe648de90
-
Filesize
1.5MB
MD59cdf08e317abaea440374af50f398ee8
SHA17ef5ff2d55f7c65807619d8e727e1f4c937b1ceb
SHA2569acba89eeab3c994664af67db7f256d41d2db78ead8bd5353cda110f2b071514
SHA512d698a5b81418d221c3306e2e47238d3835a6b02916a2f49993916b1ee0cf974adad79c1a589d16ebd5bedbd50151943608e55d577a8e13e17750766923022ab3
-
Filesize
1.3MB
MD5349c1157d4e9785f0ccedfc0f1219a64
SHA18579cf8524e570cce8e0311fb00173bd7fe7f89c
SHA2561e06a52031389ae95393f426cb82d07f892f8dc7120668fb941d6c61318fb618
SHA512a9c168eb1d7b903f64c265294f9800de03de7b4719298c3aa66c957a43d8f49bb8c59364c030976857c97647fc28e1b207d83ba8f79bce80abec23ffc481cb6c
-
Filesize
1.4MB
MD5a82d6aec2f3b6cf474d920d990b3bf12
SHA1553abce09bffcc2c215edef84c97f2e07f0bfe69
SHA2563e6334ea43c472ebaf82a1ba08458e720a82fa4ad32604137d9b37685a5fa437
SHA512442d1f5d2327b16f1ed052f0ea126b100de188da9511d76dc7a1ffbacfb91fc9b4aabde17bd0f617fbcbeafdafea0cdae7cf40f47911197d67f939ed709dfa9a
-
Filesize
1.8MB
MD5c471931752f9186163ac2aeb4d8a70ef
SHA1b48fa2a732a6d679062a1ffd4b1f0b86653ac5d0
SHA2563907713b9e6a4f10acb2007f125c544799fd233c664c6c28ca0627196edacf6f
SHA5125703970921ac42f53dc109156d360f738d4085f942cfbf792fe3c6276b7f8447c85015597706b2ccc2d24ec2881a0295d42e8f1e5513c7e804ddb7f03312f301
-
Filesize
1.4MB
MD5d8290b60f308768e2df4d2e9e8890a0b
SHA1686d4c67ab24fa541a75e8a79beddd63c920a205
SHA256c1d1ea07d323d4daba61606c0bfdd672bba4c9efc38159a9c5443088cf4973cc
SHA512a7f5fedc2f45192f210089bb73b9782bb83cc4678ddd08f6cb4e36881f7414aa2da580d101e7f69ab272815f610d9a831fb5b3fa1d07ab7ea3648f1e57e1d375
-
Filesize
1.5MB
MD5b9d1fd9b8864c07a9767bcf8f18dacfb
SHA15b107e33bd6e68c792fbef5bcda8b4866874e9f1
SHA256b59a340fe838f7d8706b182665bc36800b1e903a9f5cde2d3bd6cbdf679df5ef
SHA5123d29384db3b1782ab64105507236c616b73f4021de637fbba311a7e765e93b1949fe7a80b6592e31f86927122946e108248dff13d60db4666b0476edb8c15207
-
Filesize
2.0MB
MD53ebc92308f16fae412a89d209497af51
SHA10cb635a8c6f369333630705bd55fe45912079db6
SHA256b6a0e0e5019a408e0a716302da7994608ce4ba971a53f539e7c5dcbfe1332176
SHA51220764039a01593cf5e6b4c54f85de85122e824ed78f05db929ca74c8b2e604fba658561e78b1928c8297b0ca7e4df1a5c0f1d8532d3ac21d6a30a6997e83a4ff
-
Filesize
1.3MB
MD5f66a1de63cb5401213a3b573929fe544
SHA13bdc15f5c7ebbdebb08e14d0cd99e6649b6ae9ea
SHA256e16bfc888414ffaa7772b8818fa173c578a79adf92802daa74cffc7f4b2ffc2d
SHA51299c5d229e5292efbdd4becd43dd663d1ea0c3ac944aea51abf8f84c3483f0203d3bcfff9d2eec3522891d452032dd5057a80d8cd44d381bd8e0358c143960ed8
-
Filesize
1.3MB
MD51fd04ea607f1168e29d3981446430db7
SHA151664a18a5c49284ad9e52886fd5bfe5a20c1728
SHA25689a50040ccb1a0a394db45b737d1344ff2dce3c48e74cfa3ff93306166ba1f9c
SHA5121eafc4dea4ace080fbf94cd76156ba2f9abb9d2efbbb0e85752e125d21c80152719a7cb315ca5fffa4e3dedb8e0aae2fd4738491c22e72992456a2138eb6ab13
-
Filesize
1.2MB
MD53bbdc9204974ceefa297707c900c7931
SHA19e7ad005fa13e73602e558e2ad79c155e261a939
SHA25656e00683a5539294fe4cb6069b6ff2ea6512c63bbd10d7c665c3796fc067850c
SHA51275326f0d7079875452fd57b0c67876a80890dceb9cac653889b78e354417ba0f537ae43987e7d04de8713e5bfb567092310d055936485958a981eeb4963d8beb
-
Filesize
1.3MB
MD58665a906004f7257f092ae4e5f2a694e
SHA123cc050e172f247c40343b9fdf69fd9a77b4d625
SHA256b5366fa375d7bb9252e28f608e58d872d95e311b9c224cb6ac26d7482ba0149f
SHA5128086fb6ce07b33ed484083ef9d9d62d89fff5f9f8f33603105afdb15e82719313e2315f7e807ed1ee3afe20b494238193d652392857db99a710d0b63a92b0052
-
Filesize
1.4MB
MD57a89564d5afbd296721993df14e0e1c2
SHA10d1912fe816a5bbdb0e7c9824faf970cfc3c3127
SHA25617b3a3bd1b755d6538462cf8e807400f12155d3cacf0165fb3f95c9738b8244f
SHA512b4e6898d8e155630b6ba901ef15752f77d52371ebe4e23b91fd53d0804cce0410a9c489a1567e9324014eadc61b3a0b134fe98480232f996167d10bd25365435
-
Filesize
2.1MB
MD514bec35b1f3933256a297a34eaae0754
SHA1b77607055b0dd75c082e3b3304607e6f6a30baa5
SHA25652c3e9e87bf3370d8e09e3c8b82f7c90f5c7fc5e34574cba25e86883c49d28b1
SHA512f479ca353808c2ec5eb2bbf3ba50b9f143a2a93e3c58f65a2d91f406cd785cb4f8fb0f6aa6801fde08c30f8fb094c33a5e622d23da5c67a39d5df26e727c1614
-
Filesize
5.6MB
MD54381a106f351725f7a1de8fe7a241204
SHA14d7b942b682bc72a394e00fbc270311ae295f2c6
SHA2561c52bdeb7b70a7f4e32bdec423a6f899c687a89f2074a1beff89790900c49cc8
SHA5127072c24cb8a066a31e108d5e67ed9eff16ab2904e3c7c179ee382f8e0f9ecc99e73374be52252f477d12fd9857cf0b8c08e41c83eace5204b5fb4826f127e566