Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 22:12
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
Size: 2.2MB
MD5: f1306023ad1c7828b15c02b02990711d
SHA1: bac1b2c69da71e36642b331cb9649f11460c5712
SHA256: 0014ef482273770f0f437d9f83bdcaec0136d63f6e70bea3f9e6dd8285c76fe3
SHA512: 94185f743a721aa2f82c2744004397d2da659de8acb003c889837a853409376c1c225f8a51965af622d3958ca1e3b00f469b128facb0b1b5d7c42d5026d45313
SSDEEP: 24576:eOObVw4TaN1wdkukCba4oXtgLhU3wEdmh58BTduSZpUR0GHrVQ1aW4mSOgv3isi:eOOh3aN4kuLbegmtGspAHrVQ1/fSNvi
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Every name here is a Windows or third-party service executable, and the "Drops file" sections below show many of the same paths being opened for modification, both by the sample itself and by processes that themselves appear in this list (elevation_service.exe, DiagnosticsHub.StandardCollector.Service.exe). That is why the sandbox attributes these service processes to the sample rather than treating them as ordinary system activity.
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
4932 | alg.exe
4572 | DiagnosticsHub.StandardCollector.Service.exe
2968 | fxssvc.exe
4004 | elevation_service.exe
3548 | elevation_service.exe
2836 | maintenanceservice.exe
4332 | OSE.EXE
3312 | msdtc.exe
1172 | PerceptionSimulationService.exe
3244 | perfhost.exe
3844 | locator.exe
1840 | SensorDataService.exe
684 | snmptrap.exe
3340 | spectrum.exe
4960 | ssh-agent.exe
2060 | TieringEngineService.exe
4940 | AgentService.exe
2940 | vds.exe
4592 | vssvc.exe
4048 | wbengine.exe
4112 | WmiApSrv.exe
4060 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (30 IoCs)
All but two of these targets are existing Windows service or host binaries (the exceptions are MSDTC.LOG and 9e5d87c4b4b1389a.bin); the .bin file under the LocalSystem profile's AppData\Roaming is the one path that is neither a pre-existing binary nor a log, and is the obvious artifact to retrieve from the sandbox for further analysis.
Processes: elevation_service.exe, 2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\9e5d87c4b4b1389a.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
All 64 targets are executables belonging to applications installed on the analysis image (Java, Chrome and Google Update, Firefox, Acrobat Reader, VLC, .NET, Office components, Internet Explorer); the two writers are service processes that themselves appear under "Executes dropped EXE". The list is capped at 64 entries by the report, so the real count may be higher.
Processes: DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe
description | ioc | process
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | elevation_service.exe
Drops file in Windows directory (2 IoCs)
Processes: msdtc.exe, elevation_service.exe
description | ioc | process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. Here the reads come from spectrum.exe and SensorDataService.exe, two of the System32 service binaries listed above as opened for modification, and the CdRom entry with Ven_QEMU&Prod_QEMU_DVD-ROM that both of them open and whose FriendlyName they query is a direct giveaway of a QEMU-hosted guest. The list is capped at 64 entries by the report.
Processes: spectrum.exe, SensorDataService.exe
All keys below are relative to \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\
description | ioc | process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. The only reader here is TieringEngineService.exe, another of the service binaries listed above as opened for modification, and the only value it queries is ~MHz (the reported CPU clock speed); on its own that is a weak indicator, since plenty of legitimate code reads the same value.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
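As an added worked example (not part of the sandbox output, and not code belonging to the sample or to the sandbox vendor), the following Python turns the flattened IoC records from the "Drops file" sections and from the SCSI and processor registry-check sections into something a responder can act on. It parses each "<action> <path> <process>" record, lists which binaries under \Windows\ or \Program Files\ were opened for modification and whether the same file name also appears under "Executes dropped EXE", and flags the registry reads that fit the two sandbox-detection signatures. The record shape it relies on (process name last, no spaces in it), the VM marker strings, and the handful of sample records embedded below are this example's own assumptions and constructed input, copied from the report so the output can be checked against the page.

```python
"""Triage helper for the flattened IoC records in this sandbox report.
Example code written for this page, not part of the sandbox output or of the
analysed sample. It assumes the record shape the report prints
("<action> <path> <process>", with the process name last and containing no
spaces) and uses a constructed handful of records copied from the report."""
import re
from typing import List, NamedTuple, Optional, Set, Tuple


class Ioc(NamedTuple):
    action: str
    target: str
    process: str


# Actions this example parses. "Set value (...)" records carry an "= value"
# tail and are deliberately out of scope here.
_ACTIONS = ("File opened for modification", "Key opened", "Key value queried")
_IOC_RE = re.compile(
    r"^(%s)\s+(.+)\s+(\S+)$" % "|".join(re.escape(a) for a in _ACTIONS))


def parse_ioc(line: str) -> Optional[Ioc]:
    """Split one flattened record into (action, target, process), or return
    None when the action is not one this example supports."""
    m = _IOC_RE.match(line.strip())
    return Ioc(*m.groups()) if m else None


def is_protected_binary(path: str) -> bool:
    """True for an .exe under \\Windows\\ or \\Program Files[ (x86)]\\: a
    location a non-installer process has no business writing to."""
    p = path.lower()
    return ("\\windows\\" in p or "\\program files" in p) and p.endswith(".exe")


def overwritten_then_executed(lines: List[str], executed: Set[str]) -> List[Tuple[str, str, bool]]:
    """Protected binaries some process opened for modification, cross-referenced
    with the lower-cased file names from the report's "Executes dropped EXE"
    list. Returns sorted (path, writing process, executed later) tuples."""
    rows = set()
    for line in lines:
        ioc = parse_ioc(line)
        if ioc and ioc.action == "File opened for modification" and is_protected_binary(ioc.target):
            name = ioc.target.rsplit("\\", 1)[-1].lower()
            rows.add((ioc.target, ioc.process, name in executed))
    return sorted(rows)


# Vendor/product strings under Enum\SCSI that give away a hypervisor or a
# synthetic drive (assumed marker list; the report shows QEMU and a Microsoft
# virtual DVD-ROM, the VMware/VirtualBox entries are added for completeness).
VM_MARKERS = ("ven_qemu", "prod_qemu", "ven_msft&prod_virtual", "ven_vmware", "ven_vbox")
CPU_KEY = "\\hardware\\description\\system\\centralprocessor\\"


def sandbox_probe_reads(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Registry reads matching the report's "checks SCSI registry key(s)" and
    "checks processor information" signatures, as (kind, process, key)."""
    hits = []
    for line in lines:
        ioc = parse_ioc(line)
        if not ioc or not ioc.action.startswith("Key"):
            continue
        key = ioc.target.lower()
        if "\\enum\\scsi\\" in key and any(m in key for m in VM_MARKERS):
            hits.append(("vm-device-enum", ioc.process, ioc.target))
        elif CPU_KEY in key:
            hits.append(("cpu-info", ioc.process, ioc.target))
    return hits


# Constructed sample: records copied verbatim from the report sections above.
SAMPLE_LINES = [
    r"File opened for modification C:\Windows\System32\alg.exe 2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe",
    r"File opened for modification C:\Windows\system32\fxssvc.exe elevation_service.exe",
    r"File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe elevation_service.exe",
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe",
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\9e5d87c4b4b1389a.bin DiagnosticsHub.StandardCollector.Service.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe",
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe',
]
# Lower-cased file names taken from the report's "Executes dropped EXE" list.
EXECUTED_DROPPED = {"alg.exe", "fxssvc.exe", "elevation_service.exe", "msdtc.exe",
                    "spectrum.exe", "sensordataservice.exe", "tieringengineservice.exe"}

if __name__ == "__main__":
    for path, writer, ran in overwritten_then_executed(SAMPLE_LINES, EXECUTED_DROPPED):
        print(("RAN  " if ran else "     ") + writer + " -> " + path)
    for kind, proc, key in sandbox_probe_reads(SAMPLE_LINES):
        print(f"{kind:15} {proc} {key}")
```

On the sample records, the first function reports alg.exe and fxssvc.exe as modified and later executed and firefox.exe as modified only, while the second flags the QEMU DVD-ROM and Microsoft virtual DVD-ROM reads and the ~MHz query; the Disk&Ven_DADY entry is not flagged because its vendor string is not a known hypervisor marker, which is exactly the kind of gap a detection rule based on this list needs to be aware of.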
Modifies data under HKEY_USERS (64 IoCs)
These are the MuiCache, shell-extension cache and Explorer FileExts keys that the Windows Search host processes (SearchIndexer.exe and its SearchProtocolHost.exe and SearchFilterHost.exe children) and the fax service populate under the LocalSystem (.DEFAULT) hive when they start; treat them as service start-up noise rather than as persistence by the sample. The list is capped at 64 entries by the report.
Processes: SearchFilterHost.exe, fxssvc.exe, SearchProtocolHost.exe, SearchIndexer.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a76054015a7da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aedcaa3f15a7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a862114015a7da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd89184015a7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bae5d4015a7da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002202f03f15a7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c01def4015a7da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
DiagnosticsHub.StandardCollector.Service.exe elevation_service.exe
pid process
4572 DiagnosticsHub.StandardCollector.Service.exe
4572 DiagnosticsHub.StandardCollector.Service.exe
4572 DiagnosticsHub.StandardCollector.Service.exe
4572 DiagnosticsHub.StandardCollector.Service.exe
4572 DiagnosticsHub.StandardCollector.Service.exe
4572 DiagnosticsHub.StandardCollector.Service.exe
4004 elevation_service.exe
4004 elevation_service.exe
4004 elevation_service.exe
4004 elevation_service.exe
4004 elevation_service.exe
4004 elevation_service.exe
4004 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 660 660 -
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes:
2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe fxssvc.exe DiagnosticsHub.StandardCollector.Service.exe elevation_service.exe TieringEngineService.exe AgentService.exe vssvc.exe wbengine.exe SearchIndexer.exe
description pid process
Token: SeTakeOwnershipPrivilege 220 2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
Token: SeAuditPrivilege 2968 fxssvc.exe
Token: SeDebugPrivilege 4572 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 4004 elevation_service.exe
Token: SeRestorePrivilege 2060 TieringEngineService.exe
Token: SeManageVolumePrivilege 2060 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4940 AgentService.exe
Token: SeBackupPrivilege 4592 vssvc.exe
Token: SeRestorePrivilege 4592 vssvc.exe
Token: SeAuditPrivilege 4592 vssvc.exe
Token: SeBackupPrivilege 4048 wbengine.exe
Token: SeRestorePrivilege 4048 wbengine.exe
Token: SeSecurityPrivilege 4048 wbengine.exe
Token: 33 4060 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4060 SearchIndexer.exe
Token: SeDebugPrivilege 4004 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 4060 wrote to memory of 2088 4060 SearchIndexer.exe SearchProtocolHost.exe
PID 4060 wrote to memory of 2088 4060 SearchIndexer.exe SearchProtocolHost.exe
PID 4060 wrote to memory of 2828 4060 SearchIndexer.exe SearchFilterHost.exe
PID 4060 wrote to memory of 2828 4060 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-15_f1306023ad1c7828b15c02b02990711d_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:220
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:4932
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2864
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3548
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2836
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4332
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3312
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1172
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3244
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3844
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1840
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:684
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3340
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4960
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:388
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2940
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4112
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060
    -
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:2088
    -
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    - Modifies data under HKEY_USERS
    PID:2828
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5ffba58681047c2855c93f534be7b0807
SHA16119c0108d13adf2de7da0edbe413e7ebf4692be
SHA2567312726c7538e13d0cff158188f236755ff82e045a1331506023317b3222f5ae
SHA512bd26ef29ef404c45fb22487ed82d92372781f09b160572c4f98d64cfe6559b79434cd26e2b571d5549934d3a20dadd8a6b6f84a3cd189d3a08c74aec8be6b32e
-
Filesize
797KB
MD5168601a070d0e2bacc765619ca958315
SHA1bcc450224e7f05db7652c818aa7ad7f2e9ab960c
SHA2564928d903c0dfc3e7210b7f228fb0c7ef37d3f28b503b445ab87efc0fc94cc549
SHA5121e6f07eb166b3e0eb5da90efbd9544aaa4fd3b8aa8f67d38eca9f98cf2620fd07665aaf59a544c8e528f59e8c0a485958014f0dd1c4146db516418fa12be108d
-
Filesize
1.1MB
MD52e32bf055cb6adf19507bc97506717ae
SHA1108cbf59ee11eaecfd43421b263ea7bce655a169
SHA256952a75633382e049e13ead087b83f600a0dfb509b32d79c1cf646d8371c2ad4c
SHA5129455356c7c18d9f6f5a522a6c93855b39310f89e7e68fe3057095d0727d4eaf926af99f0a90726852f31b31dd8f172936e4b2fdc6fa56efcf669af07e50d4172
-
Filesize
1.5MB
MD55dcb7de973893147110837021c85e953
SHA1e9b23382375ca2fcce1592734de49c3cdfd0cf4c
SHA2560f70774a0930b623bcb9612abdfffbd32246a8bdce03f02d9565f5a628370852
SHA512cf81f5a5a7250885344b5d5fc50c50bef198c586482c5bc25568cb3a2e752b324fd4d7de76f0ec9886ada598288f4a395ed272dfb34bd759de233eff9c405b2e
-
Filesize
1.2MB
MD5efbbcfd916593dd8d28bf323d77f5e4f
SHA15c940b93303ebd80b4642ac8008853189572cbc0
SHA256d33498dc76e2d9a1b3808b26e78533855f8bac2a3c37bc6a90c794e9eaa7261a
SHA512d67cdcad80f6b2ef9c90bca768b04a83b1852103424dfe264bf67ad78519bf8e68da625f17cbf90e68a7016735d50b6e125ed13ae6c5743d858a433e7601858c
-
Filesize
582KB
MD58c97b409dfb6d11e061c1f5618be00a3
SHA1374edaf3bcbb8254a4eab952d01f55b50078a221
SHA25699b7c8be5a4c0347380dddde588566ad9d5921fe852c90d50ea3a93429af67a8
SHA51218f9032c98deef1f71428d48a896b77f9d51f2fcd17899101839ab5e0a01028db39ef4e98dff67c0086ad9851faf0408d52d002a38a696976c917e109f5cc631
-
Filesize
840KB
MD553db1154a20c9564111445dc0f424c04
SHA1916b6bc4611560456c6cdd9be16d90e39b35f05f
SHA256184a78f83b5ea8f7f0f87c6f13847cf05e8a308688f750aaa8529917bd01c18a
SHA51252a2e9c6aed268f72468787101fc172fdb089a4d905ad87e494b8217706d6ca252765a294db7a66e82c1c7324bcf53082b1662c3334429f41d8433ec476cc2a0
-
Filesize
4.6MB
MD525faf7ec4dd844a3a380048fe331ff68
SHA17e787f290ba5594efaeca0bb26b28b4fba9e94e2
SHA256282715a3ce62d8ef33ebb1392c535dd55772a326d99076ada1f73a66b3adb0da
SHA512dac3c8c7aab8f8e10a27dedd0842970eb85e2179c97ef44d1394c062675513929a2b2bcf2a1323c971e53416f13f4dcb7d2afee1e6925a4c82bead25f219583d
-
Filesize
910KB
MD542abe38fcb58816e91e2760422ca12aa
SHA1f7643f0e055500694fc9e09be999d6154d8745f4
SHA256344a78edba26aab51234749bcb627c87bc07191395b9849f562526eaab1b7925
SHA5127141630119c25d7b26776b8a8d3c8fdb8f8a52e334372cf5a1716baa9d7cb02d289847c7685414b83eea64c2b9ea19d0448342bb59bc057d02a2b869e432d8a7
-
Filesize
24.0MB
MD5a72f1387c661e8b5245722eb0dba7035
SHA197c2365496c333092bc48dcbaed62bec825c78ce
SHA256db1db9d85928df6ce8e958178bc1648cf3d63f0e97792bc7c4d5557bd8d4677b
SHA5124838c8a2032f4f8d271489ac7a6ba46f7f30ca226aacf73f9d058d57331b30f003f13f29cdc52166d3b8186db496b81eade11a792180fa9821ce90f7b6360824
-
Filesize
2.7MB
MD5fa8c0978c87caacb5ce4ade9397e4310
SHA13e3eda8abbc9b328a4ee61f1ca6a512ecd58907c
SHA25683dcd62928282391d0976a4316294a2ee6fe21d7723747b774e22eb37ffd1aec
SHA512e19a22cf31cad60729b08f49ebecd56324d1fcca65085d675816e08ae6f5ae1542dcee69dd8106fffd43d72fad4a470c30e8613f5c4a01e4dba12aa37a15ccd1
-
Filesize
1.1MB
MD5225fdcb8ee21d9095d58d920bb9880e0
SHA13d504e7b76aec50426edb5d0bd73cf75e65268d9
SHA25625dcaffb8b03c15dd2ac03d2c57720c022cd72cd0c0b884aa603d544ac85e7ce
SHA5120411d4cb88723fc3ff3156f0d4b42173522f17a96c81c6410090c16ba657184a28fc9cbbf8b99b2e4d14db7eb5710e3edc04d2ece09c9a13f473292e1469ea50
-
Filesize
805KB
MD524373abf7151d3fb77c5b563f5bbd8ff
SHA14edef6381091e98eb0c702422c246a0dcd6b101e
SHA2569f40dc72923e34d9fa6a0a552a5394e54f7b03534975a582a018d0d6d224d1fd
SHA512d0429974701f3d0d53ffd1b8ea28cd074b6f21ca3ffe082a7faec65f8088d478e13afbf1e9465d732e7df3f4f144d356e22103b4c9113c9ba168fac4fe588be9
-
Filesize
656KB
MD54fa68b8c05ebdb1da750d03d42c54f06
SHA1f280e1994e6df18077179545fedd553f05f4558c
SHA256b8c29d9edd9cbfa8b4de3413d8da122681ce20e4d5df95dbf029ba6e74b45cf3
SHA512dbe8055b9888fd910f26c7459e7f419cdd0bc87abb70d908e80f423bae87b39d4ff37a6430fbebe95955148cd0bde0597c39c5553125b61c877861b5877226ff
-
Filesize
5.4MB
MD5aca0f1ff818b3e5a5f4df6d3a3ac443a
SHA1054cca32b198ef05775d8ddce22a69ba02bf2b48
SHA25649cb2c59aec3a554f8c1da39449ffc0ab9f51367c52d39341d32bf01395dada0
SHA512462476f08435a94578c5bde0e2615acf768eec2a7f921288d42d31bc863cff93fff87d3fd1d7d4525eaee4d9bb4bb3c384110103d9909cb8e21976e101f80c1e
-
Filesize
5.4MB
MD5a56c033c7137175f725fe2a2dfc1cc0f
SHA1ac17ce0eb01d87ebd2847a9e9d85d47edf8c9a78
SHA256a03c9788bbcb03653e03995bfaef960ebf94e124b7f497abe7fcdf74ffd18fcf
SHA51244dd80016d4fac7329732e11518ad8a56d0a3a062eef4657f341ace5d9ce3bbee1c40b6801580ac90ece85b9e2caf3a2d33fca644dfb374f51fb6e99b12fb1c9
-
Filesize
2.0MB
MD51fd9bb4e0c2272990f1a96aa841b92ab
SHA1063fb65eee7e779147333a892e362fa3d7b17b6f
SHA25656d2857c0c3c3145dcdd5b6af16a522e4561f6a706668a984971238b50ef6341
SHA512ce70c296a1b5d86f6348184a3d659243c86732aea323959356aff56c2077e763a485e611ca71dd2d07addef01dfa19efc433d23efadd1c792c656d1f4091d4f5
-
Filesize
2.2MB
MD5865c4dbf2decc679e99e26d43a162973
SHA102dabcf1e8f0a8c077c0f180551c09f1667aaae3
SHA2561fc775a0ee3deb61e10e448c55e8bf944da1cc05d07c7b2974ed21aa9aad22b7
SHA512fa6adea154e294a32c63a726a4346b48bb172d2d5446a4edfd26a25cf1db7a6000dd2a2538c320f628342fa12e2ec60fb575f2566f6c18aed895da632e7b1005
-
Filesize
1.8MB
MD55659f11f6145f245bc2cea8bfbd0d2d6
SHA11b4f4a8a8162ae28668fe4b51ed81caa64d1409f
SHA256936d2fbbe29d25e41a5f023b066c8504be853a64c379bef5cdbfda57a9449f2b
SHA512e8eedb541174f4e61c848a8e36032821ec12ef7979d77817109777cc33d39bd63d1747cea7a18e19ad5152c7b533d619729fc0d2ad93ed9108affac85c8cbebd
-
Filesize
1.7MB
MD530dc996b5c22a30c68bf27dbd9ea7f9b
SHA16005c1f2689a696a47f2fc09db8e821e7f248abe
SHA25631e43f15add979d459e4f1cba2f42b50683b2206e24cd828ac6d947f83316cae
SHA512aa3467d032dd5ae63c3cd00af2dffff565b8f4f874dddd12dd6f061625af8c2ca93ef55cbb561cc77678d8179b7043d339c722db7e38606e6d3999a5c8c6cc9d
-
Filesize
581KB
MD5e5cf596457c3ae667b32027cf6622975
SHA1037d2f0439f4bdff4366f213ca8290c1501baa5a
SHA256c02d024aecf17b2c14f3fd4b66372531bb355d160d9f9e3ed2bf107edfd1a6d7
SHA5125d644904a1a399e2e32790b22cabeb6ee2fb3f8d0e780bba48f23a8146a6a8b71dcae90c263517df63c20a88b0fdfd5a061ace899a86d8c0e4337c43745d29d0
-
Filesize
581KB
MD5f9931a2310fb42144eca541d8dee9894
SHA1ca3d5903a835127441304f4aa98a3ab825c61b62
SHA25684fa66810589cf52f1b595865112074a0d9d0be5a67dfdb227cc7d22915e876a
SHA5127bfe9fb6ae9b6c307b3a36c21561ea5d5c24593a5570423cb0dea7d2c14cbb8f94b11f364c000fc9ffd17273a942f059fa09f9b43e625bacad43135c07f3f947
-
Filesize
581KB
MD5424a79c9126645a5aa0e03c055ced933
SHA19bda9d3242beb013316f1aa391eb34dfd0fe3797
SHA25640dee2a07ca34df76b5ec84f74ff1b6e7e9de70c20e512edcc0151b175d7f256
SHA512cc71b2a5f4210b63631330cd551fd92c16e1e574e148d639216a75af11ed90506fa6ce3fd70d8eda427f4f9f3bdb6a94389ae143cbb70b9f6da732d43f4ca41f
-
Filesize
601KB
MD5ad4ac98625e2f5076b28f81171b2e4c5
SHA1df76e764c176033fbed68b07f8819323d2fa6549
SHA2568dda4b4ec1c948d466b7a25eb914efaafd1e3bf1419d324bd66258e6cb1e68f7
SHA5129460ca965bc275a67e7fde96154ba162acee171591f624a2c26b44aa840976d3a29ea125016400cd52f9fea0a4291b6479d13544076a487003eb071233ed1c14
-
Filesize
581KB
MD549b247f09d6253fc5c913c939af09a1b
SHA1b81f34382344149c9382bb2e055b9b10fdd81277
SHA25623bbd0b49c59b1e47a6bcdb761f746738244a64861e1ae27e0204f7503142a8b
SHA512ed4c89bbeb84f8073fd8212e8295513af86e1d8cead8dc0a9905eabffa558bb8dad3b65431710481355bc6d7f8e0530af41dfbb52acffc7cb0f238d0d877dd44
-
Filesize
581KB
MD56794298b0d17c61cd607b87db2440334
SHA1bd5644e85a9dce46f7b39b56bdeea8d216ac80bd
SHA2568ab5171d1c461d0e926b80d9ef41fd5543d39360ce3d4b1374bde04bae9349db
SHA512a9c0cdadbddcecdcc8a9d89f0ab981ae8ccb13c41969481fab25c459686766d090213c960699ca4aada81aa7ab8b1e25b54685b539ef9d71008c2e8dbcf7fbe4
-
Filesize
581KB
MD5827501f5d44a450953f898b6cd0e89bb
SHA18807f86580ae64e0e7e4e7fbd600e835c3a1ec72
SHA2566e11e885ca3d45b2c14f8399ffd577bb29fc9d05b39e4ef3e463b3860adc6196
SHA512aa5f5f95ab06be3061d078bf431d08735474e6454d7f312e444ec227012a2c0c0b7148181426dadff3eeb3c87c12cbaa863473de621927fbaa00ef17acb92591
-
Filesize
841KB
MD5983ac23594e38eeec6f00ada5b9ee8f6
SHA14208b4bc3793484ff824ae2bd366137806577096
SHA256a1dc15bd3c3f6652ba921f9a49fc8912ae7f5a271338490b0e5df2ca86ec13e3
SHA51225aea929c7a60b37ce2585c6823afa0c52364ac577a2e654fef1516d6ef2bcdca3930d5f742819d7d74ce6c59c54839363e2a59c39600ed8e81841d399cc5adf
-
Filesize
581KB
MD5967c6e11429184ecc2791e9a54277923
SHA17fa0161ae94976669783eae0a416a9990990b507
SHA256e503a95c2523ad659b0fab382a832739bd990a17699b2fcfd7450a3a7530c78e
SHA512a3eaae4eb743f38f47f3fff3b2be2a33374ec82809d7d87599011e320026340f33fc619b437a318f89c61510dfff089c7205e6ec44772e733cb979f7d164dd8b
-
Filesize
581KB
MD5bf0a315b06a8595a49a8f08079bdb422
SHA119b60ef17961ed5cdbe0646f1fee38a154971008
SHA2567e2db98f32bc5fde9ef1a582986b5e91ccbd76a4d33bd5bff645599f34098b97
SHA5121ccd8daa57216e48f74bfa9e2974791ce969b949be83da655f0cf0e75f3acd2ca136d4101ddf086ad6fe2edcc23b2b38357eea9029dda8b5b15dabf9a117323c
-
Filesize
717KB
MD53e8bbff56836eba3d9bd6b04f7789e60
SHA1b7e8349ea65b751dcf61fabbc954d2ba4d741b8f
SHA2564213d9d99f4f01dac9d69b5348ebcb17142eb107560ae240ae7ca776434d0721
SHA5128ac7afca3ed4c51731a25bb67262e67f7a4be3ba969d8553728626ad08ff5bfa14f302ec45a1559ef5b54da94f85ceaefe5e8f7c5221df886b17fde84fc2b709
-
Filesize
581KB
MD5b353f41e414bf72160f95aa53d79f7ab
SHA190d4343ed99d3df8521c66e90150652e63f76d89
SHA2562a91bacf269f0fa011de36fc1908ad34cfd68c4afb3f42d7d7146a8cda09dbc8
SHA51271dee8ad28da712ebf7d457ee169e115af23beaed409ffc6b63c35d7d494f1625a2189dcdddd197821cc4cd2bea69b6662665f663aa9b174f4b7e4f27aa107f2
-
Filesize
581KB
MD56652c676abf5d35c75275b6e62fa73d6
SHA1ad743048f55613853623f3fd2902fafe57f3b363
SHA25655970abdfb99878a9542fc2a54f0e8c8ada4ee6e613dc1fb50f77bfdcaf0d146
SHA5122159883bdf1300f49bbb5ecbd90d64a365dbd6fb65e5aa6a5119376306db11bbd33f4397efb8aabdcf548e9a41bcc1ef3708ef749c646f6a1bbf8c76fef8b0c5
-
Filesize
717KB
MD5c70d6130bd434dcaeae145a7465ed1c2
SHA117c5c38c61ba99444a54e2dc0d721bd5949583de
SHA256765783626f1e7e5410ef57e3d890adf9f4dcedbff827f0f1c3abe5f533bc8917
SHA5125ac75f71cc0521d576e9a41195781196c96147aefb85e96465a713db7f652ec3aae765ef57f539b5732606af7459f0dc8d3054a537d58a7a06ab2ca3c8a3a85c
-
Filesize
841KB
MD521fab18a6065638ec0640194bbdd5dc6
SHA1b32a4e902e875377ce7142c78499a16dd2aefbb9
SHA2561e41e3e253e2a743ab0d0d3460a1154d6a82f19edca364fda3acf5a7c0f3fc2b
SHA512d6e2187e9bcb526349c083b7742a8859fda899046a94da21bcb7c167482a35a364362313cbeebf75039e79b846b56c11d8381e59a28c6c976eea96767ee609cc
-
Filesize
1020KB
MD59285a0bb68c66dfe68c186511e0ede16
SHA18815b831dacae42bcb85ed1524347884645bfa17
SHA256389797b07b23b9656bfc94f97ad7ce2109e3522555be1482a16f07b72c65fed4
SHA512d0da91f7ec003c88388201dd299fd10e4532c70cf67527a40746c8bdfeda75fa9a1d35992410b897668e0ebe6eb92cd7f7449cec3bc485e9ddb22d8b43bd595c
-
Filesize
581KB
MD5a3763379b704c54c5382142a0cc65af0
SHA1abf927b020d90d53b3009c9e5dd0ff68e947aaaa
SHA2564a5af9a6a7a2b4a0e1144ad3b04899f3a657b194ef1aa16ad0c08d434583363e
SHA512ba31f97a9b26582b727f19d5e10d71226b022b23f773f956130d9f04aaa858378828f8ca6ed95743a8be432a557e15e083deb78ab5e6cd5657ceaab4dda51fb8
-
Filesize
581KB
MD5abd0905a7f02427d1983b569a7261381
SHA1002779ad1cc6c5a26124b585a022d62b750d121d
SHA256d7330f5d027b956edddad656e67624f5df16599d4f73c2fe961ca292ca5ad00d
SHA512d45dba8de57fc70e179efb6d95f074e515c0cc3346d30e65d33b2b12ee4b501a490887df525541f2c5d806d269bbdb9df3e57be4043bb693ac0c15696a22e426
-
Filesize
581KB
MD5bee1953555e71d1b5ca1f4dbd99f9c97
SHA1ffbd4a514f8e78d094bad1c43aca56105e73eaff
SHA2560de976cf6e600a4b16809547352222524811b3b0a5aa1c5aab0a2f09aeda8e42
SHA5120206a1f7e5560e07d5f45a218ba98b8f348a598b6e0061b422655acb0407b0f507eadb5ba7123cb1c7dad27d244771c998fea7a6fc1ebc737738f8f5703a7aa1
-
Filesize
581KB
MD58e622f50dcc565c9937419215474c97d
SHA1466d7c8bae46a556f5bf9a958d938261b4a6a15b
SHA256fefe06a77b7e73d57ea16399bc59bd10740984fcb75dd54669b73afb5b557d65
SHA512516eda6430a465f49376d198f23d88790bc0966df9208068756165b70afc6df798cbe7053ccf68fbf9b5f6ecee901dd83220b2b739f1cef44a54ee3025d88569
-
Filesize
581KB
MD5b4063bc54f0bc6fea1f6880e6e62e176
SHA16ced616b9ba09db0b3fae40cc5afc57dd47a67bd
SHA25628a2853e7cd0ab6a595dd7b65eb74a523c3f07f7e7696e08a26357e396ea2d30
SHA51265f78f8facf75e40983aa1ce037435e233b8e4700d0bebda86e0d6e7f89149787b58d1ba9c8d5706492e4e0d214a680f36ed63412e73ae606b346f0046aa01f7
-
Filesize
701KB
MD5df7da71116e0397fb79f57e1b8e332b8
SHA15b53a50b6fdb9a985d7e57740a4e0195880dd659
SHA256779973817f2c1857ab76cf4e2bdc5b62b9ddfcb461fa0cc20604287c62f15237
SHA5129db0943569e050f581b583f09c179ad8a62a746a695cd8645ad0047eac88ae3e3aca2846f6cb4acf7dbe84a4441234bcf924fec01ef6f5c144977a0c66359ebf
-
Filesize
588KB
MD5d4ee902f2c8553ec6bab1218bd10ed95
SHA1f5f20f0a5eae92cd73bf1cfe4bf8ae0b8788b4ff
SHA256b50a365c781ee9cf8ac43e1a263553d53f5b5de659e8e7bdc4072d91d1f4e521
SHA51242d6e5aa68826624bbf892d5cb685313b350768ae00f7443e2a0b421ab88a33de7e7690b8757ca8eb6690dc71132f86a38af2f4f5102e3108efb596c7dd71e13
-
Filesize
1.7MB
MD5480f3a8ba4b1257d9389fad71a84d8cb
SHA18d252ddd5e963e8cf891a4fad2f054f4ededd77d
SHA256b4bee6a4e00df2f431c86ab02d52aec9fd3e6edd993beb9d6a30f64a1c666963
SHA5123547e92189d56e452561ffc1e373bbe1339b05552082a9d4376d0dfb74509fdd753f783dc8a0fd12d58a4821fb562ddbfd3496a0a5f03e10023fb920549d145d
-
Filesize
659KB
MD5eb3c6231ce77e434162fc92af7e15dc1
SHA177751dd9b7b0d6d3ba12fcc5519833345cf9c288
SHA256151df581e1d06b782e31759b1027e9f1b933391ac85250edb1067c2aad7cfbcf
SHA512a68e35fd14879c754e4aeef90e09fc29a9c8af96c3966fee905e02ceaf66be16222cd28506a34b1caa44b8ec31ddf75b9e04ee7ee9445f67837dbbafe1c876aa
-
Filesize
578KB
MD5e0a75668e4b646d84b19b2686ee10b44
SHA14c38006536bfa491abf92a8d8c44c49436ec790f
SHA256b4737f94bc22fba04252314a838ed94745a44d4305db43e1ee21e1eb9d0d3bca
SHA512a62d531ee8e4f079c1904f5375f4eb0fc376877c5562327b42348baf4dec46795eda28059b48beb06f161996be8192e9a508028feb77f2be74739a8f453948cb
-
Filesize
940KB
MD5a464da9cb60633585d2a37129cbdceb3
SHA1f87eaa7b440ac2f5b9748aed2432e6232443cd6f
SHA25675351d7496bfb8be29bde691eea67393c4be05d88cda46c5eb4b8f79a742d08a
SHA512ac5724de9cf8966615618ee45c327406f69faa5782b6455b39fa754fd8dfcb0b477a401981e29a09fb5c0f635a1e938a47e593c904b21c7052031a3af65d892c
-
Filesize
671KB
MD5ca405f9015f42ced67a4ae57d8ec863f
SHA1f77eef7a452bc1e0227d181226eabc3b9941b59d
SHA256cb7566bc324eeab8be58ceb093d29971946ab6565d74170107127cb7014db5d8
SHA51293a21826d49195266ab09b36d55e709f414191ac9847d920c554592464bb1a5502b2c5d930a615c773f8df5603ebf1fc8efcb4afadda9a27cadab4f7ce5b4aa4
-
Filesize
1.4MB
MD52ac2c68e802e97fe4f4aa2ee31dcd368
SHA189ae8568283325b3470fe1e629deb8ed9ce86ea3
SHA256b95db9bf7ed4e3c9cc1dc4cca15e965895c3f45765f274e71cc990d87af190fc
SHA512adc5bac1371caed6f6754544023fbf18e8e158d041fdffbaefb7d8ead64ea7a258751ca324a17b5bf72fd440f592c284bd921e96749fffb366306c81539305c4
-
Filesize
1.8MB
MD53567731e75416a88f7dbdfc2ff442c47
SHA16314d289a9224577448e0b928b5b65425a16cefc
SHA256a06a8805dea72193d895a5e8fca4359ceee15c56bbce8605d0d1171af4ca42d6
SHA512e0103e7a068aaa781971fd7db7292510480116ab59dedbc548e8a78f1eab31e414f2609ed117bdf48d6cc2c2659e9021491153b713ffc4443c760c0153b8bcc5
-
Filesize
1.4MB
MD5a62d14997733734594eb438ece8ac0e0
SHA111dee15c48819f2e3f13340b8f6dc490b779796c
SHA256bb30685b6d0f0707495a2cfe3665f678868228cef299b07beb1df3461af9233b
SHA5123bc8ba22aad37df064e3ae414949a2fa910f2fc95878c6fc2b4ed9533164977a914b03690723cc80d231263e233c989b202e44c3cdf225794445b9a09a8999a0
-
Filesize
885KB
MD5b6bc6a09b37cf13d76d3a0d7ae3334ba
SHA1293a58f22f3d95674a7789d31e30111f24ff0339
SHA256e13d3287d5f5e2cb046e37f03c9b07e5862926432d859bd615444a318c2e3bb2
SHA512ba337bc6147658712d1da809e70faedf857a48b2b412f98aee6c95f260a2b398c058d9ed8e4848512cd552c0be9a72de5b3e968309465faacd87075ff849928c
-
Filesize
2.0MB
MD516fda16b71d994ecb3f7ce6f79f9e59b
SHA1a59f5d553e49ea130a9ea0141d9104c0210534f3
SHA256ac7f1e798beaaaaf4ef0796a8a148123013d430f5ae7510c0074324b25c160bf
SHA512e5b4eadbf82c8d35c44269e0e6d3213a43bb8b345d93400ac92cfb62cdc614f6ecb8eb0808367d4371ecab2cadff7742c89b4705ad972b2beff0ed1acdb82f01
-
Filesize
661KB
MD5adcfdf2c527dc3bcede0b3994b1b0b40
SHA1c9d0e958f991cb3e83b38e1756dcc888adfbe384
SHA2564dbec608cd2fbbd435a60e1d857a4fa151e6a0de38a65bd5597c8b20e399148d
SHA512e04a3eb1718cdd307516c138a0d1b23e5e7a0263227eaa47c39ff9d39ee43eef02404aa59f2cc7ce81ca17b434c94445bae0e8d5b61f1d7d7ef2a8e7646937fd
-
Filesize
712KB
MD54979a359e966a88a9131ce44bd904946
SHA1f288c969724504150f13324686e36149f3313e58
SHA256204862a8bafa384ed7aa527078a6966866e18043c0db90d85e170365fa79d324
SHA51299dc41f99b4dbf4434e4f438b95457a3c69029d146fd519a215655e92d729d43055b48dad170b3ea90959844c3765c947a00562ff6886e863408209fda91fcfb
-
Filesize
584KB
MD5b4da5160efef595608928132b6ad0fff
SHA1f486467c455528f63ef2d96431f5f30091b6205c
SHA2569e5d2396f8c948a908bd27eba728e2eff457311de2b4805d91e5f60fcd0661f8
SHA5123c651fa7bf5732fe2593f063440cf5219988a395607abc2ad9c0830d8c75460c3aff1b85ad0b914b31441db91d41c9960d88fea82d266bb0e18327b74b566fd1
-
Filesize
1.3MB
MD52938e482259be9071a8ab898c47cf255
SHA1bbabd7349b1b586c6ca98f94529ae5527659fdc6
SHA25632381b05f12c09354d89ae60dfdbda9b013a2aad60cf65220563589c901b1a2c
SHA512cf448a4fe86a9479fd31204750f724764fe831f1f4104ae0278890cb958b44a2d444897472dcee1f984d58ca43b972b2e63a5b7ef75fd2ed99fd5ef71db060ee
-
Filesize
772KB
MD57af57a5f6a11159deec1baf3f35552d4
SHA1f406aaabd53ef650d291cfe75bfc71788ef81b2f
SHA2562622f28727ef7d6ffb93486bd1a063e4e1d41442785b9f19f6094ab9c5fac49d
SHA512a1090d54e87d571b61bdad3110b59e67eb4d1937f3ce95e5dea46b6dc71bb6fea2bbb2a9ad2afd4bf7e2f30b9c5cd91154283f0cf1ae327e738f4d1b4ab05335
-
Filesize
2.1MB
MD5d8c47055376847869959630d9ee3fbf6
SHA1cd40e684421afd71fec27db102b7f4a65c292b05
SHA256aba2d41d9c530f2588e977b93ae005de4bc3cf9791764c7cb66c99b3037d7c40
SHA512a680f008703f04fec6cbcf54c888a73e1d29a59a3c4cfc5ce0d0b3f2d4038845c8ebd39c1302946e85cd831efd4e58c1721386eb38c1c6dfa0cc895825b9db7b
-
Filesize
1.3MB
MD5219f3e0d7528818259e51b75cc277e8b
SHA1690f87045b95cbb9477d35e98c4eae349bd13274
SHA2565e83f2f1d2880d686e6a55996bef66062235680820ecc364c7d55a73b3658d76
SHA512f2db576b15cec8da471c414c2c5c1de2aefb6f2a5776ff2b1ae15815449b425bc66726cc8b6f9bf758deee5e4211da563f5b495cd1c6533811d93a0fc68ad793
-
Filesize
1.2MB
MD5f12f7397206b6b8a130c98d0d1b6bf57
SHA10714d4f9693b3a0fafd2827e7140cf7d64d577bf
SHA2564dabf1674c05bf9544b21fbcb128e14fa30cedf7169a83db5f032ff3f5201dde
SHA512dd92dafe0ae42db96f2e4c6d2297b085cda1d219b55fb41c4919001d174e679cab5ae79d7bbf7bbf2ad33839e1e15d384ca64da784d495e8e7e3c71f237f5452