Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 18:36
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_3fbe63741a27db999db3d93df77c3bad_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-04-03_3fbe63741a27db999db3d93df77c3bad_ryuk.exe
Size: 2.2MB
MD5: 3fbe63741a27db999db3d93df77c3bad
SHA1: c819f9a98c370f99d9f2a685db001767ae5d9a6c
SHA256: f9a356e424d2679758c95214b66463344b077767e591853516d6f623fa55f375
SHA512: 31cbc802383cc92ff45a830e121c806ceb28edf7311744ef390977cffb9c6a3d2b716f1911cfd91222325eaf99ed8480a622734d9e1c6c5f0698bf4c1acb3855
SSDEEP: 49152:dOOh3aN4huLbegmtGVF+iK9bkAVFPdvLo:9U4hu/ctyF+iY3FPdo
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid   Process
1720  alg.exe
1768  DiagnosticsHub.StandardCollector.Service.exe
4780  fxssvc.exe
4876  elevation_service.exe
3112  elevation_service.exe
4924  maintenanceservice.exe
4856  OSE.EXE
2284  msdtc.exe
4824  PerceptionSimulationService.exe
2240  perfhost.exe
4172  locator.exe
1200  SensorDataService.exe
4048  snmptrap.exe
2736  spectrum.exe
4704  ssh-agent.exe
3952  TieringEngineService.exe
216   AgentService.exe
4552  vds.exe
1976  vssvc.exe
3036  wbengine.exe
2232  WmiApSrv.exe
4008  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (29 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
description                  ioc                                                                       Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log                                                 msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                     Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process
1768 DiagnosticsHub.StandardCollector.Service.exe (7 occurrences)
4876 elevation_service.exe (7 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1764 2024-04-03_3fbe63741a27db999db3d93df77c3bad_ryuk.exe
Token: SeAuditPrivilege 4780 fxssvc.exe
Token: SeDebugPrivilege 1768 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 4876 elevation_service.exe
Token: SeRestorePrivilege 3952 TieringEngineService.exe
Token: SeManageVolumePrivilege 3952 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 216 AgentService.exe
Token: SeBackupPrivilege 1976 vssvc.exe
Token: SeRestorePrivilege 1976 vssvc.exe
Token: SeAuditPrivilege 1976 vssvc.exe
Token: SeBackupPrivilege 3036 wbengine.exe
Token: SeRestorePrivilege 3036 wbengine.exe
Token: SeSecurityPrivilege 3036 wbengine.exe
Token: 33 4008 SearchIndexer.exe (raw privilege LUID 33, SeIncreaseWorkingSetPrivilege, left unresolved by the sandbox)
Token: SeIncBasePriorityPrivilege 4008 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4008 SearchIndexer.exe (24 occurrences)
Token: SeDebugPrivilege 4876 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4008 wrote to memory of 1312 4008 SearchIndexer.exe 124
PID 4008 wrote to memory of 1312 4008 SearchIndexer.exe 124
PID 4008 wrote to memory of 4984 4008 SearchIndexer.exe 125
PID 4008 wrote to memory of 4984 4008 SearchIndexer.exe 125
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run vssvc.exe is itself one of the dropped executables that was started (PID 1976), and no vssadmin or wmic shadowcopy deletion appears in the process tree, so this signature should be read together with the replaced-service-binary behaviour rather than as observed snapshot deletion.
Processes
Each entry: image path, command line, matched signatures, PID. The two indented entries are children of SearchIndexer.exe (PID 4008).
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_3fbe63741a27db999db3d93df77c3bad_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_3fbe63741a27db999db3d93df77c3bad_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:1720
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4380
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4780
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3112
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4924
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4856
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2284
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4824
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2240
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4172
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1200
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4048
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2736
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4704
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4880
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3952
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4552
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2232
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
  Child process: C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:1312
  -
  Child process: C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID:4984
-
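The process tree above shows the pattern that matters for response: the sample writes into System32 and Program Files (after enabling SeTakeOwnershipPrivilege, per the AdjustPrivilegeToken records), and the files it writes are the executables of existing Windows and third-party services, which are then started as "dropped EXE". A responder reading this report mostly wants to know whether the same binaries on a production host have been replaced. The PowerShell check below is an added example, not part of the Triage report and not the sample's own code: it hashes each service executable the report shows being written and executed, compares the SHA256 against hashes from the Downloads section, and reports the Authenticode status and signer. Assumptions: it runs elevated on Windows 10 x64; the Chrome and Edge version directories (106.0.5249.119 and 92.0.902.67) are those of the sandbox image and will differ on other hosts; the known-bad set is a constructed subset of the Downloads hashes and should be extended with the rest of that list.

```powershell
# Added verification script (not part of the Triage report, not the sample's code).
# Assumptions: run as Administrator on a Windows 10 x64 host; paths are the service
# executables the report records as written and executed; the SHA256 set is a
# subset of the report's Downloads section, constructed here for illustration.

$ServiceBinaries = @(
    'C:\Windows\System32\alg.exe'
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe'
    'C:\Windows\System32\fxssvc.exe'
    'C:\Windows\System32\msdtc.exe'
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe'
    'C:\Windows\SysWOW64\perfhost.exe'
    'C:\Windows\System32\locator.exe'
    'C:\Windows\System32\SensorDataService.exe'
    'C:\Windows\System32\snmptrap.exe'
    'C:\Windows\System32\spectrum.exe'
    'C:\Windows\System32\OpenSSH\ssh-agent.exe'
    'C:\Windows\System32\TieringEngineService.exe'
    'C:\Windows\System32\AgentService.exe'
    'C:\Windows\System32\vds.exe'
    'C:\Windows\System32\vssvc.exe'
    'C:\Windows\System32\wbengine.exe'
    'C:\Windows\System32\wbem\WmiApSrv.exe'
    'C:\Windows\System32\SearchIndexer.exe'
    'C:\Windows\System32\AppVClient.exe'
    'C:\Windows\System32\SgrmBroker.exe'
    'C:\Windows\System32\dllhost.exe'
    # Version directories below are those of the sandbox image; adjust per host.
    'C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe'
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe'
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE'
)

# SHA256 values of dropped files from the report's Downloads section (subset).
$KnownBadSha256 = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@(
        '75b587136c50c96976b096154d9f3e5ac6e4c83d1a2edb73f1e8672e3f165658'
        'effd7df3882ba8942e30f3a7d174e996d1abb16ee5b955c20f6384911e7b07f5'
        '86f050b556dd622d5c45e94d843843f3160d3eb4ee5122d4c9d1ee2c147e7b00'
        '97f4b52d562d4fd011a5e357ec2a977d3888d426122b4b0591a35f18a468eb94'
    ),
    [System.StringComparer]::OrdinalIgnoreCase
)

function Test-ServiceBinary {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'not present'; Signer = $null; SHA256 = $null }
    }

    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # A hash match is decisive: the report lists exactly what the sample wrote to disk.
    # Anything not Valid on a file that ships signed is the next strongest signal.
    $verdict = if ($KnownBadSha256.Contains($hash)) { 'KNOWN BAD (matches report IOC)' }
               elseif ($sig.Status -ne 'Valid')       { "signature $($sig.Status)" }
               else                                    { 'ok' }

    [pscustomobject]@{ Path = $Path; Verdict = $verdict; Signer = $signer; SHA256 = $hash }
}

$results = foreach ($p in $ServiceBinaries) { Test-ServiceBinary -Path $p }
$results | Where-Object { $_.Verdict -ne 'ok' } | Format-Table -AutoSize
```

A Valid status only means Authenticode or catalog verification passed for some signer, so compare the Signer column with the vendor you expect for each path; for the Windows-owned files, `sfc /verifyonly` remains the authoritative integrity check. Because the sample enables SeTakeOwnershipPrivilege before writing into System32, an owner other than NT SERVICE\TrustedInstaller on one of these files, visible via `(Get-Acl -LiteralPath $Path).Owner`, is another indicator that the binary was replaced.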
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.1MB
MD5: c26bd97a3cb9cc699e8efdaddca92f42
SHA1: c351d3cc3480fcf1e8e8af474d8ec6668f23cd09
SHA256: 75b587136c50c96976b096154d9f3e5ac6e4c83d1a2edb73f1e8672e3f165658
SHA512: ea7f9489d75f41113e925f6adbd87b7d59bba46003653f575890325374fef4240e4eda3cdac1753739068ecc6217d3e6a950d42721b0799bedc5f4196198dd1c
-
Filesize: 781KB
MD5: 50064179213ac4e38688fa5097dedb36
SHA1: fa87e098cb300597ca91f6d661ad746398ec2768
SHA256: effd7df3882ba8942e30f3a7d174e996d1abb16ee5b955c20f6384911e7b07f5
SHA512: fc4965b378eaad4cc8e61ca68d7c7ba6a1bf0028394d78dff06979f19464326b051c9b36ce5d7e79b8d91dfa04061abb3de42bbad9b7643b9f16b8c83af4a5ef
-
Filesize: 1.1MB
MD5: 8c62cf0d7f7813a295c33ddd86c5cd6b
SHA1: 2dc177eaa04ce0cf2be690facdac4b68f3155f1b
SHA256: cfc4c9a59c5e212561df393785426ed9ed33abce2e9ef15326cc4fb04eeb8b28
SHA512: 3bc7bef4198e8b41d4d118da7565bb07ae6a82874e89d061fbb7c580729493261fbdb69b442e942968bcfd6a9cb6b0da69df15ecabab03990372f341dd71980e
-
Filesize: 1.5MB
MD5: a07949f5d57bed5ba7024823254c86ab
SHA1: 10c26cddf2ae9e58dad4ccf92debf54efe5d1639
SHA256: d5f0ca4e0fbabb20e4c57214be7f5feb661e7ec018be9fbead6f6ba5fed1b927
SHA512: 55d7e600c5e1d9248c3d453a2515716bbce2f72a230ce449dd8d03e49a4c8931e3700469843001767fbb9f1c1872509da0a1a04aac04b55a96e4013d77e2b8c0
-
Filesize: 1.2MB
MD5: 755c8520eb201021c0c350e5d2a70740
SHA1: 890d42af68540d4ca23873d33583b65f57c30aad
SHA256: b2b712e87daab58302265ac97d2c206f6bb747b2e138c7251d7f53e26201dc18
SHA512: 1becd4e9e379a7615daa5a205fbda447d543a3075592dca0b415e9134bb3efa1ba0bff0ae89127471ad1c52467eb8bf1e475322cec57b4840afab892ab6419c5
-
Filesize: 582KB
MD5: 96f4f072e9d7a0dfe9abc6b3655ec02a
SHA1: ba21a18f0a6d6825a4182a87815c1fea437218ea
SHA256: 15f71201c6bac123a4a0c5e7b00bde11f0085c899888bdf7af625c45a91412ee
SHA512: 8d8d893b06442249bf0b48113fcb0344cf2b92e8a48d693e930d8414d8fc048581645edabf961ac6e10f16b1c6ae75c03a97acfbe7d98fa4db9c4e0b8243ea4a
-
Filesize: 840KB
MD5: 4083db405e4a688ec043bdc0b9e49d3e
SHA1: 4b1216e41bf7103371202d1c073cb3f06a42b058
SHA256: a4656dcfd08fec1561a373e27cebaebf662c2af1db43b5debf81d4382505b11d
SHA512: 05796f63391b7f0af60eef3c0b5ac350474beba1d0b59bc09e225a8c284605985e7be8ab22c9bcfda93c10b8d8b93cff52996d0fcdd6540cd277584d0ea8cba0
-
Filesize: 4.6MB
MD5: a862cb059648d3ab4ad18a290834c682
SHA1: b1df6f97a70893d3d431da4df8c38318be0edebf
SHA256: f745c4b6f6788c4217d2a37bf00814b7e6a82e0480a0b24d9392618457914035
SHA512: 215b4fdabac398b2ded4f099adeb508ed167a584a07187835c4e8af73507f63ced329dc73e72e836fe507a020418984aabea90100296ded5c9a3447e87ef7f1d
-
Filesize: 910KB
MD5: 6c176f099a10b50dc3b122ebd1918158
SHA1: 37bf7435e0b8cb3b1f589ec04b15379f56c07007
SHA256: 8fa9f7107b646bc36bdbf33580c7e5bcb04089d6f18d6c73452020b826e88b67
SHA512: 3350ce63ac32b0d7cc54eaba1be2ee1cb699442956f6d43cc07c558af427791e216c8682590fb8c296c703830e4b0c1fa13b7a4e005eb1d14024819fa4c61c42
-
Filesize: 24.0MB
MD5: da9a6948fb7beb76ed361cf3d1c29f1d
SHA1: fb96a68814e47ed44d68d65ff56bb224bb9565dc
SHA256: de7b43be946087deff71b17e77869224f5bfd2caab7938731d008c8b2ebcb426
SHA512: 742fd3b0ed4a39f8615ab60baaeb70744383c7c592743685f7c6791f5b9d4c86a5c8d4fd3d2afedc129b04a5112e6ace8cbed113ef13a0beaff5318b0f3914e8
-
Filesize: 2.7MB
MD5: 7844e6b0e50beb362342b1ef39cc648d
SHA1: e6493e98a6445e8c11055cf1042530b37e33c779
SHA256: 493c06b9c2133376c264ac289c66cb2dfc3839af6eed1185f2ac78547cfefcd6
SHA512: a208e1d8e0325647acd5d34853b678f37aa3c266fea740a8889a5dce1b89bdf04f6b62afdfdd76a7ee8b5ab90defa562dfb1e5564c9db69f28a890209af178d6
-
Filesize: 1.1MB
MD5: 623216710ad9d888c353c6aeea30ec25
SHA1: dc310ba97fe7c2348348642ba1940680ffd52591
SHA256: d401d05c32ee582328120edb28c51d5f1321dabe5f59283dc839f1de9dd39503
SHA512: 2f0f129afb2c1dfb0143af7be1c883536c8aba65930900a80763f663629e66c2ead42b484468ab1da4093bf0b3f3639321cb741a2f39b462dcb26f7c59c14a3d
-
Filesize: 805KB
MD5: c284b839e228ab7a307f3cc0fc88e660
SHA1: 099918c1b8d4be58f17b10f05d42e5df35c497b3
SHA256: 15f8610391a58ed91814f89d822e9d770968e00361b95b14d94b4228b137b0e2
SHA512: 7a6c5aef08718fd3ebde83a3a97785cf788b149a491765e9fdb37a8e2f0fffed5ad457e420831d23b664bd7617cbd8c68e4cc7d6aa3e87704eb8cb26d18ab96f
-
Filesize: 656KB
MD5: 05f9252f38722cf67ed282f2a075727e
SHA1: a611d969503492fb08b7d407858348dded1367ef
SHA256: b21200a011a530dc4d62764f0b115c7aa9968f90e82a2346d7f61613b671074d
SHA512: bcc5059afa3ca0b3fd1f5006278bc37c88efd4fa1b19c1f9325a631552a0df063b2031c81575e0d514a51094795a1bc5133690cf7868f6c2aac1e04c3fb24561
-
Filesize: 4.8MB
MD5: c51dbd874a539767c52168ea358ec0ab
SHA1: 2f2ddabd5411fe1ad3251114b4100699a8b40e35
SHA256: 2883a628c67f9a20d30bc5a06c4d06081711d8502aed4fd2ce9fe29bb52dc338
SHA512: 807fec3389b0f8870dd38bc408db82a090cc880c946239f1c306c4f9ccb9dba31d06f14093c3c0e8f62652720054816776130eed3e7883bd09550a3d95d7df72
-
Filesize: 4.8MB
MD5: 10eff540bb41f3d2dd23826a9b56ca8a
SHA1: 8763c3296fd3b2f50f4a840464f33f60ceaa9c8d
SHA256: 4dee3e5d79a776e4da99b5c2f01997c421c35b2150b0f6bf4c5ef2b811147251
SHA512: 04fe36f913c001f197b61d03231a3bf236808c5f5e5395187fd61665e347f40b485d22aa9e317af94a4c5f4cd445be010cc2e0f9100e913c32990dbe0801977b
-
Filesize: 2.2MB
MD5: ad190fd198c3ed66200c0de48c09a5df
SHA1: da98fa8336b4304bdb81c7fe3eef325682add53e
SHA256: ad6d11fed99447a48a28f97ee6d45526ef0e2df097614448f94ca4a74d1550d7
SHA512: 8931f90f4d722bf643b731c3ee37f062e168fdef8ff6099219a8470bdf106ad12e344f6bd3f9e3700c9f9f66d461cb27d064369a9933a724b32a9f1589bddca6
-
Filesize: 2.1MB
MD5: a8aebe3cbfe5b1c14c9cfd35aed21826
SHA1: 6d067fbafcabd6f5f50d2008ead4ccc62b13ebb1
SHA256: 61af735fc77e0873af59ded92a3008f8753f36eaadca4727bc3be0a2c23654f0
SHA512: 064746b0f6bf8c36f4ff4acc6adf8526e8cacd59d441cbc7ad6515004934ce25e09de2aff760d07bab487433d3a63191514a57de7e4bd10fc9ff502d07f2a87c
-
Filesize: 1.8MB
MD5: 315df9b652677414e079ca04da8b3942
SHA1: 0d2dcaf676cca5e97d346f2634c86ea09eeb44d0
SHA256: 1d7f17b1c5e5f50b20b42d08c4288a18c8a14fd91e9a1177f2c8696c1cb8775f
SHA512: b9139061f3270f0e03e8c5962451a06adc9face6da2c339bb5a7d874ea3860dbd4e005897f36eb5350d8c62f116e4989fa9f051b7cc09106ea06b6c5bfca77c0
-
Filesize: 1.5MB
MD5: 5dcf5642c98e6a0462724031f1402959
SHA1: 302ed0b5fb7afef60f27544ef96cffee299ab439
SHA256: 7b06006545d23aed7cbdb2873d611ce7a140b7031fbc662a3dfe8bb939c9a104
SHA512: 5bef2d9ddc45812e0fe4daa8b76c5a565a99b8127b090b661e54f091f091a4c7de27e4aa95cf7e2cdc89d05a5f95e22c063bc60587fb9daff341d8269a0ea69e
-
Filesize: 581KB
MD5: 036e0069245b5748abfb1cb786558f42
SHA1: a4959ae684ba1e34122fc7321aefee24c198f831
SHA256: 86f050b556dd622d5c45e94d843843f3160d3eb4ee5122d4c9d1ee2c147e7b00
SHA512: c2be3c6b14c7a28df6c3d5bb60532ac05923741189323f5a9c8b1e0e362fd678b2124c59b8c4df9f61e850f0ef96ce158b42595fb2929432d82c47fabae3d53b
-
Filesize: 581KB
MD5: 5826a15e756890841e247e62711e0327
SHA1: c9aef1adfe2cb47a9bbeb0d3174d37252b7fc6c6
SHA256: 97f4b52d562d4fd011a5e357ec2a977d3888d426122b4b0591a35f18a468eb94
SHA512: 8ae1834dd59be94ba08a53c9a0e16519616006ee86b0d5a6bfb432582055b2b642223fc70c97be90bfe7df198c7511eef9940f0cbae0faa265fb6e8de4a1bf62
-
Filesize: 581KB
MD5: 81641502dd7ad6a117f5b4386c584759
SHA1: 3b8ab2da5f18be843528120607d0461eb0caa68e
SHA256: 68ef259ea9a6a934c11f39c1f7f0aa5ec3e1965c782529b243d3cef61abdabaf
SHA512: 5e100f723e732a5b4e6823ea3c22e84849f4dc0fb253d60dd09b41e53cff543cb6b391db7028c85f453c3e9e807e93ee404a6473ea16854e873fc36eb5256cfd
-
Filesize: 601KB
MD5: 163dcf8eb7a93a89d60e2b1248d9311d
SHA1: 8dc4496c6267f847329bc82c30232f0b6ca1d072
SHA256: e65e12a6a11eb7851c00d2c69ada75ed8c963eee38d722a1303da9149eefb920
SHA512: 55c2b6d4ee966b0bb4e8652520812875b8f81eaae26f72223594497f8456a3701b2646d5fb30aefb2a6c79e33083e4596d0bedcbefda6dac310a18517ee8b284
-
Filesize: 581KB
MD5: 62fa30e5bab199b41a6f9e5414aa26d0
SHA1: 3eccc2a40f7c42507f8a2c1d281df5323ac1beef
SHA256: 02e654f9262253416a69e3240d76e8171f1999180fc4823ecd1795cf09d0c74c
SHA512: bbd69d9c3da922874b53409d7fc0b27acdefc57833b24b00f8e6ef1927a94625ee14bd88d30d347ec6aa718f53a51553d3229e47d075f43cac61ee16a46e0f00
-
Filesize: 581KB
MD5: eeeb102f91fe9578f784eefb4e2e0573
SHA1: 0d83ed81b5befab6e1328a8223f1a3e6548578b9
SHA256: 95fe046763b1bbc45f1b78934d425b705295c2ed4649e43c6d74e24eabb2ae38
SHA512: cfe1f6f7558c0311271b2eb0f763b39160ec55f8b626a9a677e169e210c9ce98065c1df75df7b408c6732e7905c2adcea987aecce6da7bd2f5d5da62fd91abe4
-
Filesize: 581KB
MD5: f9cb0efb01406858dd8f4b11396cb940
SHA1: 2f60015fb819c4a54d922044821e8fa13403fa40
SHA256: 6b7db4a15398920bb251fbd3cd3e5c122c49c91e14b3b234df78c8d4d9d28906
SHA512: a772699b70a537479a9aba31163b35163123305b2ccba34041938b2ddafd0fe1a2182555e78bedccc90fd1b1b2c7c18432ebcf00e5fcb832da1efb674e62df70
-
Filesize: 841KB
MD5: ee1e8990aa1af69510941714f3b02c80
SHA1: f2a15006e8e79d470d6036d2146c30a94a2379fc
SHA256: 3a0c3227d8e892e3777b360c5089952428561b1c756c8a871164b67045e3ddc3
SHA512: 2ccc9d4144e547a828477cfbf67341afeb2ce9393b0dffddf93c62503e804481609b636f2d53b5ba9070eb81e4ad7a92a792c5478bd97b598fb7302578f9aaf0
-
Filesize: 581KB
MD5: c7400e98d90ec3d7e741efdaedc0461f
SHA1: b09917a8c1fa3c2269299f12634d14806fd90fb5
SHA256: 5accc4fb6ea84f0b3916c46adb7755cb5fb0e5032d6af2961aa8825687356fe8
SHA512: a85464e074796a1e1d82b270028f99d7e77d7431505b3426bfe0032eda49bdc07d76c5a90c1e9c604d82ae6443b47df682137ca036ba89fd4dcca74addf232d3
-
Filesize: 581KB
MD5: ba084f4b593944b51d2218826efca866
SHA1: c7c31b54be8610037a26f0f465eb7bc96607d51d
SHA256: a6a4a9e7f50f6d41d805bcfb05b96cceedd25b5768587903f4ed6198c9141a44
SHA512: 275002e2b2bab747e2393b91cc020ca11c58eddea87fc270fb16a4b13faa96e5fb12133e1874208c866b399b4d1b145cfd4be4b275e2d31f295bfc521cd1bc58
-
Filesize: 581KB
MD5: 64aea77504f14dec42e59d018f0db061
SHA1: d2df58e22d1b89b350389769c52702ed62f76253
SHA256: bfe37c05a3e9d25a67d15ac0b7c9c94f465ddb693e208360625d0a44bd4c77c8
SHA512: 3f6a65b51e7fdb1ab7229133c8adbaed0d3b479ea8a235d3978ebd242a3fe82e2baa7cab06ebc4a54807ed2340d05ea32663a3b50c6dd543d357d78c9e752c52
-
Filesize: 581KB
MD5: 647fa41a290f7e698efbf7af54c59ed8
SHA1: 5985ac75e666d9a33a890713090c96e922b67067
SHA256: 065d9240b4080c416e9e03c0926c901650132d6659309104d54c57a47f842584
SHA512: 6ebf60acb87114cb645b24ac736533d47391b8e3a68492d93fcefe78bd5e32237682ffb3ef26a7e91a34fa122db4f1d90fbced46b27172074456f52ebbe99729
-
Filesize: 717KB
MD5: b8f3a402c8f6583fbaf05a33f5ded86b
SHA1: f51fa0f2f1f2db9424c28718a5192b61cc1a02ec
SHA256: 2f61ca278f1fd84524c028426a402444d8be994aaf9fde3f92a8f024bc6a6c23
SHA512: 77d76c2b2f435d0b6223441acd04ba26f16109daae00b6e643695d847ab15c727ce6cb894f7409e1c11ced8b6f212e6c9d7435da070d2b7cb041ca434955797d
-
Filesize: 841KB
MD5: 479cebd94b10bdbfd085578da940a46c
SHA1: 7bd3b4eba3d12a6b87888d24518555ff73d3616e
SHA256: acde231cdd025a43d5a50a2750f5e6325903e80a3d27a775e481cf9f4f72de75
SHA512: f9a2ed00300ef21529675d0f0727f6b5d7899016baa0f5c41d830ec49261b55d406fd05df1039e41ff73197a6dd6202621e061743c5a2e04eaa5af2e01b4c5d3
-
Filesize: 1020KB
MD5: 6a686f51995b3ea2e584a598c5ec7368
SHA1: 8d1d438cc5a3506ea638bf215be569ad36da529d
SHA256: 9a15850e435d78f9d595fdfa91e5821cb82f2ce5b2ce12857c586efc725b5177
SHA512: 8f22a26aed38b7655d7797f026f88625b7ead728e9e1859fece6db434e66d96b106540aa6abf055ff4556aaf670e508510a8c2fc8d28c8cec3505e4e88e71205
-
Filesize: 581KB
MD5: 49395e3e5d336a36bf5bed809a194fbf
SHA1: 88917f06e88c83537ad89c00564bf1fb705551e5
SHA256: 3a4ef259f338b746be420e5c542bc3746a1bf58a441d7c78157cb40257b00948
SHA512: 2beb030e82d7ba0938853bf529e356885aa2b1577003bcd8338fafbafc8500e9bcde2a3b558084926395ec85cd055600fb20cc89916cecceb5cbcac6261e8f3a
-
Filesize: 581KB
MD5: bd7c6345441f7f164cfe75162e80c04d
SHA1: 53dde782b31941ac77ad973df78bb91d43f524ad
SHA256: 8172459428d2c191a09bbe35b4b2b5965b788b48c96d3dd9c5c7c09bffdf302d
SHA512: bad44266cdedd2958317a11908297c04090eefa91649a8cf903d12bedb4698a8724f9de6207db02d29f4517559c9afa2ee724f8c7763b2cc41692fc1d8d7128d
-
Filesize: 581KB
MD5: eb4ef863a5be119a2e747e4d91b97de6
SHA1: c16b8fc39c46ce69875184ef24df8ea46c01eb7c
SHA256: 4e647882c63f7f5707be659537c2374826a2a82c1a8c78ced90eb7113d982bee
SHA512: a006dfc412505ad36b829d97506a6676bdb810c8fc790caefb9219d292119f4d5ccf7dc7f6417f46352e4114423fd17a3f8e0b3a2fdf59e393290e9ec046fe7a
-
Filesize: 581KB
MD5: e73f55531776468f6e2bdcb73d70b0d9
SHA1: 04ca8c5002c50c217d8e2e9c8703830af3717301
SHA256: 066a4bd4a9ab60d701fb75217d9e133e224cd03d2e955dfbf2119eb7f4a37342
SHA512: a6a9635b37e5f30576475ca8117a0f8eda5cf800a00686d164bb5f1a95e21b12409503e13f97a358ee6cc731ad091eb00035dbb43a298f3564e0830733318ec0
-
Filesize: 696KB
MD5: d292db942290136134e507aaeec82c82
SHA1: 3ad7967fb9c878204ce0f0537b65904f18c582d5
SHA256: 46e3bbd2f2332c895bdc98ecd342f2c2bdf0efcdb2c2bd400f52bdbd7ecde77f
SHA512: 4dc5b779dc94d1b24612d1a1f2c537a6f0d49ccb17dc6d02c5236a572383066aed4eb63b287efa8e69dd6c06e7f8f40232d76f829965b272902c589731efd045
-
Filesize: 588KB
MD5: 5e8853b7d390d2fafb6e5fbb4a51cbaf
SHA1: 0413055508c916e4c0efff5954b5017dcf91b251
SHA256: dd25caea01806a1afe3fe074d705e5787608d128643e1a020b8a26c9df217594
SHA512: a17cb2aadbe670f6ef9f67a3a16f4d2b1c15d21da9230acaf64585db67ddb7a3956ec8a408ced62a6795bf6d5233c08a491f1720e27f8ebd6469cf0b0af4f846
-
Filesize: 1.7MB
MD5: e2a72f9d741e3feb20b7efb472aa5c2a
SHA1: 4d474650bda277583e8c643e7f2ce1357fcd8784
SHA256: 72ffc2d8b12a5faa587cb46089df3e17ad7dc3f62c5702defd4f04d69290cd53
SHA512: c7bfe9e9bcba0cfc4ea83d529559aa153400b90198d5710dae47da017233d39a9e26a90ed10e52f8d833345c1d32e1c45bfeb6ec1c3e280338bc038a1a5f6229
-
Filesize: 659KB
MD5: 9b3d350e921596067bbcbee59f41d1e3
SHA1: 5bb35b478b9cf22e25c7877125a2f8f53e11e1f7
SHA256: b036012cf58e251acea83317ce364c05512ae6a1b133730899709b3d946aba91
SHA512: c75d29232649aaf98d9039e0f4b57d12039ca2f3641fc42a0de8cff2b4980a5495164dfdf508af0aa8a1cca1e0bbfaa87db0e885f5fe5efbbafd244f8f2a4292
-
Filesize: 1.2MB
MD5: b6283aef660df59c2bb3dce1350e6b6b
SHA1: f5f680392dabbd1549c8d5721da7dd04321fbb0b
SHA256: 2d27c52d9a62126cd54722c492f849bbbfa3ffafbe217535a83c25be3f85bfc7
SHA512: 5b614c44917637e20292cbd2742ede93d62098740634ea8dda42e586fe9dfb5b688955f6720af239c9aeadf4cf91e9d067c771ce34264fbafa333b425b0cdb19
-
Filesize: 578KB
MD5: b66f593c63d7ab11b301eda8a6e2fad8
SHA1: 31a55fd3288578d4b89ac9094fb04e8beaaf8238
SHA256: 4c4a4de3928fee834f2ff76b46aed164180321524ddf6431d219746a237878ff
SHA512: b4364d32fbad410be7d1434ffbdfe1601ebb8de0d35044b079c3f47c24e3caba52844ebc91625b77a86dc1dca61fec76cadc773dbabb986efc97bc6ff5381b8b
-
Filesize: 940KB
MD5: f7807766a92dbc189aaeb5eed5f8a4ba
SHA1: 7b0cad7836e066fb1866b8e30c3a905e768060e9
SHA256: 71dc5ced54c2acb359fc81b1ebfde923c307b001390af6c64509259b884efb1a
SHA512: ef48835c8a5f630c76b50e0e109f74273c181806fc590ee8a0024e6feb39d7ed1239bf8051e61c4c301e381220feea6b39066a01e54ba9f91b57b44920ca00cf
-
Filesize: 671KB
MD5: c8c2785293cfab7b062ca714f4ec6119
SHA1: 159bf4a663bba52f1f8915dfe470624341f2c1e2
SHA256: 80e6b416767464ca5abe447d15d6aaf3b03e7f3df65bb331eb0989d4538340cc
SHA512: 75d4e0c0488ee88e95375285556a702b14f77d28a149a737ea6525f47e5e367674dd60a5415f5849f807c62acb91206489ffbf4e67b46a143aece0a2eeac2308
-
Filesize: 1.4MB
MD5: efbbfd3fbf6ea2b1fa32be990300c871
SHA1: ddcf2b40e1136cb36aeec68212f752d283edd549
SHA256: 649925a3fc0f108d61f0f10edc8d859f387aa72709d906ffbebe5b3b0821673e
SHA512: 5b9ac55323f529189a71aac616dc6c07e0f5b44aba352140f517bc39004832ace45e4df74baee2efe0c4f3b9cfafb3b2b7b1c0ac99f426d1cfb47f7143d1cb03
-
Filesize: 1.8MB
MD5: 6943a03ef9e48da1bc65e077d1905b29
SHA1: 52a8569105b962a4b09453999b428edce39ac0fe
SHA256: 7434cd7bee14015b65015e4983533b78b5c8af04849a6dbadf5adcfe6c6f48b3
SHA512: 8913e26c6323f2955fbc70df0ea7cb4a7dc7376f52b0690bff3e5865aef3e30dc621e815bea87365fadff1ae87aa5b5c3f2ce37cd64306c2dbe1694a4506d1da
-
Filesize: 1.4MB
MD5: d3f003e982382b627c5a7d0bbf962dff
SHA1: a8e5989a85ccf0eabca50d2c87c5e7e6c5953385
SHA256: 3911b65d3f92ef8b1e8af0b554dffa9701631640ba3ff07f83109599e5f7ed49
SHA512: 0b3b3e27740c42c5518cb439a2acff05f91d5bad1e23d7a0a50b1a030d25dc2cc27b7f3ca87152e6d09cee616f56b0d301521fd002dfae880c03ef3d5984f478
-
Filesize: 885KB
MD5: 97fb7b67df0d244b9d8a4e5914401883
SHA1: aef98e4c6464290b3b8495caa38099d26ac44f37
SHA256: bc37ea8dd9daed0c1df04e35f2376bec1ef73afc2d97f8005bb4e44dab244362
SHA512: a59bf1669c0308cd4e6e935ed0ce718565aaa1afac687c1559d9445b168db50b0ac994aacc477a6bb0c05124f596223a91503c720fe8633164e4368d3b5aa41e
-
Filesize: 2.0MB
MD5: 251ddc44398eb888888638a6fe809566
SHA1: dae182dc9a01ce81306c2e416842223fece477b0
SHA256: 3818fd4709104b646e3526a3a870cfddd8e0f17efd506b7e78f37db6901a4227
SHA512: e00a31e5739510494ea4c84d1ef379a447690faf9e4a3fa630dc40ebcf6eede57f4ddf1b2da39d2237fa2796098c91c399b6362bdd86d58619f4df1bba68350a
-
Filesize: 661KB
MD5: 0cbf4f38b1c3ef3f4701b433bb8b3fc7
SHA1: ad9bfe17799fd5f60f222698a699abff1622073d
SHA256: cb275302bb357e4601474c8a6bbbb1d5d13cd3644ae9733d324a2b18c06a1dc0
SHA512: c8c47b53223cd8350e91f4547cbb3a4fa38b6ebc7479fe3c23ac2cc275a2cda06cd8cadf570057b7ab8387488ae6d4dadb3352de79cdad1d967a8fb060154740
-
Filesize: 712KB
MD5: 7e9e5ee7b0793b560664a06d66e9b07d
SHA1: 43c00d93a35ac698303d8f472bf53f66f7030e1e
SHA256: 082d928a2bc175bb2b052a7e934bbd613eed878ae8bfd15e2aee0884390ed3ff
SHA512: 5a00904bd80c3b0888e6cba502328266fa6aa9c343bb2be60af6d463632d12f5795ece11a242c9685911b4a2c813652d62dadf49837c34a930f98490d7d75138
-
Filesize: 584KB
MD5: e4e1b14736dc2d10e912264e6933ef97
SHA1: 3ee25d56cfd941fd04b399c8a70f86ab8f5d15ab
SHA256: dafbda1bb4600ce02a270b3f31eb55b5140756628ca327f278bf644a100c2304
SHA512: 0bc8c116fe5069f28818e3e1a7ea87110c0f69d10f37d48e36ee4741c6824f08ba72d0b27ffb8d32b9fcd34c196b5759f21bc1c49cee65515a56f3617c427dff
-
Filesize: 1.3MB
MD5: ab30f5db1bbd3fb53508ce87db4c8d86
SHA1: 4399d80dc8cd35e904d0bf95e453cbac4c986a25
SHA256: 440c50289a16d979804af435332adb2cb7674142153226d5a739c102a7549f61
SHA512: d24cc8823f94077e9d3d0f7ce4b39b7024a8715d381582cea87d7c342965e85737b6d63b7f858ca3265f505a8186c705351ec6d38c1b98c32123799382360c9b
-
Filesize: 772KB
MD5: 996de9b20cfbdc62d68695c0702ef64f
SHA1: 91ce7b896b5066b05f43a1631301bc6c3fa158e2
SHA256: d651601cf29871e97931c5bafae57f68512d83860819a2124cc73200cc7f3ef6
SHA512: 12d08199a2e68953231bfd6f09b2002fe4fb6139084f1cee60fc4ebb679bf5de9372229e99728826b7f63e239ef8053527a32e92af468a53f6527170b35e6f6a
-
Filesize: 2.1MB
MD5: a39800931f293bce1da3fd6332a29891
SHA1: a8924a5a8bf12edb4ae60ae5f86f7f59d0af1b40
SHA256: 805da778bbebd3ceecc928c62e34142ffb2e3f9bb51fd99de035755af3a5d3fb
SHA512: fa981cc515215a112fc7ded9deb3ecf38033d456482ad22d4b4460d2108dc55cd934d2657fda4f966d9c8297199c158f2322558019672e9fc05699e4cab8c8e0
-
Filesize: 1.3MB
MD5: 8153b9f18b5609a8a29a71d0c53207db
SHA1: 19f9cc4b07b2d20cb83e9bbca741a7e7e9230069
SHA256: cf043947255438dacba35be7258f7729b1818d36bb181b8d6d89744d2bdca648
SHA512: 3cce2074c1e478f79df52f15e73f04432592aa646c55dc6532b0085a01e9ce0451f084b0fed2303310193cefb98609f432ff0dc0adbe404b3688341f7cbc3a6c
-
Filesize: 5.6MB
MD5: 63e4b258ef395c212e3fab62ef06a06b
SHA1: 13cce2c213e44d9fd13b17ac214a914bf9301a08
SHA256: 94a3b65fdc05105fc29b13c884350006466ff6d8f527299b9727b3911cc97403
SHA512: 7fc8df74bf663f63d53c2b4ee0646fddf979089f92b2d348b8441277ceb78b6d5ed857068f7f9a14e90d6aef2649daaa47fd9704f8099715b24ca0f69e01cd10