Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 23:37
Static task: static1
General
Target: 2024-04-07_d91d1258595cdf43a622e1c33eaef564_ryuk.exe
Size: 1.8MB
MD5: d91d1258595cdf43a622e1c33eaef564
SHA1: f516ca98f52e5444bf77ee0c0d415b174f2c15d2
SHA256: e1dc43555b71318989424bd9c4b8099f81d69123e21da70530703b50e7d49c3d
SHA512: 1908a1d3cf0b8c3026533a18c8f9c435656af421bdc375f0d7045b4c3e49367a39f60173034302de265c9deb9dc7a2462681d6154e211410e5c7cdd4790e2252
SSDEEP: 24576:enXKjx1jWeJzGczd89ell4gMJGwInB09Vc1VIKCt8RnXZ41Vi5ELpujFY:enXA1tGczd8q7MgwuVEKpv5Yu5
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Processes:
pid   process
948   alg.exe
4752  elevation_service.exe
436   elevation_service.exe
2192  maintenanceservice.exe
3552  OSE.EXE
4628  DiagnosticsHub.StandardCollector.Service.exe
4828  fxssvc.exe
836   msdtc.exe
4544  PerceptionSimulationService.exe
2500  perfhost.exe
2000  locator.exe
4264  SensorDataService.exe
1648  snmptrap.exe
3588  spectrum.exe
1240  ssh-agent.exe
4968  TieringEngineService.exe
1992  AgentService.exe
4588  vds.exe
512   vssvc.exe
2772  wbengine.exe
3848  WmiApSrv.exe
2024  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, such as saved credentials.
Drops file in System32 directory (24 IoCs)
Processes: alg.exe, elevation_service.exe, 2024-04-07_d91d1258595cdf43a622e1c33eaef564_ryuk.exe, msdtc.exe
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe, elevation_service.exe
Drops file in Windows directory (2 IoCs)
Processes: elevation_service.exe, msdtc.exe
description                   ioc                                                                      process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description        ioc                                                                    process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchIndexer.exe, SearchFilterHost.exe, fxssvc.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid   process
4752  elevation_service.exe
4752  elevation_service.exe
4752  elevation_service.exe
4752  elevation_service.exe
4752  elevation_service.exe
4752  elevation_service.exe
4752  elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid   process
656
656
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
description                           pid   process
Token: SeTakeOwnershipPrivilege       3436  2024-04-07_d91d1258595cdf43a622e1c33eaef564_ryuk.exe
Token: SeDebugPrivilege               948   alg.exe
Token: SeDebugPrivilege               948   alg.exe
Token: SeDebugPrivilege               948   alg.exe
Token: SeTakeOwnershipPrivilege       4752  elevation_service.exe
Token: SeAuditPrivilege               4828  fxssvc.exe
Token: SeRestorePrivilege             4968  TieringEngineService.exe
Token: SeManageVolumePrivilege        4968  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  1992  AgentService.exe
Token: SeBackupPrivilege              512   vssvc.exe
Token: SeRestorePrivilege             512   vssvc.exe
Token: SeAuditPrivilege               512   vssvc.exe
Token: SeBackupPrivilege              2772  wbengine.exe
Token: SeRestorePrivilege             2772  wbengine.exe
Token: SeSecurityPrivilege            2772  wbengine.exe
Token: 33                             2024  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege     2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2024  SearchIndexer.exe
Token: SeDebugPrivilege               4752  elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                       pid   process            target process
PID 2024 wrote to memory of 864   2024  SearchIndexer.exe  SearchProtocolHost.exe
PID 2024 wrote to memory of 864   2024  SearchIndexer.exe  SearchProtocolHost.exe
PID 2024 wrote to memory of 4292  2024  SearchIndexer.exe  SearchFilterHost.exe
PID 2024 wrote to memory of 4292  2024  SearchIndexer.exe  SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_d91d1258595cdf43a622e1c33eaef564_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-07_d91d1258595cdf43a622e1c33eaef564_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3436
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:948
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:436
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2192
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3552
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4628
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4640
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:836
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4544
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2500
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2000
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4264
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1648
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3588
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1240
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1144
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4968
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4588
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:512
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3848
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
  C:\Windows\system32\SearchProtocolHost.exe (child of PID 2024)
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:864
  -
  C:\Windows\system32\SearchFilterHost.exe (child of PID 2024)
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:4292
-
Downloads