Analysis
  max time kernel:   150s
  max time network:  156s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240226-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         07-04-2024 23:37

Static task:       static1
Behavioral task:   behavioral1
Sample:            2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk.exe
Resource:          win7-20240221-en
General
  Target:  2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk.exe
  Size:    1.8MB
  MD5:     edc1a0695c73b670a44f388e57dfdcf9
  SHA1:    1f1d6f94276f14947a700e69c60884d97c773ff4
  SHA256:  f20991ed2a4ac1589ee48df5901f66ee96e7d01a741c07b001ae640029143554
  SHA512:  243ff57e5543bfedd3585319c8e0c8b3dac3a0473c4f61410e6cb6179ebdf4fd61d3b721508b499f15e9dfde6c3a000d6bc5aa4da6c024ee8cc73beb04630c84
  SSDEEP:  24576:gRJwoKtvzDckUJWHxUDreC0KB/5geVv+vVCt8RnXZ41Vi5ELpujFY:gRJwF5vc5JoxWNhEMvXKpv5Yu5
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes:
  pid   process
  4024  alg.exe
  1988  elevation_service.exe
  3864  elevation_service.exe
  2424  maintenanceservice.exe
  3580  OSE.EXE
  1348  DiagnosticsHub.StandardCollector.Service.exe
  1108  fxssvc.exe
  4124  msdtc.exe
  4248  PerceptionSimulationService.exe
  4964  perfhost.exe
  5076  locator.exe
  4560  SensorDataService.exe
  1160  snmptrap.exe
  392   spectrum.exe
  800   ssh-agent.exe
  1340  TieringEngineService.exe
  1648  AgentService.exe
  3240  vds.exe
  2440  vssvc.exe
  4784  wbengine.exe
  1052  WmiApSrv.exe
  4688  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Drops file in System32 directory 24 IoCs
Processes: elevation_service.exe, 2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk.exe, msdtc.exe, alg.exe
Drops file in Program Files directory 64 IoCs
Processes: alg.exe, elevation_service.exe, maintenanceservice.exe
Drops file in Windows directory 2 IoCs
Processes: elevation_service.exe, msdtc.exe
  description                  ioc                                                                        process
  File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe   elevation_service.exe
  File opened for modification C:\Windows\DtcInstall.log                                                 msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
  description        ioc                                                                     process
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe, fxssvc.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
elevation_service.exepid process 1988 elevation_service.exe 1988 elevation_service.exe 1988 elevation_service.exe 1988 elevation_service.exe 1988 elevation_service.exe 1988 elevation_service.exe 1988 elevation_service.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 652 652 -
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exedescription pid process Token: SeTakeOwnershipPrivilege 2724 2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk.exe Token: SeDebugPrivilege 4024 alg.exe Token: SeDebugPrivilege 4024 alg.exe Token: SeDebugPrivilege 4024 alg.exe Token: SeTakeOwnershipPrivilege 1988 elevation_service.exe Token: SeAuditPrivilege 1108 fxssvc.exe Token: SeRestorePrivilege 1340 TieringEngineService.exe Token: SeManageVolumePrivilege 1340 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 1648 AgentService.exe Token: SeBackupPrivilege 2440 vssvc.exe Token: SeRestorePrivilege 2440 vssvc.exe Token: SeAuditPrivilege 2440 vssvc.exe Token: SeBackupPrivilege 4784 wbengine.exe Token: SeRestorePrivilege 4784 wbengine.exe Token: SeSecurityPrivilege 4784 wbengine.exe Token: 33 4688 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe 
Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4688 SearchIndexer.exe Token: SeDebugPrivilege 1988 elevation_service.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exedescription pid process target process PID 4688 wrote to memory of 2160 4688 SearchIndexer.exe SearchProtocolHost.exe PID 4688 wrote to memory of 2160 4688 SearchIndexer.exe SearchProtocolHost.exe PID 4688 wrote to memory of 2856 4688 SearchIndexer.exe SearchFilterHost.exe PID 4688 wrote to memory of 2856 4688 SearchIndexer.exe SearchFilterHost.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4024
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3864
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2424
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3580
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:81⤵PID:4920
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:1348
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:5104
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1108
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4124
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4248
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4964
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:5076
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4560
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1160
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:392
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:800
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:2292
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3240
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4784
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1052
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2160
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:2856
-
Network
MITRE ATT&CK Enterprise v15
Downloads