Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 18:56

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_a9c34050c70ba4518c0a131fa5848ba8_ryuk.exe
Resource: win7-20240319-en

General
Target: 2024-04-03_a9c34050c70ba4518c0a131fa5848ba8_ryuk.exe
Size: 2.2MB
MD5: a9c34050c70ba4518c0a131fa5848ba8
SHA1: 179231877fa7c5e7f980e83e1f7f7b869caa763a
SHA256: 02be6e56ecbe4c064d2c3f67069d89512b072c7202ba9048dc835f09ddaa949f
SHA512: 86475bff3500a730d1b13ce38115fded8e770c244658d136efbba0ee6b64f17edaa3ab7b56a3eda236fe50017bb4e4959648dd15cd7ed9cb77dca1b58c6831cb
SSDEEP: 49152:4Nl7soq7sQCc1kyG2xHywRfHIO2Ts4bvDQP4suIRbDv:MD2311kaxp9qQPHn3
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
2148 | alg.exe
432 | elevation_service.exe
4624 | elevation_service.exe
4252 | maintenanceservice.exe
2244 | OSE.EXE
2348 | DiagnosticsHub.StandardCollector.Service.exe
3632 | fxssvc.exe
1936 | msdtc.exe
3576 | PerceptionSimulationService.exe
5084 | perfhost.exe
2448 | locator.exe
2548 | SensorDataService.exe
5076 | snmptrap.exe
4852 | spectrum.exe
1360 | ssh-agent.exe
452 | TieringEngineService.exe
436 | AgentService.exe
2208 | vds.exe
3784 | vssvc.exe
644 | wbengine.exe
4080 | WmiApSrv.exe
3936 | SearchIndexer.exe
All 22 processes are existing Windows or third-party service executables, and every one of them also appears in the file tables below as a path opened for modification by the sample, by alg.exe or by elevation_service.exe. The "dropped" executables are therefore legitimate service binaries whose on-disk images were modified before the services ran, not newly written files; the hash of each of these binaries on an affected host should be compared against a known-good copy.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_a9c34050c70ba4518c0a131fa5848ba8_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\66c2b110205991d4.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | elevation_service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77375\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77375\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | elevation_service.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
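The file tables above are easier to act on once they are turned into a per-process hunt list and a write chain (who modified the binary that later acts as a writer). The script below is an added example for reading this report, not tooling from the sandbox; it parses rows in the report's own "description ioc Process" layout. The rows embedded in it are a subset copied from the tables above, and the function names (parse_rows, modified_executables, infection_chain, root_of) are the example's own.

```python
"""Turn flattened sandbox IoC rows into a per-process hunt list (added example)."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Actions that occur in this report's tables. Anchoring the pattern on them and
# taking the process as the final whitespace-free token ending in .exe lets
# targets that contain spaces ("Program Files (x86)") parse unambiguously.
ACTIONS = ("File opened for modification", "File created",
           "Key opened", "Key value queried", "Key created")
ROW_RE = re.compile(
    r"^(?P<action>" + "|".join(re.escape(a) for a in ACTIONS) + r")\s+"
    r"(?P<target>.+?)\s+(?P<process>\S+\.exe)$",
    re.IGNORECASE,
)
FILE_ACTIONS = {"File opened for modification", "File created"}
# A modified executable under one of these directories is a strong hunt lead.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\program files\\", "c:\\program files (x86)\\")

SAMPLE = "2024-04-03_a9c34050c70ba4518c0a131fa5848ba8_ryuk.exe"

# Constructed input: rows copied from this report, one IoC per line.
SAMPLE_ROWS = rf"""
File opened for modification C:\Windows\System32\alg.exe {SAMPLE}
File opened for modification C:\Windows\System32\snmptrap.exe elevation_service.exe
File opened for modification C:\Windows\system32\vssvc.exe elevation_service.exe
File opened for modification C:\Windows\SysWow64\perfhost.exe elevation_service.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\66c2b110205991d4.bin alg.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe alg.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe elevation_service.exe
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spectrum.exe
"""


@dataclass(frozen=True)
class Ioc:
    action: str
    target: str
    process: str


def parse_rows(text):
    """Parse 'action target process' rows; fail loudly on anything unexpected."""
    iocs = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        iocs.append(Ioc(**m.groupdict()))
    return iocs


def is_system_executable(path):
    p = path.lower()
    return p.endswith(".exe") and p.startswith(SYSTEM_DIRS)


def writes_by_process(iocs):
    """process -> sorted list of files it created or opened for modification."""
    out = defaultdict(list)
    for i in iocs:
        if i.action in FILE_ACTIONS:
            out[i.process].append(i.target)
    return {proc: sorted(paths) for proc, paths in out.items()}


def modified_executables(iocs):
    """Hunt list: executables under system/program directories that were modified."""
    return sorted({i.target for i in iocs
                   if i.action == "File opened for modification"
                   and is_system_executable(i.target)})


def infection_chain(iocs):
    """Map each process whose on-disk image was modified to the process that wrote it.

    Matching is by basename, so same-named binaries at different paths are
    conflated; treat the result as a lead to confirm against full paths.
    """
    written_by = {}
    for i in iocs:
        if i.action == "File opened for modification" and i.target.lower().endswith(".exe"):
            written_by[ntpath.basename(i.target).lower()] = i.process
    processes = {i.process for i in iocs}
    return {p: written_by[p.lower()] for p in processes if p.lower() in written_by}


def root_of(chain, process):
    """Follow the chain upward to the first process with no recorded writer."""
    seen = set()
    while process in chain and process not in seen:
        seen.add(process)
        process = chain[process]
    return process


if __name__ == "__main__":
    iocs = parse_rows(SAMPLE_ROWS)
    for proc, paths in sorted(writes_by_process(iocs).items()):
        print(f"{proc}: {len(paths)} file write(s)")
    print("modified executables:", *modified_executables(iocs), sep="\n  ")
    chain = infection_chain(iocs)
    for proc in sorted(chain):
        print(f"{proc} <- {chain[proc]} (root: {root_of(chain, proc)})")
```

On the embedded rows the chain resolves maintenanceservice.exe to elevation_service.exe, elevation_service.exe to alg.exe, and alg.exe to the sample, which matches the ordering visible in the tables above. The parser raises on any row it cannot split rather than silently dropping it, so a new action label in a future report shows up immediately instead of vanishing from the hunt list.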
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments. Note that both processes performing these reads, spectrum.exe and SensorDataService.exe, are Windows service binaries that appear above as modified files and as executed processes; device-property enumeration of this kind is expected from those services when they start, so these reads are better attributed to the services than to anti-sandbox logic in the sample itself. The Ven_DADY vendor string in the device instance IDs is what the sandbox's virtual disk and DVD-ROM report.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. Here the reader is TieringEngineService.exe, one of the modified service binaries executed above, and the activity is a single open of the CentralProcessor\0 key and a query of its ~MHz value, which is consistent with ordinary service start-up rather than a sandbox check in the sample.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Every writer in this table is a Windows Search host process (SearchProtocolHost.exe, SearchFilterHost.exe) or the fax service (fxssvc.exe), and the values are MuiCache strings, file-association keys and shell-extension cache entries under the .DEFAULT hive. This is the activity expected when the modified SearchIndexer.exe and fxssvc.exe start; nothing here is written by the sample itself, so these keys are not a persistence indicator for it.
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f69fad9f885da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b13645d9f885da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9d704d9f885da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000913907d9f885da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9c3f1d8f885da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b7402d9f885da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2f4e4d9f885da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001426f4d8f885da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a3383d9f885da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebd342d9f885da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid   Process
432   elevation_service.exe   (7 events)
-
Suspicious behavior: LoadsDriver (2 IoCs)
pid   Process
660   Process not Found   (2 events)
-
Suspicious use of AdjustPrivilegeToken (42 IoCs)
description                            pid    Process
Token: SeTakeOwnershipPrivilege        624    2024-04-03_a9c34050c70ba4518c0a131fa5848ba8_ryuk.exe
Token: SeDebugPrivilege                2148   alg.exe   (3 events)
Token: SeTakeOwnershipPrivilege        432    elevation_service.exe
Token: SeAuditPrivilege                3632   fxssvc.exe
Token: SeRestorePrivilege              452    TieringEngineService.exe
Token: SeManageVolumePrivilege         452    TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege   436    AgentService.exe
Token: SeBackupPrivilege               3784   vssvc.exe
Token: SeRestorePrivilege              3784   vssvc.exe
Token: SeAuditPrivilege                3784   vssvc.exe
Token: SeBackupPrivilege               644    wbengine.exe
Token: SeRestorePrivilege              644    wbengine.exe
Token: SeSecurityPrivilege             644    wbengine.exe
Token: 33                              3936   SearchIndexer.exe   (privilege left as LUID 33 by the sandbox; that LUID is SeIncreaseWorkingSetPrivilege)
Token: SeIncBasePriorityPrivilege      3936   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3936   SearchIndexer.exe   (24 events)
Token: SeDebugPrivilege                432    elevation_service.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
description                         pid    Process             procid_target
PID 3936 wrote to memory of 4244    3936   SearchIndexer.exe   122   (2 events)
PID 3936 wrote to memory of 2088    3936   SearchIndexer.exe   123   (2 events)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. Malware, and ransomware in particular, calls this API (or vssadmin / wmic) to enumerate and delete shadow copies so that encrypted or damaged files cannot be rolled back. In this run the trace shows vssvc.exe starting (PID 3784, with SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege) but records no snapshot deletion, so treat this as something to verify on a suspect host (compare `vssadmin list shadows` or the Win32_ShadowCopy WMI class against the snapshots you expect to exist) rather than as confirmed destruction.
Processes
Reading the tree: the submitted sample (PID 624) takes SeTakeOwnershipPrivilege and is tagged as dropping a file in System32; alg.exe (PID 2148) and Chrome's elevation_service.exe (PID 432) then run as dropped executables, the latter also tagged as writing further files into System32, Program Files and the Windows directory. Every later entry tagged "Executes dropped EXE" is a legitimate Windows or third-party service binary whose on-disk image was modified during the run before it started, so the run is consistent with persistence through infected service executables rather than through a new service or scheduled task, neither of which this report records. The "Modifies data under HKEY_USERS" activity attributed to SearchProtocolHost.exe and SearchFilterHost.exe (MuiCache strings, shell-extension cache and FileExts keys) is the same housekeeping the Windows Search indexer performs on a clean system and is not a useful indicator on its own. Each entry below gives the image path, the command line as recorded, the PID and the signatures that fired for that process; indentation shows parent/child depth, and "\??\" is the NT object-namespace prefix as the sandbox logged it.

C:\Users\Admin\AppData\Local\Temp\2024-04-03_a9c34050c70ba4518c0a131fa5848ba8_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_a9c34050c70ba4518c0a131fa5848ba8_ryuk.exe"
  PID: 624
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  PID: 2148
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 432
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  PID: 4624
  - Executes dropped EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 4252
  - Executes dropped EXE
  - Drops file in Program Files directory

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  PID: 2244
  - Executes dropped EXE

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  PID: 2348
  - Executes dropped EXE

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 4544

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  PID: 3632
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  PID: 1936
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  PID: 3576
  - Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  PID: 5084
  - Executes dropped EXE

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  PID: 2448
  - Executes dropped EXE

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  PID: 2548
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  PID: 5076
  - Executes dropped EXE

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  PID: 4852
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  PID: 1360
  - Executes dropped EXE

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4552

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  PID: 452
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  PID: 436
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 2208
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3784
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 644
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 4080
  - Executes dropped EXE

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  PID: 3936
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      PID: 4244
      - Modifies data under HKEY_USERS

    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      PID: 2088
      - Modifies data under HKEY_USERS
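The correlation the tree makes visible (a file under System32 or Program Files written by one process and started as a process shortly afterwards) is what the sandbox's "Executes dropped EXE" tag encodes. The following is an added example, not code from the sandbox or from the sample, that applies the same correlation to endpoint telemetry. The event model assumes Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records reduced to the fields shown; the input events are constructed, with PIDs borrowed from the tree above and made-up timestamps because the report records none. It also adds an expected-writer allow-list (an assumption to tune per estate) so that servicing-stack updates of the same binaries are not reported.

```python
"""Flag a process whose image file was written earlier in the trace by another
process: the correlation behind the report's "Executes dropped EXE" tag.

Added example, not sandbox or sample code. Event fields mirror what Sysmon
gives you (Event ID 11 FileCreate for writes, Event ID 1 ProcessCreate for
starts); the events at the bottom are constructed and only modelled on the tree.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Iterator

# Directories where a freshly written executable that then runs deserves a look.
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Writers that legitimately replace binaries there (assumption: servicing and
# installer components; extend with your own software-deployment tooling).
EXPECTED_WRITERS = {"tiworker.exe", "trustedinstaller.exe", "msiexec.exe"}


@dataclass(frozen=True)
class Event:
    ts: float         # seconds since trace start
    kind: str         # "write" (image written) or "start" (process created)
    pid: int          # acting process
    image: str        # acting process image; for "start" this is the new process
    target: str = ""  # for "write": the path that was written


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def dropped_executions(events: Iterable[Event], window: float = 600.0) -> Iterator[tuple[Event, Event]]:
    """Yield (write, start) pairs: a process start whose image was written by a
    different process at most `window` seconds earlier."""
    writes: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "write":
            writes.setdefault(_norm(ev.target), []).append(ev)
        elif ev.kind == "start":
            for w in writes.get(_norm(ev.image), []):
                if w.pid != ev.pid and 0 <= ev.ts - w.ts <= window:
                    yield w, ev


def reasons(write: Event, start: Event) -> list[str]:
    """Why a pair is interesting: location of the started image and identity of the writer."""
    out = ["dropped-exe"]
    if _norm(start.image).startswith(PROTECTED_DIRS):
        out.append("protected-dir")
    if _basename(write.image) not in EXPECTED_WRITERS:
        out.append("unexpected-writer")
    return out


def alerts(events: Iterable[Event]) -> list[dict]:
    """One alert per dropped execution whose writer is not an expected servicing component."""
    found = []
    for w, s in dropped_executions(events):
        r = reasons(w, s)
        if "unexpected-writer" in r:
            found.append({"writer": w.image, "writer_pid": w.pid,
                          "started": s.image, "pid": s.pid, "reasons": r})
    return found


# Constructed events modelled on the tree above: PIDs 624, 2148, 1936 and 4544 are
# borrowed from it; the sample's file name, the timestamps and the servicing event are made up.
EVENTS = [
    Event(0, "start", 624, r"C:\Users\Admin\AppData\Local\Temp\sample.exe"),
    Event(2, "write", 624, r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r"C:\Windows\System32\alg.exe"),
    Event(5, "start", 2148, r"C:\Windows\System32\alg.exe"),
    # Servicing stack replacing a service binary: same shape, expected writer, not alerted.
    Event(20, "write", 7001, r"C:\Windows\servicing\TrustedInstaller.exe", r"C:\Windows\System32\msdtc.exe"),
    Event(25, "start", 1936, r"C:\Windows\System32\msdtc.exe"),
    # Never written during the trace: not a dropped execution at all.
    Event(30, "start", 4544, r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for alert in alerts(EVENTS):
        print(alert)
```

The time window keeps the join bounded on busy hosts; the allow-list is where the false positives live, so keep it short and review additions, because an attacker who can write to a protected directory as TrustedInstaller has already won a larger fight.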
Network
MITRE ATT&CK Enterprise v15
Downloads
Files captured during the run, with the hashes the sandbox recorded:
-
Filesize 2.1MB
MD5 1b569d7d75b491c792ba2ce0c9439d0b
SHA1 19135879514e0380d55a18de06b41f15dcbc601b
SHA256 a4ae1719865b653f23c53cb3ee1e1be29d77936030f155e17cbb2c9b6531cee0
SHA512 7535ca6e20b6836993950ff4ede86c2682888705e61d71c42d136dba83f7c039b795a56aceac4a0a1c862622fe8196913c236d4155b65402ef854fdb451b26b3
-
Filesize 781KB
MD5 a1b9c9f7ed8f69362c1bd66fc94c5968
SHA1 3da06dd6538060bcb167e964ebb497b421b4747d
SHA256 8c1b819aefe1c2db12ccd85bb171c8a51402cf9201beeea0c673e7fd21c42d3a
SHA512 fa27ee9e3265f22fb37d8af574109b72355d77ffb152b3b5fd775bcf255d73ff563fd85a12bc2e6eba49c66c7ab2ac888904cc7fc05614ea306566bf448a04e1
-
Filesize 1.1MB
MD5 e3c9f386b9274cd793fb15bbb276d5a3
SHA1 5f722ce27d749f38e13b5b60cccf5cf15cad94e0
SHA256 2682d5d43e7e7fdb18ff43d000d58bbbb769d1a6dfb909ecef5cde854d217ab0
SHA512 4c8e84388a79af8de0868a79dab5bc357333de305b8d11326678bc2d8f5d0ac6c0f71cfebf969d248b084a943fa6ecffb20fd391cb6f721642e7b59ff5de5687
-
Filesize 1.5MB
MD5 2915eb373443082235c57eada4600140
SHA1 bc58e46530dbb24f0f12cc62512cc212fa05c641
SHA256 03180969f527cd33dc50cc3584d6ecec6366091b46a969de95a3ea450584dc01
SHA512 9d2df71085318fed97fe6ec05b6b3e08ce96b9fdba58ce14843b55228a135efb7a438ffa383d930b03620c76d13d76a961baa40a3f135552b3a2b3dadfdf86f7
-
Filesize 1.2MB
MD5 044db04f9a8fdc025f127bbd35d087fd
SHA1 d29072db77d8de5f2b1f448cc68fba826825e9cf
SHA256 6c695f02de801b36aef14febc2bffbf91c298422f6823b335041e97f8b99aa77
SHA512 bdc42ccfc82d4e22a1b0c0967d29aa9af6e5db0050fdefa2e65e7b91a9d9d27bfe2fac1680aa17a9e1cd37260ed80e20543782bb80ddc62b0cdea9334d36d243
-
Filesize 582KB
MD5 318be854e795bc36b167bfa2b33ff37d
SHA1 a0f2885b4b2b82a7498e48c8d91db73184825e90
SHA256 378b1cd89488f6e010e2faf6b75ff4b1a79c0cfb09b5de6805f4c4181d7de24a
SHA512 5d1fbf0d529dec9f95193af2b28d281d7a0ff3a5bb3f022dec87eebca9b4add9fe56134661641b062c442abcd4de0e80e7e0125c3989680ab7f448c605f697b5
-
Filesize 840KB
MD5 bf3e804ac70a047bde244c0dafb82e97
SHA1 5e4f095d278a3686e6777f2000cf5e9e7df455df
SHA256 fa1b13444eb5893e20bf1193dd24d013e02775ec53877e1ce913efc594738f60
SHA512 2adaa13379abcab8f6d8cf7a9226cd1c70148a2a87cb75962e0250b5670c4ddd6d338045882cfa49ec8afda9bda4ab3b67e5d8b335cb9b96b8c7e29f7897a83f
-
Filesize 4.6MB
MD5 0376e8f5ed47437dd83c4228b14ead14
SHA1 353f9339b8fa31ab32ad12987662a3f2fdc592f1
SHA256 2f309964fbd5f9fd7f33e266182e4792b0c4077a043efb93c79ae1c943f462a5
SHA512 cac8be77657a605bf2565428799297b2cdbb4db235aa6ef75cfd1f55055373a0b456729a6e4731c65747bc9bbf02570824728600c5654c620a93d12ef5e81f5a
-
Filesize 910KB
MD5 4952c7dff06edfd879f73ae72b61957c
SHA1 181c6e19941941961253468540f0f42af7471e0e
SHA256 126777cb02fdd0f7bf1b1adbb7603667471751425cee9557d7e59335dc3aaaae
SHA512 1e8a96163dd6c6a010408d138920239ad09dd0157b1eea834aa3c729af355f1cf6621451ae7ea78a8da2ab41025df131d2eb5ffd894c40a603403e0bd8535d5f
-
Filesize 24.0MB
MD5 a56e90ec19b0c8813a8dd1f84439d026
SHA1 072a0b3474d4cb86a31b273df23f3b2d48369449
SHA256 6d59c2a6c5ec5d800cd79bd3230e48ded1192e187475e9b250b2450a11331d1a
SHA512 c4d6466fe8ced3da1caea725531c5ac54700bd9ae60e2217cbe7c365ee783940a1d03172ae65b7c72849cdee3e81497c36c895e694f298a97188c6cc536f2590
-
Filesize 2.7MB
MD5 d01dc41c66f8588c98148ce492673462
SHA1 aa6f80268b7e64625ff1d6c715aeeec38cbcebe2
SHA256 32b8f8f9b05144c9b38f9376d6204e3e62cc10bfe3ec74fcc376e6e2f0a2068c
SHA512 2f0116f4e3f9fc8ce1e3c8cb913ca4195fde6d958f8e5c07559274dd40ce95b8034f519ea936764da6261eb16578fc1b58c38dd734f1ca220db00c2b704c28df
-
Filesize 1.1MB
MD5 dcfac451462f3e1cd7c9617b7e855bf1
SHA1 71aea364165ffd3246fa7d7737861d99c30f9334
SHA256 b81447f419dfaa7c285e4731926944b367b0119959fa59d539999d06f20e3ab6
SHA512 e19a491ddbb04dd63bf78fc4768f97dc26667ff8f8f58fe5ecd19dd405ca56f8a498d72bcebba4a72815cd9b4eab977a3aeebc2a615b809aca4ccefee96e7af2
-
Filesize 805KB
MD5 efbd4e945eb97d967dc0932f313ceb7c
SHA1 fca0f1f536fd5990ce452bc30e4557ae8bdbb83d
SHA256 cc2cbe06d83d5ea0e6efccf20ff1397e9291d3bfa020d263c7ee89e363106124
SHA512 acc2be2758efba9cf6d62fa9c49ac8ada0c3240391f93be4538412d6266105f86f2ca185f2feabc2b7f3525285dce8a582b1bbbbb5e32eb07f405eb7cb35939b
-
Filesize 656KB
MD5 d9bb9f0b641b3df1f22fe05aaa992cea
SHA1 41943418622ae162bff737d1763ea2155e75d349
SHA256 a19309b678770e236cfdd119ad6d5cd9cdfe3ad530ea46a44f651024c53070f4
SHA512 46c9a8551c3cd0520bd9e482cf22ba0b50287f17735ed718bab8cff82efb30b2cf3fd57af52403f1495ba155c9508833a736d520bc3f77f4aaff28baa00c2ced
-
Filesize 4.8MB
MD5 0a7e34c1ddab89c7059c9ddc93e6859b
SHA1 2f31a057b39541d4ad2b97fdeabe1ce29cdf6857
SHA256 9f464b18eefa21e805181b486b3909ebe321abec76084cba7492da1499fce0e0
SHA512 ee74939080a331159c4570e9359f532b7e10b907543666056a674ee23748c6b532d97896234673335681adda496aeb9831d69e1b756ef7bfcc3f5f184855e043
-
Filesize 4.8MB
MD5 8db4cf4f9a3e17a3181f7deb7776f99c
SHA1 cc69c782a6bad0a9d1b6d5e55275133f8d261484
SHA256 788d6afe46a7ca4d699a9446a98e047e1c3f88c069ebb7b3cd3f9ed5e8aa656f
SHA512 26b2ab9fdd9d6512ddf169a1b91c78bc8d4833d654473ae939af413fdfbd135eaa40257269bbaeb0e1196dbfa05c468afa2fca0a8dd417a35b8bda3e9f4a35eb
-
Filesize 2.2MB
MD5 4d98d68ab70e07788f329cbe879fbb9b
SHA1 9834b2ad025d527fdb9c21e632546bcd4455d38c
SHA256 71114c310d2e918ab6547a883c30b3d186cb207a26df8d32fd4139a270d21b37
SHA512 bae51766ea5b02aa6b9cfdaddd4a8aacd707a33332ff1e26d8361241892a5c00cabc397900290f4583ae5b8ae12eb3fff7592529d25961b5dbc45032ab2ce70e
-
Filesize 2.1MB
MD5 953b5578c6e6e1cfa555ded6e68b47c9
SHA1 bca8c6b6f2f3b64d92f1e1729b3bb906e8c8f689
SHA256 540ed896695c983d57b9d5de3c140f2d5995d0bb569973f999bb594cc804ed09
SHA512 06ebfe17a272ab7978e1f98ee15d9455f7f147c53c4f8d2a5c6e617e380fe0c671371dabcea06177a53e639c9f204fdc789a77f1cf4a291f65291522292eb1a5
-
Filesize 1.8MB
MD5 1722d2645d32f5276f54ddf5219c7104
SHA1 d60e042ab7bc25427fb73f428a9a4c1b1430d8c2
SHA256 3eb57ffeac21c5b9ea7dd559935bdeba105c24d82b6927b312c242ff23453b41
SHA512 d39eb51c9da503d7b5812c1bf0ca676faed96ed0f17d34946b6b1af74cbc25dc16899d71ded76ceb5aad04e4fff364e88b12b277b6fb40b33e07aa6e39364311
-
Filesize 1.5MB
MD5 d89435547febcf354914e4b187047e8b
SHA1 350962caa90931e01421c631f12ef1c22e0e4f87
SHA256 5c76b3ab8b1828f657b54f079a27cad84534a6a2147c8b6a613304e00344eda5
SHA512 d0ce246424a416cc44534d4a7acc6ae7a5052c8a78f318212f914e5d894b5611455d039e0221c3959515afde47902f05ce1ceaa9097dd9b1aaa0faeca7b8f998
-
Filesize 581KB
MD5 c1d1d1b12ade97ac757fe00040fa5fad
SHA1 45b49722b637ea270ab49b9d7ecd4874bc4ccc57
SHA256 ec53b60ccfd9b8bfa0ac95938b5e4f9d6b2e8881eadb181717a168500f90d584
SHA512 cecef8a02d1e046a90fd3428ca8ed41c893fcf70a1f70df08cac25ebb033c773225778acd9a3ca0c7ca2c2e3a0063fc0a2a81ed6a7596369045235bbf5d46a94
-
Filesize 581KB
MD5 4f000bd00e7c98677bde3586b1e41ad1
SHA1 bcda2e859f9abc10bcf538c41dece78450642085
SHA256 c47d079e7ca3865eaad41bb5b0de1bc1c1d0110085e467a0f77474925b5cb8b7
SHA512 9cee8fad15014493e097572d9fd5eb56d68f1057903a87f16fc42ea9a8c086e36add24158cac43aadb8860a3974009756703f45ba5ed68a2eef28e7a371d11d7
-
Filesize 581KB
MD5 24655ed553bc0c6bced769cdb14e282e
SHA1 903ac23f3922bd5142c1afacd98e6e4ec7810ff2
SHA256 19bf4bee5959adbc33b82c92beb20d55bb3b53880fdb40d19ceedf884f19ad24
SHA512 ed59dc48c269605348845d457c58010ef38d04905d5ed889a5c4c97b849a7da564633b98f3ccccb42d88fa97993c1f8ddfec313a94ebfd3a6441a802ae381ea1
-
Filesize 601KB
MD5 e4f06cee24ca3e46e3bd6336b3620f38
SHA1 6daad35b763698e2b91e10c320dd6e4de3069737
SHA256 f037f08013f49b971c2d35e2a3c7c6c8dfd1add17f4bbddebedee9517fb6c678
SHA512 393735dc4a307a0e946f0efa255bd50edcfb6b9a0a4a5c48eddf6c448f2b9bc2f8de8080f601cc7cea0efcef97251a9c9d24d4479f6cab68da790404285972f6
-
Filesize 581KB
MD5 296bd96ab00ffd319e631b40ef3e9c76
SHA1 ac2e40b3c6de1cd926a36d9d6a5afca0a533245c
SHA256 66e772da5005306d2a7dd3678ca641c4b1f5d7d0bc726eb36e8bca85ecf5364e
SHA512 b947b33dcedd8de20f7cc07001618ef358d291305246ce338e06f64666d72620c0dc1797bb59df210ca50033b7e30b19d092cc656aea382eae536b524837032b
-
Filesize 581KB
MD5 9b35a00c4cc1fb7042c3a044724ab8f2
SHA1 94b3bb9986333243fb2f59bbadbdb7516b060b21
SHA256 338c64265f70ce0493735cf8be6d9bfe2e67fcf5842a0df536c36e0f503fa80b
SHA512 fcbe7d85051d9cf6cf61ea0691175df5e2b09f681ea24c74d7ae6b3717cf61a846e6046ef18593f1d47c5d81b6d4c19bc80bfa96155af270156a9fa308c6146d
-
Filesize 581KB
MD5 c43a57200bb9b030f2e66a40a0b999df
SHA1 3b5ecc304ccfd305cff0412b2610bdfed781a541
SHA256 558e53d6f086b315f7003cae6e3c788d1a589263c450aaa22b2965f58ac37a85
SHA512 d2ce95e08398a79baf3496f9d64700761ef2700c6d309729c374ed3961fb029de66305316b7a63d99f9b414fad83e718c048376857fcbc7b19053e4264152f7f
-
Filesize 841KB
MD5 a1e4c978d307c7f8b25559244ccb0e54
SHA1 2f2db43b3b1a603fd562f5d63d686f83c1eb6f65
SHA256 ea7265aad4f9fb38c1fb9b94a4882f1337ab1a752f068a79d0044eabf2023fef
SHA512 64ca85786f6d2c0c4647d61484add93a4cb341457667a95feb6b9fc79ec4ff0dc41be3a5fb7e8910c962e6bcd25e81bbc33d4ef1aac814dd0ae9001dce0042ce
-
Filesize 581KB
MD5 98a6cdd2c669d34cc3c04baa431ba226
SHA1 daa1abbda4cc32465d1ed3931ace801214ea5631
SHA256 c43839ad19046c56b7e8ec611e28b102101f2b3960b19d581153d3c4100376db
SHA512 714bb272e465f2355b2addae270b609520821226209d30819898a7350b7b0a342a4a565f60aee7a158be4afa7e37a81df4923ec010f1b126676fbd21359f7b6b
-
Filesize 581KB
MD5 c145b5268582002edbf53411d0ab637f
SHA1 b21d24b7e689100eb3e15ea8f10f38543bb9be0a
SHA256 712f74f34debd0009b74a981098e2500745cfc525f0179d4b8eae7ff3656b097
SHA512 37a5f3b3f8224f7e77f5daca78939c3c7d3338cfe8c861cd2d8b37b9bfadf733bade86a04273f49fa1f65244749ce3b330527cae89c2e5559657d2779756c702
-
Filesize 581KB
MD5 2f6929f869debb4639e56bee07f80373
SHA1 39f9d8588f56882c231e3dcb08144d336d1f4624
SHA256 69b528b56a7734b95f4d7659e3b5e8659683704927a0e00fb6f7015b5f389885
SHA512 96ac1436be6dc0b6d62f1d6fc4f57f2aa281509d25aab02900ef023dd6c421f65388598880b0d5d7de7d223089ee7c3947ebab8bc8077d2bc1f665717a03db6f
-
Filesize 581KB
MD5 0eddea29f6f53fb5862cdc26c3836959
SHA1 42eaa69f9cd4e4a130fa21c07ba181ef83e048f8
SHA256 bfe757d903ef695b0e7dcfcda06fcb9a21fb348b79115b84c28ed95448752f28
SHA512 3af7855621a8dd1d9f0733f9d5ddedeba093283c47972289c1f0d8bbe1b756bcd4ba0c264dc5f72293956d0bb5eb70fe6a893d4fcc021c8b7a04ea5b980287cf
-
Filesize 717KB
MD5 9b6014330248c4b56cdec030fd70a320
SHA1 022bb22ec7ae4d09f7cf07ebbd4507893fed15a4
SHA256 5f5c20188f4327ec83867c218cb6b95617abf9cb78d0fd80508183b97ef033b4
SHA512 a5d6cfcba3513ee9a66d98dbdcad45b3c422153fa0a407d040efdf11bd9babc0af1d98c39e65a94844759098ee0fac60745f4f9bd0f14cd9f2bca72a288ec567
-
Filesize 841KB
MD5 3e3315777f5f6383961f057866705649
SHA1 d7dd9a022208a2be12a6d0e1c088597145694747
SHA256 9a0d9ed094b4f906548740a91428d8add4b67c74fcf0f060183b0e99c98684ef
SHA512 90979f679abb15e692865eb7578dc92ff5bf93759afab15c487aea80379f831d4492874e8f0979490254ca192525de53ee8197436a5e0be77d81c3ab2c962bfe
-
Filesize 1020KB
MD5 8b99928eead82028e95022ae9f95f094
SHA1 379f18475d67f25fc647ac40522084773d3ce655
SHA256 763919a8602e8b1fa8b0e561e8b6a91581ee318580c2e78e69581bf9e0340ac0
SHA512 858decf90c5db58aedd18b1d1fce13fda433a4899c6a0dbc1986258f82d032350297eb003891f27e1020b53d9e7117044ed953bb095d975f3fc0b974c1c8dd66
-
Filesize 581KB
MD5 b05ddd662cd4e3e2576ca30e1aa9035a
SHA1 316e9eb20786c183775df1a673573f6d4695ab48
SHA256 1242b87734be55b349f91753575d779f235e1ef271456b602edb6969316b3d18
SHA512 e1e88db6fa4b87e799a0cfd803b55f53a104ac2908f0079765d72900cd10af759d6ed54c66666a781560bd5e7b723d7b01a2dfaa6dceb875b30975f238c730af
-
Filesize 581KB
MD5 c3e8f7873412e3b5037cf7bed5aea6fc
SHA1 7c3263b3ee4155facb45e44c75bcd830dc0e7fdc
SHA256 0c493899bee3fea242a51c7c954e196d4ffea5ebe9c776b350af53aa6321cf4a
SHA512 d3f8085808dae3346a3c3d8a3d5d74dbc73c9ddbb1024a405b069f34b351a9b4f0f5486ca035fc5bb39356230b9446d6731e3e86e38d5511dfb3aab609f5eceb
-
Filesize 581KB
MD5 d043fcd22001a5a90dd80ca8a5ace819
SHA1 bfe8c323d5a07fa9eaa319a00517bc8c6c81ae9c
SHA256 353af9c878ccf7cc9286736892580cafddf0fb52394a911ee8bb595b3092d77f
SHA512 618546815332fc93b0ac9d50c011f8be815dece956559a17ccd1a2278d8bfe04cb3e1b1bb1a0e1b58a2f7f03652c58576955cf7c694f423305438f1273746a25
-
Filesize 581KB
MD5 870a87f50da76d25b7317de2ac7a188c
SHA1 4bf509527283bfaabb345376b1cbc5f0c911a9dc
SHA256 10d677eaa8fc0fff6f49be18062e4764c4427b13d88a4be11aba47a9ae89bd7c
SHA512 c6c025dd1c973842fc0ee03efa67afa9761a893cda61946b498f4174ac6bbb66786dab20f242d137c253fcca3f29e567407ea45330e54786927ef065f388643c
-
Filesize 581KB
MD5 185a20f7b003b415e4613d16fb715c06
SHA1 7ddbd1f2399793ca2c3a07059a696143539bf02f
SHA256 78ee0baaf1b3f884ec4bf8dc6179308921485b6814df781881f00df42fa08618
SHA512 dd97210a3862a6f7482e2ae9fa2937252dd89de0791d026384ee43a5e66be45102ae43a7c0f7eaeb048fdba4071573dcfd4916c298725354ded30320268e99be
-
Filesize 581KB
MD5 8fd63c3540db11cfef1345eff32b7551
SHA1 fbcc87380a495a0e7a131cff6eb93a4bc49fc9c2
SHA256 b1e9882da8505e1cdc72b3f7007ae31aec8f5a3dec4187c0fdaea2f395b97045
SHA512 09b18700b77adda98607215eb8a453ba95f5a111457abd494208663d54be26a680fce4b65c929bd2584ae7a53acc2cd6f8ef819d5add5dc0393f0759b8b5a530
-
Filesize 696KB
MD5 781f8e4a8df586d8997fb9a16c0d090e
SHA1 ae2dd1994e7dbce54b1a75b1d5acc4397bd3c27e
SHA256 99d34e9fd71573bd1ae90519d0be281a23686120f63c7c1fe12460e1063e6b15
SHA512 1f79960510fec572ebad1a1d359b1b1dc5804a908570fe7a19fc557df83c7821060ff355b50e882e15a4d3a9b35235e1d50a28ad71f0b08b8b7fb1b41fa0ae27
-
Filesize 588KB
MD5 b969b59aaeedf5c01b455a65006a1bb8
SHA1 b91ce6d2408c4d9a828874422c961cbd421c947f
SHA256 5b29cb2dbd1cbcb880fe221b89e8fc4ffb81b3ccbf756bc41f346b3e58ccc73e
SHA512 c69702ea81db649969038b5c0f0988cd7f0ccc676e2f398f431d0839ce5060ce6482b8c08bc11971adff47e2c5489de525f471a0ed06cd427ce83836cf247600
-
Filesize 1.7MB
MD5 b3149dc6513d586cda71666bb89746bd
SHA1 d3545c1abf23c223d86625765a124d82331c7e58
SHA256 41c755670b96e151a3fc5735ee290da76f4ec36da04eed32222596431846a13a
SHA512 38e53c54e6b12ca4fa9094468df011e74531c0d837825a8249af64fb8814cdbda8dc125a0dc9a9eb41a9aeb30934f7776a260320a2621ce9739365df2f1ac3f9
-
Filesize 659KB
MD5 b575133dfaf593e98adf37645954a924
SHA1 f19a62b9259f1cd3b5fa2ca4eee7b2bbd9e22c34
SHA256 27b7d11a59621901225064b3d82a15d9db7ceb85c16fc6987d9d020fd67bd9de
SHA512 e9bf77a646d028c7fa82eff470d12eed13631de7bbdc2fbf048441c5847141993187bd2d7d4558e2e3b911b0e4b90f4d0ed5dcffd2c4130dc8ddd79257e397c3
-
Filesize 1.2MB
MD5 0e2ae53b3e1cd002bb98d6af20c4346f
SHA1 cbdc0868c4a3047411a6a8307bff1d7b6f47ad72
SHA256 e6e4fde8ff74e8c41fe19a5503f5df8a6b2ed9c6357d9d9cc5071fd6c8e31746
SHA512 6b9ba2dbd748c52da30cca422f5b775e68566c22c789cbc8f0e4a3476dffc2c0c949f2c7c451febd5aa13b8df242a5f8ce76091c101ea6ced23d03f64a8f915c
-
Filesize 578KB
MD5 f0662c21340ef9d30c40c0140d2e9918
SHA1 8609eafbf890dc46b9da7a3036824b0865ed070f
SHA256 267a81bbe7c734dbfac63968e6d85323c93c64e70a5c708dd262897e1ade3dd2
SHA512 507e30902bc9d4d7391ad7b1fea4e61c3f53c4ce3c0a3148b08f8158c6ff8c983bc82de9944ee3aee45d7c0b301a5fe280c2a1972fd203d2c2339e0885c3d71d
-
Filesize 940KB
MD5 a54ab6b19bc5b1f01511997596991222
SHA1 2fe26cecd5b01a8d54be0004a5ccda6e673f9434
SHA256 f84eb316666d63937b4cfae619396052c4aaa0e8579f2c1f8ffcaafd426639f3
SHA512 a8331728bf23f3d183b31a845faaed7b2be84d98f13fafb7521ecc8e360e3cd4de9fb4d3604a0484433d106941bf375854868f2e8653f04958f0af5e83b8e558
-
Filesize 671KB
MD5 f9538ca5136cd4c819b15ff39d188d2d
SHA1 b1cef5878fe6a93f371a9c3393656d24c1062aa7
SHA256 71a7c66982a1fbdece41193e9e81d84e512d3f69e14fce490dc0049f8a9420a3
SHA512 8ddbc738fe1b825f80475a1480fbb1dc949b9a8e1d3ea7854fa7ee8fa26f4815532eeff944af51932e85a707798177fcf6db8ca97fdf34cae5616d9dc51943fa
-
Filesize 1.4MB
MD5 c66c8f6a453eb6c8b9ac655596746001
SHA1 52ca3a0eede17135d19c803c3a03b020b574b4d9
SHA256 5daddafd0180f3f6363be872df898474795b95a38705203fc52bc630fec3aab9
SHA512 3606f4e20316991193fb7bf4d7b05be0727670fc7db3db092dc89de59fbd5e23a56b0093c68d30f75efbc7852ee1929364c216a5e384b977401898626813d604
-
Filesize 1.8MB
MD5 09c903536b9ca609dbf62b22392ef4ac
SHA1 12482a98c10948dc92b59c5e1c58ec7b28d28f43
SHA256 b7a98d43b76f39a2509ab89255c16086de8711410d917fd648a17cddb085c6b0
SHA512 49ee00738ccbdf7fbf7cd75ebf11f91b0d526344fe73ff375ffc522c76825dd9f8941357ddd1751f93c3c7cac1d897d70c42292530af0702e053ac02c6bc18cd
-
Filesize 1.4MB
MD5 6769522850134be3a33451d83493b986
SHA1 729835136f98db4d8340b432812b329f23baa035
SHA256 3381664de0730a12bfe4c61dd8d6e3d226108c1835a6aebe61f10b6ea733b5af
SHA512 46b8454dac983dd04ceb6bacfe1655b87b847bcc70f0d26b7935bd3fb4405c4246a31a9979c8a1491256ba5005ce4dc93bc460fe757a37a06e3edb2bf7bbaca4
-
Filesize 885KB
MD5 f6305519f826bf055ebfe623688d935a
SHA1 0fb7c29301439e133132e88c7e6de327a2bf5f9e
SHA256 82133232cab82e3c099df49bd200a449aafa275deaa5ec55270feee3799b894c
SHA512 377999df57f72cd42c98ef7f69b5d46a1327411ec54c504a35af03e4bc38c64f9830cedc75edeee6b566d9519b84825de5ddd55698217fe3c7276a680488f249
-
Filesize 2.0MB
MD5 f134e94b3fa4a3c627dc42569c06cd37
SHA1 79dc6ee7fcfec176c4d472375c4b584a6d537491
SHA256 35a41f84c6f9d13b59f6e32f0505d519f8d14258e5943331e84bfb9cee43e57e
SHA512 a87eeb32a46e2aeff3b5c6a9226e9d004482c4289cd4d4cad0bca9442c9b869f6178cc1051e9144c72ff8ae278adbbcc99af145db25861fdce01cd56774e2789
-
Filesize 661KB
MD5 45e79f868bb635d1b706292486d151a8
SHA1 e831d7f853511064d5d06f8775ca053864a6fc28
SHA256 fd4559178614925ab260ce107481872015a7fce98b77a85867189c2990a7b117
SHA512 dce71732a5337d244aad205c66eabbc02c576858e76edff10d0f84d5779cc0ec37c758d90965810176ed412934cfc07f10942cbdcd6e85ec3c0710f6e3013194
-
Filesize 712KB
MD5 52e1679e3fa1500103033b0b9452005e
SHA1 75186d174a84470551a998d2a42d999b82846e0d
SHA256 c2eefc1fc9c78b853f2446621cb1691e2363e9123b6906a0bf1f038ddb858424
SHA512 9c506add4be41388a0810345fcf377a8a269c07776d55560ecf391b4fc4b534d58b242e111b37ae25fc22375490334ad1685927aba86f45fc0c229310a0b5650
-
Filesize 584KB
MD5 f044e19bf97cf2836f05b2500c53b5de
SHA1 2bcd4b05e6aa1ce2c002d5566cb0d9b59bf54779
SHA256 87b434a59ea415c1d37f9d92f65045cc819743faf5cd252f845766d3ae52515d
SHA512 5e87c844201a9a624629e0f227dc787632d2a6cc22813b48f060838735e1d8fdfb2c0f30ee09e726c3c5805e91b49130febec491d847bbacf2870f2b32bf4191
-
Filesize 1.3MB
MD5 4b5519f9401a8f77a5f735a97eb9d599
SHA1 0caf5d9287458e0d526b570a135e9665381d6598
SHA256 dec1d96cb4f4ddfc99bd5a256bbad899841656adb8814ae1e6b78935205e27be
SHA512 0007e28dc82d41b45dafcc57e78da4189e7ad3ee3f32e8e368df14c5a7ea3b88c824e4dd2216110cf0217fda49e9c3f9550b17e6466a841619097a4bd933ce39
-
Filesize 772KB
MD5 919e8d030cab20e97f617bdbdcd825a1
SHA1 2e9f7826278c3cf5dc9fe9a5ed8db5edd93f157b
SHA256 424eb510c908f78d67971b6820110f063b1a2309407f2cceffef6f3ff8611a6a
SHA512 d9145635c822a23fb5eed2058358d09ddd9e4b5ad6ee30c5aa02432bbe90b72fae0f7831cff9a235b0fbaa5b33a4a9c38d218e489d0b3aa49a46e1f05da50298
-
Filesize 2.1MB
MD5 9cf41ada8a348a87db48e0bfa6172bbe
SHA1 3b3634900498e13f56831c414994457beb6ded67
SHA256 de8c55c436ddce84483581a8dc314a05deb69d9e8bddbf9a5ab32e06dcafe12a
SHA512 ca15d45fe9789255e2c1994454f1dff1941c6dc123d7b3584e4135f761767b9cce5cf03904e0a5fbce286ca3de4dcbfa7ea1ca82fc68774468e0de3693fc042e
-
Filesize 5.6MB
MD5 f3f61fa2e13df49c5ea5bf7cea7cfa16
SHA1 f516deea2ed3b15f17d5047e150283209b949555
SHA256 5e4c7e2ceb025e1be670893b0592beed36acd635a66df3a790ea425ffdeab6a0
SHA512 01825ea50c3a0cce37b7939d6d3cac2e40bfeb82ec7847c128b975985844a665fdc94fb1151d12a372d6e33d2ecf9fb7c670923f00c363088fe856a58062a311
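The list above is the page's own IOC material, but as extracted from reports of this kind the digest label is often fused to its value (the algorithm name followed directly by the hex), which makes cutting and pasting into a blocklist error-prone; splitting on the label alone is ambiguous because "SHA1" is a prefix of "SHA1..." digests as well as of nothing else, while "SHA512..." must not be read as "SHA1" + "512...". The following is an added example, not code from the sandbox or from the sample, that parses the list whether or not the labels are separated, validates each digest's length for its algorithm, and hashes local files against the result, matching on the strongest digest first. The two embedded entries are copied from the first two files listed above; the function and type names are the example's own, and the command-line usage (paths to check as arguments, such as the service binaries named in the process tree) is an assumption about how you would run it on a suspect host.

```python
"""Parse a Triage-style "Downloads" hash list into IOC records and check files against it.

Added example, not code from the sandbox or the sample. The report prints each
captured file as a "Filesize" line, a size, and one line per digest in which the
algorithm label may be fused to the hex value ("MD51b569d..."). The parser matches
the longest label first and then checks the digest length for that algorithm.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest label first: "SHA5127535..." must become SHA512 + "7535...", not SHA1 + "5127535...".
_DIGEST_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")
_SIZE_LINE = re.compile(r"^Filesize\s*(.*)$")


@dataclass
class Artifact:
    size: str
    digests: dict[str, str] = field(default_factory=dict)


def parse_downloads(text: str) -> list[Artifact]:
    """Return one Artifact per "Filesize" block; raise on a digest of the wrong length."""
    lines = [ln.strip() for ln in text.splitlines()]
    artifacts: list[Artifact] = []
    current: Artifact | None = None
    i = 0
    while i < len(lines):
        size = _SIZE_LINE.match(lines[i])
        if size:
            value = size.group(1).strip()
            if not value and i + 1 < len(lines):  # size printed on the following line
                i += 1
                value = lines[i]
            current = Artifact(size=value)
            artifacts.append(current)
        else:
            digest = _DIGEST_LINE.match(lines[i])
            if digest and current is not None:
                algo, hexval = digest.group(1).lower(), digest.group(2).lower()
                if len(hexval) != DIGEST_LEN[algo]:
                    raise ValueError(f"{algo} digest has {len(hexval)} hex chars, expected {DIGEST_LEN[algo]}")
                current.digests[algo] = hexval
        i += 1
    return [a for a in artifacts if a.digests]


def index_by_digest(artifacts: list[Artifact]) -> dict[tuple[str, str], Artifact]:
    """Map (algorithm, hex digest) -> Artifact for constant-time lookups."""
    return {(algo, hexval): art for art in artifacts for algo, hexval in art.digests.items()}


def hash_bytes(data: bytes) -> dict[str, str]:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Stream a file through all four digests at once (the files listed here reach 24 MB)."""
    hashers = {algo: hashlib.new(algo) for algo in DIGEST_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def find_match(digests: dict[str, str], index: dict[tuple[str, str], Artifact]) -> tuple[Artifact, str] | None:
    """Return (artifact, algorithm) for the strongest digest that matches, else None.
    MD5 and SHA-1 are collision-prone, so report which algorithm produced the hit."""
    for algo in ("sha512", "sha256", "sha1", "md5"):
        hexval = digests.get(algo)
        if hexval and (algo, hexval) in index:
            return index[(algo, hexval)], algo
    return None


# Two entries copied from the report's Downloads list: the first in the fused
# form the extracted page uses, the second with the labels already separated.
SAMPLE = """\
Filesize
2.1MB
MD51b569d7d75b491c792ba2ce0c9439d0b
SHA119135879514e0380d55a18de06b41f15dcbc601b
SHA256a4ae1719865b653f23c53cb3ee1e1be29d77936030f155e17cbb2c9b6531cee0
SHA5127535ca6e20b6836993950ff4ede86c2682888705e61d71c42d136dba83f7c039b795a56aceac4a0a1c862622fe8196913c236d4155b65402ef854fdb451b26b3
-
Filesize 781KB
MD5 a1b9c9f7ed8f69362c1bd66fc94c5968
SHA1 3da06dd6538060bcb167e964ebb497b421b4747d
SHA256 8c1b819aefe1c2db12ccd85bb171c8a51402cf9201beeea0c673e7fd21c42d3a
SHA512 fa27ee9e3265f22fb37d8af574109b72355d77ffb152b3b5fd775bcf255d73ff563fd85a12bc2e6eba49c66c7ab2ac888904cc7fc05614ea306566bf448a04e1
"""

if __name__ == "__main__":
    import sys
    iocs = index_by_digest(parse_downloads(SAMPLE))
    for path in sys.argv[1:]:  # assumed usage: paths of the service binaries named in the tree
        hit = find_match(hash_file(path), iocs)
        print(f"{path}: {'MATCH via ' + hit[1] if hit else 'no match'}")
```

To use it against the full list, paste the whole Downloads section into `SAMPLE` or read it from a file; the length check will reject any digest that lost or gained a character in copying, which is the failure this format invites.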