Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 20:02

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-07_755815c44f0b37a1ed240e0abae245b1_ryuk.exe
Resource: win7-20231129-en
General
Target: 2024-04-07_755815c44f0b37a1ed240e0abae245b1_ryuk.exe
Size: 1.8MB
MD5: 755815c44f0b37a1ed240e0abae245b1
SHA1: 5d7817fe97bf775840f4f6dae372f99ed066ba9e
SHA256: 52bd52ae39724516b54696430c8d0e57f7f8a00c33d4a8e95884edc1bbdb4224
SHA512: 55d9cf2d00d030dc140f0582c31640491531a20ef061e51eebd7b3dd733a295d5116ef7916fbb78fc49d6ab1ff5e64b8b79a418b065db5ce7c96b1b6d1d96867
SSDEEP: 24576:WKjdRz0DzOswhCw45fCpmALmQjdjIucF93i0MtHofe3y1sInB2COzRq8DvFqt:WKX0DzOswXkfymHQlIuQEP4suIRbDv
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes: alg.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
456 | alg.exe
5028 | elevation_service.exe
1480 | elevation_service.exe
4032 | maintenanceservice.exe
1772 | OSE.EXE
2616 | DiagnosticsHub.StandardCollector.Service.exe
1580 | fxssvc.exe
1940 | msdtc.exe
2204 | PerceptionSimulationService.exe
4004 | perfhost.exe
1672 | locator.exe
4772 | SensorDataService.exe
4604 | snmptrap.exe
4700 | spectrum.exe
4780 | ssh-agent.exe
1340 | TieringEngineService.exe
3124 | AgentService.exe
2004 | vds.exe
4988 | vssvc.exe
3352 | wbengine.exe
4944 | WmiApSrv.exe
1612 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Processes: elevation_service.exe, 2024-04-07_755815c44f0b37a1ed240e0abae245b1_ryuk.exe, msdtc.exe, alg.exe
description: File opened for modification (all 24 entries)
ioc | process
C:\Windows\system32\AppVClient.exe | elevation_service.exe
C:\Windows\system32\locator.exe | elevation_service.exe
C:\Windows\System32\snmptrap.exe | elevation_service.exe
C:\Windows\system32\AgentService.exe | elevation_service.exe
C:\Windows\system32\wbengine.exe | elevation_service.exe
C:\Windows\system32\dllhost.exe | elevation_service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
C:\Windows\system32\msiexec.exe | elevation_service.exe
C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
C:\Windows\System32\SensorDataService.exe | elevation_service.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
C:\Windows\system32\vssvc.exe | elevation_service.exe
C:\Windows\System32\alg.exe | 2024-04-07_755815c44f0b37a1ed240e0abae245b1_ryuk.exe
C:\Windows\system32\fxssvc.exe | elevation_service.exe
C:\Windows\System32\msdtc.exe | elevation_service.exe
C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
C:\Windows\System32\vds.exe | elevation_service.exe
C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\27bb9c8f822cf6b9.bin | alg.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
C:\Windows\system32\spectrum.exe | elevation_service.exe
C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
Drops file in Program Files directory 64 IoCs
Processes:
elevation_service.exe, alg.exe
Drops file in Windows directory 2 IoCs
Processes: msdtc.exe, elevation_service.exe
description | ioc | process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
SensorDataService.exe, spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
SearchFilterHost.exe, SearchProtocolHost.exe, fxssvc.exe, SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid process
5028 elevation_service.exe (this entry is listed 7 times)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid
672
672
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 3756 2024-04-07_755815c44f0b37a1ed240e0abae245b1_ryuk.exe
Token: SeDebugPrivilege 456 alg.exe
Token: SeDebugPrivilege 456 alg.exe
Token: SeDebugPrivilege 456 alg.exe
Token: SeTakeOwnershipPrivilege 5028 elevation_service.exe
Token: SeAuditPrivilege 1580 fxssvc.exe
Token: SeRestorePrivilege 1340 TieringEngineService.exe
Token: SeManageVolumePrivilege 1340 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3124 AgentService.exe
Token: SeBackupPrivilege 4988 vssvc.exe
Token: SeRestorePrivilege 4988 vssvc.exe
Token: SeAuditPrivilege 4988 vssvc.exe
Token: SeBackupPrivilege 3352 wbengine.exe
Token: SeRestorePrivilege 3352 wbengine.exe
Token: SeSecurityPrivilege 3352 wbengine.exe
Token: 33 1612 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1612 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1612 SearchIndexer.exe (this entry is listed 24 times, making up the 42 IoCs counted above)
Token: SeDebugPrivilege 5028 elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 1612 wrote to memory of 3240 1612 SearchIndexer.exe SearchProtocolHost.exe
PID 1612 wrote to memory of 3240 1612 SearchIndexer.exe SearchProtocolHost.exe
PID 1612 wrote to memory of 1696 1612 SearchIndexer.exe SearchFilterHost.exe
PID 1612 wrote to memory of 1696 1612 SearchIndexer.exe SearchFilterHost.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_755815c44f0b37a1ed240e0abae245b1_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_755815c44f0b37a1ed240e0abae245b1_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3756
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:456
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1480
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4032
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1772
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:2616
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1276
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1940
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2204
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4004
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1672
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4772
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4604
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4700
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4780
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4128
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3124
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2004
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4944
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
Child process of SearchIndexer.exe (PID 1612):
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:3240
Child process of SearchIndexer.exe (PID 1612):
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
- Modifies data under HKEY_USERS
PID:1696
Network
MITRE ATT&CK Enterprise v15
Downloads