Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 18:01
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-11_9cb6787861114ee8c297fb30b118e17c_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-06-11_9cb6787861114ee8c297fb30b118e17c_ryuk.exe
Size: 2.1MB
MD5: 9cb6787861114ee8c297fb30b118e17c
SHA1: 668e2237c62efcceca7080002a4d0da28a24314d
SHA256: bd0b3d165292fb7636f512a6bac93ee5df6c8315d492ccbd48031538832dc15d
SHA512: aee35f5abe41eb2cb8364cfd50e2588012221c0a1fb2096a57f80ad4e95f606bdcb8a37c87bdfa30b82f566355e0af500d1d4f5257d9e7da8e9eafc0ecf05f68
SSDEEP: 49152:4a/3xXBSZ4K5MJ1LvTMxbfsYBYSgxu9+fw4TdkQ/qoLEw:yZ4K5MJabfsYNWqo4w
Malware Config

Signatures

Executes dropped EXE (22 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (24 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
description                   ioc                                                                      Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4544 elevation_service.exe
4544 elevation_service.exe
4544 elevation_service.exe
4544 elevation_service.exe
4544 elevation_service.exe
4544 elevation_service.exe
4544 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1416 2024-06-11_9cb6787861114ee8c297fb30b118e17c_ryuk.exe
Token: SeDebugPrivilege 1940 alg.exe
Token: SeDebugPrivilege 1940 alg.exe
Token: SeDebugPrivilege 1940 alg.exe
Token: SeTakeOwnershipPrivilege 4544 elevation_service.exe
Token: SeAuditPrivilege 4860 fxssvc.exe
Token: SeRestorePrivilege 4956 TieringEngineService.exe
Token: SeManageVolumePrivilege 4956 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2084 AgentService.exe
Token: SeBackupPrivilege 3016 vssvc.exe
Token: SeRestorePrivilege 3016 vssvc.exe
Token: SeAuditPrivilege 3016 vssvc.exe
Token: SeBackupPrivilege 3480 wbengine.exe
Token: SeRestorePrivilege 3480 wbengine.exe
Token: SeSecurityPrivilege 3480 wbengine.exe
Token: 33 3516 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3516 SearchIndexer.exe
Token: SeDebugPrivilege 4544 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3516 wrote to memory of 2576 3516 SearchIndexer.exe 118
PID 3516 wrote to memory of 2576 3516 SearchIndexer.exe 118
PID 3516 wrote to memory of 4924 3516 SearchIndexer.exe 119
PID 3516 wrote to memory of 4924 3516 SearchIndexer.exe 119
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_9cb6787861114ee8c297fb30b118e17c_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_9cb6787861114ee8c297fb30b118e17c_ryuk.exe"
Depth: 1
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1416
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Depth: 1
- Executes dropped EXE
PID:668
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Depth: 1
- Executes dropped EXE
PID:3952
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Depth: 1
- Executes dropped EXE
PID:2104
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Depth: 1
- Executes dropped EXE
PID:4456
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Depth: 1
PID:4460
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1488
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Depth: 1
- Executes dropped EXE
PID:1456
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Depth: 1
- Executes dropped EXE
PID:3724
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Depth: 1
- Executes dropped EXE
PID:1984
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1532
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Depth: 1
- Executes dropped EXE
PID:1972
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4628
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Depth: 1
- Executes dropped EXE
PID:4484
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Depth: 1
PID:392
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4956
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Depth: 1
- Executes dropped EXE
PID:3040
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3480
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Depth: 1
- Executes dropped EXE
PID:4908
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Depth: 2 (child of PID 3516)
- Modifies data under HKEY_USERS
PID:2576
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Depth: 2 (child of PID 3516)
- Modifies data under HKEY_USERS
PID:4924
-
Network
MITRE ATT&CK Enterprise v15
Downloads