Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
07-04-2024 23:26
Static task
static1
General
-
Target
2024-04-07_39ba9ddbb084defc9a20778e9d8c3cd7_ryuk.exe
-
Size
2.1MB
-
MD5
39ba9ddbb084defc9a20778e9d8c3cd7
-
SHA1
063cfca8595a9a6e2e3141053a1374f3a0c5a7f8
-
SHA256
f4803378bd47f1b4f02da35eaf8e9e6f13dade4c547e75eb23594fd476ddd872
-
SHA512
9dc1fb592900fb3eb59c24f567ef9e606f603afdb7383a5ca7aa052f1e8c38652c55000cbf91dfcab3c3891f084dea5c4964ccc44b176b64dc49396307004a1e
-
SSDEEP
24576:9F//2iIWsXXrL87q55x8IJFIQlEzn5wqyH6N8QCt8RnXZ41Vi5ELpujFY:9F/XIWsX/N53yQlEbKqyHpKpv5Yu5
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
All 22 processes are service executables that ship with Windows or with installed software (for example Mozilla's maintenanceservice.exe and Chrome's elevation_service.exe), running from their normal install paths. Read together with the file-drop signatures below (the sample opens C:\Windows\System32\alg.exe for modification; alg.exe and elevation_service.exe then open further service executables for modification), the "dropped" executables are existing binaries modified in place rather than new files written to disk, so each later service start runs the modified code.
Processes: alg.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
4556 | alg.exe
728 | elevation_service.exe
4148 | elevation_service.exe
3292 | maintenanceservice.exe
2784 | OSE.EXE
1356 | DiagnosticsHub.StandardCollector.Service.exe
1336 | fxssvc.exe
4764 | msdtc.exe
4752 | PerceptionSimulationService.exe
4640 | perfhost.exe
2692 | locator.exe
4324 | SensorDataService.exe
652 | snmptrap.exe
4860 | spectrum.exe
4628 | ssh-agent.exe
4492 | TieringEngineService.exe
1888 | AgentService.exe
3464 | vds.exe
4928 | vssvc.exe
4804 | wbengine.exe
5108 | WmiApSrv.exe
3768 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. The report attributes no file or registry IoC to a specific process for this signature; treat it as a behavioural hint rather than a confirmed credential-theft action.
-
Drops file in System32 directory 24 IoCs
Processes: elevation_service.exe, msdtc.exe, 2024-04-07_39ba9ddbb084defc9a20778e9d8c3cd7_ryuk.exe, alg.exe
description | ioc | process
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-07_39ba9ddbb084defc9a20778e9d8c3cd7_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\5d362878c4fd1e7a.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
-
Drops file in Program Files directory 64 IoCs
Processes: alg.exe, elevation_service.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77625\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | elevation_service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | elevation_service.exe
-
Drops file in Windows directory 2 IoCs
Processes: elevation_service.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
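The three file-drop signatures above and "Executes dropped EXE" together show the sample opening C:\Windows\System32\alg.exe for modification, alg.exe writing a .bin under the SYSTEM profile, and elevation_service.exe opening two dozen service binaries in System32 and the Windows directory for modification before those same binaries run. The first check on a suspected host is therefore whether those binaries still carry a valid Microsoft signature. The PowerShell below is an added triage example, not part of the sandbox report: the path list is copied from the report's IoCs, the dropped-file path is the one alg.exe wrote, and the output layout and the "signed by Microsoft" filter are this example's own choices.

```powershell
# Added triage example: verify the Authenticode status of the service binaries the
# report shows being opened for modification, and look for the payload alg.exe
# wrote under the SYSTEM profile. Run from an elevated PowerShell on the host.

# Paths taken from the report's "Drops file in System32 / Windows directory" IoCs.
$targets = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\System32\spectrum.exe',
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\AppVClient.exe',
    'C:\Windows\System32\fxssvc.exe',
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\System32\locator.exe',
    'C:\Windows\System32\wbem\WmiApSrv.exe',
    'C:\Windows\SysWow64\perfhost.exe',
    'C:\Windows\System32\SearchIndexer.exe',
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\System32\AgentService.exe',
    'C:\Windows\System32\wbengine.exe',
    'C:\Windows\System32\dllhost.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Windows\System32\msiexec.exe',
    'C:\Windows\System32\SgrmBroker.exe',
    'C:\Windows\System32\TieringEngineService.exe',
    'C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe'
)

# File alg.exe opened for modification in the report.
$dropped = 'C:\Windows\System32\config\systemprofile\AppData\Roaming\5d362878c4fd1e7a.bin'

$results = foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $path   # checks embedded and catalog signatures
    [pscustomobject]@{
        Path      = $path
        Status    = $sig.Status                          # 'Valid' for an intact Windows binary
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        LastWrite = (Get-Item -LiteralPath $path).LastWriteTimeUtc
    }
}

# A modified binary typically shows HashMismatch (embedded signature) or NotSigned
# (catalog-signed file whose hash is no longer in any catalog). Anything not Valid,
# or valid but not chaining to Microsoft, is pulled for analysis.
$suspect = $results | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
$suspect | Format-Table Path, Status, Signer, LastWrite -AutoSize

if (Test-Path -LiteralPath $dropped) {
    Write-Warning "Dropped payload present: $dropped"
    Get-FileHash -LiteralPath $dropped -Algorithm SHA256
    Get-Item -LiteralPath $dropped | Select-Object Length, CreationTimeUtc, LastWriteTimeUtc
}
```

Get-AuthenticodeSignature honours catalog signatures on Windows 8.1 and later, which is what most System32 binaries rely on; `sfc /verifyfile=<path>` gives an independent second opinion for each flagged file. The Program Files targets in the next signature (Java, Adobe, Google, 7-Zip, dotnet) can be run through the same loop, but the signer filter must then match the respective vendor, or the hash should be compared against a known-good copy from the vendor's installer.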
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments. Note that both processes attributed here, SensorDataService.exe and spectrum.exe, are Windows service binaries that the sample modified and that then started; reading the SCSI enumeration tree is also part of ordinary device enumeration, so on its own this is weak evidence of evasion by the sample. The Ven_Msft / Prod_Virtual_DVD-ROM entries identify a Microsoft virtual DVD drive, which is the kind of string such checks look for.
Processes: SensorDataService.exe, spectrum.exe
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\; the ioc column gives the remainder of the path.
description | ioc | process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. The only process attributed here is TieringEngineService.exe, a Windows service binary the sample modified and that then started; reading the CPU clock (~MHz) is also ordinary service behaviour, so weigh this the same way as the SCSI reads above.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
All of these writes land under the .DEFAULT hive (the SYSTEM account's profile) and come from the Windows Search services (SearchFilterHost.exe, SearchProtocolHost.exe, SearchIndexer.exe) and the Fax service (fxssvc.exe): MuiCache display strings, shell-extension cache timestamps and FileExts keys. These are the normal first-run writes of those services under the service account, and they appear here because the sample modified and restarted the service binaries; none of the values is a persistence entry for the sample.
Processes: SearchFilterHost.exe, SearchIndexer.exe, SearchProtocolHost.exe, fxssvc.exe
All keys are under \REGISTRY\USER\.DEFAULT\; MuiCache below stands for Software\Classes\Local Settings\MuiCache\22\52C64B7E.
description | ioc | process
Key created | Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | MuiCache\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e4c10394389da01 | SearchProtocolHost.exe
Set value (str) | MuiCache\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Set value (str) | MuiCache\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b355a394389da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | MuiCache\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a89dff384389da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | MuiCache\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | MuiCache\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | Software | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5f95e394389da01 | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | MuiCache\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | MuiCache\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba80a6394389da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ca98e394389da01 | SearchProtocolHost.exe
Set value (str) | MuiCache\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | MuiCache\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a6f74394389da01 | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd983d394389da01 | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: elevation_service.exe
pid process
728 elevation_service.exe (7 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
672
672
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes: 2024-04-07_39ba9ddbb084defc9a20778e9d8c3cd7_ryuk.exe, alg.exe, elevation_service.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe
description pid process
Token: SeTakeOwnershipPrivilege 1600 2024-04-07_39ba9ddbb084defc9a20778e9d8c3cd7_ryuk.exe
Token: SeDebugPrivilege 4556 alg.exe (3 occurrences)
Token: SeTakeOwnershipPrivilege 728 elevation_service.exe
Token: SeAuditPrivilege 1336 fxssvc.exe
Token: SeRestorePrivilege 4492 TieringEngineService.exe
Token: SeManageVolumePrivilege 4492 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1888 AgentService.exe
Token: SeBackupPrivilege 4928 vssvc.exe
Token: SeRestorePrivilege 4928 vssvc.exe
Token: SeAuditPrivilege 4928 vssvc.exe
Token: SeBackupPrivilege 4804 wbengine.exe
Token: SeRestorePrivilege 4804 wbengine.exe
Token: SeSecurityPrivilege 4804 wbengine.exe
Token: 33 3768 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3768 SearchIndexer.exe (24 occurrences)
Token: SeDebugPrivilege 728 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: SearchIndexer.exe
description pid process target process
PID 3768 wrote to memory of 1404 3768 SearchIndexer.exe SearchProtocolHost.exe (2 occurrences)
PID 3768 wrote to memory of 4732 3768 SearchIndexer.exe SearchFilterHost.exe (2 occurrences)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_39ba9ddbb084defc9a20778e9d8c3cd7_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_39ba9ddbb084defc9a20778e9d8c3cd7_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 1600
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID: 4556
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 728
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 4148
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 3292
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 2784
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 1356
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 3844
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1336
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 4764
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 4752
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 4640
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 2692
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4324
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 652
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4860
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 4628
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 868
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 4492
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1888
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 3464
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4928
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4804
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 5108
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3768
  Child process of SearchIndexer.exe (PID 3768):
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 1404
  -
  Child process of SearchIndexer.exe (PID 3768):
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID: 4732
  -
-
Network
MITRE ATT&CK Enterprise v15
Downloads