Analysis

max time kernel: 133s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 23:43

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe
Resource: win7-20240221-en
General

Target: 2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe
Size: 2.2MB
MD5: ed02c4fe7e1a4456ff766aa1eb79c248
SHA1: eeaead12a61f02657d894a9d50164ac620bb8171
SHA256: e45b27c0534307895b6d592770e5875a67631ea893a7c1a21b8aff793d060510
SHA512: c8b09336c1d3721f8bc706d8877d7e29696e4bf7debd8016e153899c33c95d9c7fa598fc5c3c9dd7b372a89fc15f4107d77f24885492f6ad8978cc0944733e2f
SSDEEP: 24576:/OObVw4TaN1wdkukCba4oXtgLhU3wEdmh58AHofe3y1sInB2COzRq8DvFqt:/OOh3aN4kuLbegmtGtP4suIRbDv
Malware Config

Signatures

Executes dropped EXE (22 IoCs)
Processes:
pid | Process
1200 | alg.exe
3572 | elevation_service.exe
2116 | elevation_service.exe
2360 | maintenanceservice.exe
3384 | OSE.EXE
3288 | DiagnosticsHub.StandardCollector.Service.exe
4020 | fxssvc.exe
5100 | msdtc.exe
1688 | PerceptionSimulationService.exe
1276 | perfhost.exe
1236 | locator.exe
2836 | SensorDataService.exe
2164 | snmptrap.exe
1584 | spectrum.exe
3272 | ssh-agent.exe
4092 | TieringEngineService.exe
4912 | AgentService.exe
368 | vds.exe
4676 | vssvc.exe
2296 | wbengine.exe
2332 | WmiApSrv.exe
3052 | SearchIndexer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (28 IoCs)
Processes:
description | ioc | Process
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\943927e2b3e2edcd.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
Drops file in Windows directory (2 IoCs)
Processes:
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020f5f69722bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000064aa89722bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8d4ae9522bdda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f61209722bdda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013f2349822bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adf6319622bdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c469859622bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1e9839522bdda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ba7239622bdda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process 660 660 -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe, alg.exe, elevation_service.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe
description pid Process
Token: SeTakeOwnershipPrivilege 1620 2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe
Token: SeDebugPrivilege 1200 alg.exe
Token: SeDebugPrivilege 1200 alg.exe
Token: SeDebugPrivilege 1200 alg.exe
Token: SeTakeOwnershipPrivilege 3572 elevation_service.exe
Token: SeAuditPrivilege 4020 fxssvc.exe
Token: SeRestorePrivilege 4092 TieringEngineService.exe
Token: SeManageVolumePrivilege 4092 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4912 AgentService.exe
Token: SeBackupPrivilege 4676 vssvc.exe
Token: SeRestorePrivilege 4676 vssvc.exe
Token: SeAuditPrivilege 4676 vssvc.exe
Token: SeBackupPrivilege 2296 wbengine.exe
Token: SeRestorePrivilege 2296 wbengine.exe
Token: SeSecurityPrivilege 2296 wbengine.exe
Token: 33 3052 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3052 SearchIndexer.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid Process procid_target
PID 3052 wrote to memory of 1888 3052 SearchIndexer.exe 128
PID 3052 wrote to memory of 1888 3052 SearchIndexer.exe 128
PID 3052 wrote to memory of 3228 3052 SearchIndexer.exe 129
PID 3052 wrote to memory of 3228 3052 SearchIndexer.exe 129
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1200
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3572
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
- Executes dropped EXE
PID:2116
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2360
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3384
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4788 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
PID:32
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3288
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4172
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4020
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5100
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1688
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1276
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1236
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2836
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2164
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1584
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3272
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:180
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4092
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4912
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:368
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2296
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2332
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:1888
-
-
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:3228
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.2MB
MD5
a17fd345c5c6bd644996c8955f901629
SHA1
457d8bbb353dd276667065bf60a727109713ae5f
SHA256
e04089d9bf3ac2b83013200bd69c26d1d53f6f146aaddd83ccdf0ab6126e4592
SHA512
13a0225dce2a8b09e0f356343aeea92f622f13be8e44d7bac9d5465201ed11abe7f1460f390dee12c4293ed5e3c6631a9695f471bc010ce67c54821bca2bb654
-
Filesize
781KB
MD5
f4942c161276c11b63845dcf960c210f
SHA1
5861252a31892d40cd372fc50b8adbc4e5b29781
SHA256
841900351d16e196444f6f3e69e822b8944484a2cfb5d4607163d7fcaf59e320
SHA512
95ac0fa7e7a85d5acc5f534f8f2dd46cc0e65cc8a7729895fc439984f474a163981b7071723227c28b54fa99110e4e2e595632844a6729a9caf1e63ad18f47e4
-
Filesize
1.1MB
MD5
72ed0585035f1952f8fe38c41ca4491b
SHA1
997c03c7bc6268a446bc482dc327a641b923233b
SHA256
71b8eb6d838d7a46c6cd43351878e057512adc79317ae65182c8c5799b038a55
SHA512
33d0eaeead08a51d0f8956c709b85db0d08e5d617b59fae687d8d4f096069943fc5a3a5ac78a545aa14af073011b8a44e84057ade31074c0854bb26a8d0d2e32
-
Filesize
1.5MB
MD5
8710a4c61b3a9604016e8b38d8c80239
SHA1
0a9af2b8f96883f916eea3e316de04d002d4db88
SHA256
5340037db71ec6c90b0e0373dd1ba646c07854032fc1cfe1bfe69dd46072d4cb
SHA512
bb37dc4d93f8fb4b48c0e0ee3990bd4bcd335a22ba0871ce3715293377ff9a5280ece31442f5b26dc5f96e5a53ad73518b93c6201c3842f8fb7480b0b1028473
-
Filesize
1.2MB
MD5
55ef03d78a30a68fb911bca35ab04fa9
SHA1
9d1373584e9bb2e4a4c8b9c2b664fa04eefd7ec3
SHA256
9bbad2d487486ec6494eac0ac0689ae30c754f3e70cae0e751922efab1f34826
SHA512
0bab5ff34cc7180471ef472d65eb52c2bc97d6040d1ad239e9a5c3dbc2a3dfd4ada3b5394ab15d12bfb42958c1e84541011cc16246c3f3835c1830c98435666d
-
Filesize
582KB
MD5
12ed119ad51e55a9c3629d4df3c9346e
SHA1
c675c35758f78f45aebe794abe74d2137119a6d5
SHA256
a3337133ac1a1a379ed8d1bd99735de5cd53861931051e51425ed46c13d20c7c
SHA512
48b5aed1f610dc1953c27e8995bce2033f22682325146f739f2c04416c2df1e3bb386062d941c22ae8c1363d4aafae2ff0e36b6f36b221a90220721dd88cad82
-
Filesize
840KB
MD5
8ad4af7fbbe818a2a0eee58b54bf4dff
SHA1
5006e7156d94eff8da938dacc6a45150be04693b
SHA256
01bbfbf59b37c166db1cc2be5acc5a656236e34896c72ac52ab77d5400598939
SHA512
966cf331c5565119ade688061249e558f673412b04c5c52eb8d8937e2cbaae0596209405f32ee0ce262af7194b59169f9d7c81a899acaa4a598b8866d510661f
-
Filesize
4.6MB
MD5
9f7cdb16b4a1401991377631691812a7
SHA1
3a55ebcb009bf9f4890b56853d7d869348cdfefe
SHA256
63fa0c7beea3041f0beee879dcf9f1cef514fb1634a8f4dbf9bcac6583d9e379
SHA512
45ca264e0654e760e349c061d1f03b175cd8f120fd5cc53cee0da4da4bfd6dbe9f51762c08832f01da5ff82410a50134e219ed13d8bc02da3d795520dea23285
-
Filesize
910KB
MD5
fbadaa8a5af3612ac59985ce91efd4bf
SHA1
455e6f5348c08c6c38dc4d09ac439e5a32bfc699
SHA256
35c30d8f2d6ac58f84389e18c55f20546546fecde1b5c5834934509f2738cc1d
SHA512
d662fec3b818b4524af1afcc728e507c7b12a04ae85fa1d6d52286de643792bc8927f01d6bc2b68d7d35f5e76a9262b693ea730ab9722ed02468e1bbed2f686d
-
Filesize
24.0MB
MD5
a48796936b5c1182da6b5d87a6dd54b1
SHA1
c27deeb274a2c3c2fa1b33c30f93eb54f82b406f
SHA256
110fe04ff57ece395b2bc08b5bf6c43f40c5e3109ee2b5efd34f29df40213bf3
SHA512
1a5bbce287173dc013cf8c25efb398ba2b03f8af05ed6757f1390fa2a5c05557caea93c2153d190557f4f5cd88c70c5db3299606e4cbbcffb49796f0ca07d464
-
Filesize
2.7MB
MD5
b7a11e6a61783198cecd57d68b76c9e5
SHA1
310c2af973f930bdec62bf8a30ebc83fd30d60e9
SHA256
ea0d1adb10ddf062342739d434d5170b7a1b08e3165b66a359ce20e86946c843
SHA512
ab59e8993b781f93a2d6cbc9dd9162254aafbb88556cb7bc8ece35c19af6d4847df25d88a964e275714aafaef5ffcef6802a5c36a7c613cd88b74b6c10d9c20a
-
Filesize
1.1MB
MD5
a8fbca92b658400c8e7286e525904518
SHA1
f075fe6c668e21d428e579e37efb38f85b177c9b
SHA256
3177403d265b2662d438bb6ad016c95b708c3db2a0077b6d0a3ae38339c2b7f2
SHA512
1c47972c4aaa7d28f8935721fc454b2aaaab507bc4c5446655dda4f69d704f3b9c37d94c549c5b09a3909926baec027003a073faa12b0841ebe0e0a601ef3d37
-
Filesize
805KB
MD5
d937a22ba8f93ec0540d7f75299b9648
SHA1
717d0dac17ae5e61fb25d8a727cfbbda42086f0c
SHA256
d7a720fe71c75632aa6bb4c010c05d32125b530c3d7cbf1fb62b678f5ea3c2e5
SHA512
dbf8e39f347312e7249904f338f995d9813a514c15ba32bb1f5757430c7dbc618080fec9f4ee7b59655eb4fcfb06a04eada8b617f065023bf20548fc5b544ee5
-
Filesize
656KB
MD5
5c3207c908f0776f10a306af6485368b
SHA1
1a9a5e0a2368134d0305292a615ac210c3fbffb3
SHA256
51054ed9f33aba47be696610eef9227cfe2b35021d52db7609a050336c3ff056
SHA512
1f6bb744ee6a8950e9ef81b3284a7634e972c27f08967979e5fb6c3aa7c9b312d54e3bc312b62be603254de03c2477e394e75952e83bded8ea41d58420618e43
-
Filesize
4.8MB
MD5
026a67649b6850857d13f4afac8b6f1d
SHA1
60079cd0909c973db75b94b5fd1fd9fa419e30db
SHA256
7581cf719ed78f47e218d71da3501804bbdfca669b22d63356b29cea0ead496d
SHA512
922c8f4e5df5ab9d82bf90929d4fe7b612c7a682978579f9267ab300725495599a6ba4dcc7956b3ede49442e42ffae9b0245edeb17f830f2e4b644274517b6d6
-
Filesize
4.8MB
MD5
72872face92f137d740f6a6d106ac9e6
SHA1
c8cd3da77086ffbbe9e01045a0d11d8799f9930c
SHA256
1e7802a9665f83c2058ccaa80a7390299aef43aa19f8f6b4c59743313a21139b
SHA512
66ad1a5886f3e2958b406dfa43b4cf2000b2bb52c6c71109e1fccee6ab816a27e508c0950fb74f4039887197382ed368450a1d94d276a55251542ff3e667f59a
-
Filesize
2.2MB
MD5
a8ac1895e4cc1b0801f4cbe993e023f7
SHA1
97fcfddfa2c0a9e673414ccc830b4eda6710537a
SHA256
4f2cd7f4dd95946416c8d5dacad56c50c6e27e012174138dc62dd78c17338ab9
SHA512
0fbd96065e0f3efa7a0411f548eed9bccb38c86915de20347f5dd49abb94e8fc7259d2d0042321225d1840469be2a30493433aa1d47b60a8014c632204998228
-
Filesize
2.1MB
MD5
d51a60221607a2440e6f54dc8b1b6fdc
SHA1
4ec0af516edd63f6e849c10c1487314e5485f0d8
SHA256
1ff0ffd1eca19512f9daa6e6026af258204bcacc93c7d9004d1de0a98df10675
SHA512
e300606d7cd176d3dc24315ad81a8cc64dba2422b3d918f3e50d5cdf6a7a2d940b0966706c248af0e4e2c1f81958e3be56693254a0f3af5cc7e11a73dc6b1b03
-
Filesize
1.8MB
MD5
9a3180cdddcdb21ab3d4e429f3b46b83
SHA1
5c6ab7a8436fc0b022439b194302e7668c5e8f1d
SHA256
ed3d602a3642fd7370b18bfb18c0d4c52a0fa5364b8990bf25635e5c1f951dc3
SHA512
f7c7c0a0cc20eeff4cd53591fac2e067f6c70755c298ea042a0c7e560d911a1ecc2e31b5afced61aae42a2b31e5d7680bf74bca09a1b7c92508207490e7ba098
-
Filesize
1.5MB
MD5
181e8cca73d1a650a0b3ca43b81e4a88
SHA1
357b571a61385cccf2a45bc751849d83c2ba895a
SHA256
b6779895b040a701f0b480844b2413d1bb6999acaf3773b916e08f1a2313159a
SHA512
ea779b3b1cf1f317cd561905d3d284008c777a69d2a2b8ec53baa1ef09e601245c3ad9a22a00e1da9e09923e3d3f5df104928c2156bf40b974d4c1951fe7906e
-
Filesize
581KB
MD5
2551bc11522772687fb1be2d89b86ccc
SHA1
00d5f122860173bff219b0316b557c43a2fe721c
SHA256
4521edc0fbb92977e00e9c896c2840fe0c268a75102e956692b46a503f3398ac
SHA512
2c77b9c87402b8019a7ac38077aad5b6d223cd89389b2c8d0ec1d5bfef2bdaa338cc33ca8e9216ef5dc497cbc054dde1e1cbb9548c88ba841482829ab26a83cb
-
Filesize
581KB
MD5
78ba69e3963d76ffec41da135b502a40
SHA1
7be16aba6dc1481d93c4191107c6217e33deb285
SHA256
31e554096ea34082ec4a53c68bfaa5bf9f2208589e575f8a2db3ced3e023028e
SHA512
f9a71cb936bbee567cb302a63dfa6dcee81d798cc632db0c53bf95e0d32fdcda1d7aeaddc24af5c911403699aa2a33dbd35296bc6205f7d3a13c4d6b1c50d491
-
Filesize
581KB
MD5
6fbded1f3b19ab6d9ddcc1bc5955a6f0
SHA1
9066a031d3abcb0670215b32db95f2fd5b4fc1c7
SHA256
d3692c5a1defea87c4d810d4c72912fbf77cebb0acf66e457c4fbd8e87d7a45e
SHA512
dca84eca2ce71fab51e3e2b010ba90265cac72841a1e574753b28912fdf07128f98c37931e3a89e1514ec03cfd86ae0e25f8255e3d433abf869f2a393282a5b8
-
Filesize
601KB
MD5
1dc519c5a71838caaebebf7469e9e14e
SHA1
3f093ecf67106f13699142f711cb15943be17086
SHA256
7c1264796a9ebb9ca73bd23f03447c5769e7918515c1d8073569ecfcc60d5a36
SHA512
45de0a94ce839d7cdba40456cba3fdd5e8ef147cc1b3722a9bb8aa5e107cd0f3c68e95eb87dafb8ac101455ec3785b4cb489204b9ca1b1ed5eb92285324cfb84
-
Filesize
581KB
MD5
f8d1e34fddcd15a7a1ea46b4472710a8
SHA1
d2df87ab1f89da34b3d99b82f3d3b1085a421c4c
SHA256
d831f8f5d453433e45b5e238497c54993a00fa257355ead49bd82d2650205781
SHA512
28184bee60218736fde574bacf3cc3fa74d8f2900f2164b0176b03caec7e0767a380bfe59286d0f323b0da53ebe74758e2cfa50d7a3dd32fbbf37fb126dad370
-
Filesize
581KB
MD5
39cb777b270c805b6d0c20cca271d34e
SHA1
df62f50dc002f6363fc991be06270f2894a72169
SHA256
b6efb8139028de43529f2c044af6f5cc43d3e573f0274289e26e9c5fc6e9b57d
SHA512
f3d6e964f52b4da00e65df06af31e5c5a9965a19747352e5579fd46bbdc237a056a655269327308852ba7987bbfe95fd3b357a0e5874ff8ea1e6e8820bb969c1
-
Filesize
581KB
MD5
bda6dbd073fb008d263b980a74b00f74
SHA1
3c02670f63fc9f7dcf0aeadb476331d455bbf603
SHA256
2904891c86d28418c7ff584baa1f386fc56d9fa02b4442f0df27f5b3b0ee0c40
SHA512
88124a29822dcec59e56c999f51973878bcfc2c98997b01c3988e5bf5649e182ed8fbfcbcb41c03c20928130798e828864848c42c696d3eeb5ed04c2b53c069f
-
Filesize
841KB
MD5
f152d4d87c34bcf06904e13ec8c3e469
SHA1
9726afba3d1c074a47ed86be47b732ada0b74575
SHA256
5fac56c133017976e713d603de48aa696f6877ac018f9327693021367448ab3a
SHA512
59bc47e5b25f31823b5ba8d71ee5d52343d90da8ce0e4612ac4e57d6bd63e1124caf7641015f0c8c6711c6a083988134eeda156ff38810f58eb97b4aeccb82bc
-
Filesize
581KB
MD5
c0f5d59358110eedfb2abd671a601b5a
SHA1
9cc4bc82978e81641b71d190660f86b9848c0940
SHA256
c88da0ede68800563f91efe4e5241ebf801c155740903a35e1205d61eeeffad9
SHA512
2380fd936109bb82f99bd8e1ae5364fa81dd316f5a37715718c1c1654641310c5ffbc51ab53ef003242d7f986f34a1b165bb5fb54643c38b26cd3df8df4d7df6
-
Filesize
581KB
MD5
cd1aec13cc583cd02bd2bb090142fb8c
SHA1
ea26a08d9695aa3928104bcfd89c3b70fb66b448
SHA256
d0a56811bdcb6d21189e3c8c0f68094141970becd14d22437d01759a9c8e8d0c
SHA512
59a5fdb87e752d8faee5043c3e4d6f7aabc8c29c98308459ba368be13837bce49feb227600cbfd1249a598a7fa735b3a84e1287621031b2bbf4f05144afeb45e
-
Filesize
717KB
MD5
e4c4ca11b53c4a3234d4ff7282d87cb8
SHA1
664a8027be448b248700d9bce4e720f9c1328b0e
SHA256
5f0a3b94b2c50c21c65a1fb310685a3aeb0921d4ce9d25775e114d08f3443c1c
SHA512
3fd98f974fc340652e2469eb50aab408aa2dffedd1c5420e71e882bc837eba5ba68308ea633ef32edd2509d489d1c5879aed814f3e9c596c33f612220ad8c149
-
Filesize
581KB
MD5
a7449c86faa2e3bafcdcb41535402d21
SHA1
49b66be4ac426d130cf0e1f29a486d5b502b478a
SHA256
046acde7784a7146d073ddb6377f75d49eee20138079fed075bf7b202cb03230
SHA512
1dbe8a720d8bee90c0f8152f5927f6cec1a7ac1887a7c334fda9fbc29bbfdd86dea842e8edf114a2e1782a8c7d96b69541e53870b3b5aa8f293b0ec2dfd8d525
-
Filesize
581KB
MD5
3f13889b3d583e5928c3313fe5bec68d
SHA1
ac969fcb1c83ecebe7593db9cfe733ae827b4cc7
SHA256
7b3e86b081fa799d0a04633740b9602c48cd1f0299e9496139119f2f7f95ddcf
SHA512
b3e31c3081be9ca7686769b4ae2718aaa0e5769ea94088e5fc56f67022be8a4cc1b3402cc203a10f9e6bf404b52ad8a1414e2f23e78e5de5e5e9595c8fc58e78
-
Filesize
717KB
MD5
cf8fd9f83f7c5902edd553f5256a7aaa
SHA1
e92d109709a4392482434e6a1d85f5615dd98b6d
SHA256
9bf1183664481f819996b66b3c786231676de8867d317ae672cb9109f3d93456
SHA512
45e24139454b6c79846a3ca360a15beecd9434cc0b763e1df63ed45c00be1a78a2d58afcfffc8d645eddfe40349328611e1afc0aebd80de702a9fe682d9fceae
-
Filesize
841KB
MD5
937af1cdad3702d15de9fa092edaea62
SHA1
d6aaa374fbae5526839dd6efef9591ff440f802d
SHA256
1f132359c6615ea153fb8e491df6895248cede503b54c1d740418ed18e446e49
SHA512
a312768f475041bde21ce637aaaf93c1c8ed7bbf01ec4d86b4c30636afe66016738b5c07a5bd21b4f0859f29e68352ded401d9d5e964431d5d021e02b94415b1
-
Filesize
1020KB
MD5
b31ec24b5874198f1bf205b61dc58a3e
SHA1
b7b1d4eac194fd57152e36c91e690302a2687923
SHA256
2dcd85a7d0564469f8600a12356d5887c3f4248e1e7fee0b8e961c2aab8c75ba
SHA512
a637762b50f8fc6d6fa4a3f39e48fbd60cb20d8003dc067afd08c74d718d8f6ec0f21806428ccf7a0c8440618f49072b96e4c5e2889ececb7c54c101c3f722d5
-
Filesize
581KB
MD5
55f179035b2689d2b66aec75dcf170d1
SHA1
40bcfbb57e651dbf45a893cf4dbcad7a860e84df
SHA256
89a046f31ac4469a416ea77334d347a46e0734b6f51383f49d92534643104eb5
SHA512
3b02d6aeb465f5927d6cbd69189f0a468d0d7dd77de893d5eb76d4d50c8cc6932a427706316513fb93d2a5c4ae0ff8988910254eded83fc1b049c8e677ba0372
-
Filesize
581KB
MD5
2b77d4a681adf7d2135baea9491a64db
SHA1
1749d70279fd4cc172a8a9c4c39e16a2f4e9fa39
SHA256
4a015f2d4c5603e024e729ac2a6aa30fd29ec9454170f0a0183708b45bcb4f8f
SHA512
5ffee103c71051a8577f3ebbc4d1544efb224390f4711edfdd1132b134960ad0ad926e30cb2d52b4d0a308c243d39c55c4b6d5165dc5c44aa4f72ac3c86e8337
-
Filesize
581KB
MD5
5cfa0201e5f3faad8d3846f21f1816fb
SHA1
419acd24a630cc2d9ed202ac362850cb11785d70
SHA256
fa19e69733d0fe1b2a56fec203fa556dcbaf62c5a16646562b841d0f8c3f292c
SHA512
029c27b37e7961c481856b6b402af7bc4479e6612de04f36b201a98a3872920f29ebeb5cd7aaf67ea16a094a809b3f123d449c549e6b4c460e3e5e50c7d1163e
-
Filesize
581KB
MD5
72a36fec49c5b7549d0e5732562e3a88
SHA1
e60119cfe3d41216a6343a011cfaba37f1a69a9f
SHA256
92aa089ecf19edec99b1f6095f71eeaf2a57d11bc572236a637419760a3667f3
SHA512
950624a61fec3f87d9c6470297cb521261260c89500fee769be5e8ceba103fb29c7fabe22b308e5c993358084c49319a4cfc08aa09a403efaa9895023a99f584
-
Filesize
581KB
MD5
b6ce9da2b314357865b34f7a6674c56a
SHA1
c10de5fd981919a1ce103f0e55dcd698d0b5a5b1
SHA256
1c61281bd6e816e13896b8f1b6312a47e9bc2c1ccb90bb254e1f42feac94937d
SHA512
b05a1b6be4f315e3c723777fe290a0ce653054be558f68bed405380022752d1d9bc5acbf07dced6ab26ffc5a48a8ccf0ba32fcca028f41cd29fea729af3578fe
-
Filesize
696KB
MD5
1d7742d79624d27973234ef9b6616e07
SHA1
81c458edc13f1e2742d6bff12d8a04b61af73623
SHA256
dd38e3eca4a39ee0bf6558bb787d499da4e9146cddd51e97092bc657d20b69f8
SHA512
2258eda8e0d89d22285f0e7b3104ee62b0755de0ab3e720678fcdc0bb5f264f71da51fa047cec37bc932452fbbfc52b4c6c9d99c93fc4d9e7ad8e3867f99c077
-
Filesize
588KB
MD5
42cb158c9f0b2e0ecf823e90309fe69e
SHA1
7d44ed6db5a3742e003ca3808fa0d5756541587c
SHA256
255f4510d68618cb194fbad78339460f368dd50b6e5977ba8d313d039dd05b2c
SHA512
2da3a042277c846f6046565df1e6ae2508c631999c0f0b1441def6d806d8037ff56dec55a9027d4d164e37edad3add17dff70392623768d3d025d64ca55e895a
-
Filesize
1.7MB
MD5
2499c4904d21414c3a014202311816f9
SHA1
c6a03337061bab9f54d4f04651051f0681632d4a
SHA256
23b8c7be505b707f1368f38c8c8bc9287a049fa1e00a99453a05b1d5888a3e91
SHA512
f7ae02387e7d82298326a709c4e22a4910ca7197a2493ced7d34020569b55a651d39d9d0dcd9c86319e8b39f5cd56d95a84159c72b7f343d542382eca1988bd6
-
Filesize
659KB
MD5
d31165373b1d917027d362c23b24d33f
SHA1
513cbabfc04286c039d783972f2c71c2bdef4e83
SHA256
310b3de3edf158977a961e67a9bb549cd85c1f4d5134e944ace1e1ad1ac120aa
SHA512
f30e80dd8454e01a971408c3f54ef92646ad5c9f4e87d12b8653ebaf5f26c1b390b715bd90e9f51a6818c4ee98dee6cefae83ab5afb08228ea3f0d95c7f48cc4
-
Filesize
1.2MB
MD5
9a67f613b98f1c8f28a67daed818e4d0
SHA1
49addf3082e229a38b515df46a4ebf2a568ffd92
SHA256
b685198e2230de0c6fa8c2f1aab715f5cfa7303b43d9098010bd4ac921d67e81
SHA512
25c0aeec466743b6935f8302ae58567dfb1bfceca9302d0c9461e9ee8a21b5624e9ad63bcb7523662b19823d9a2e28df2f362304cc8b1a834526f25742e3cb86
-
Filesize
578KB
MD5
87d70a24409a6cd051289c7910b7fe5b
SHA1
196ea671b4fa169cbff0c37be7673262610431ff
SHA256
d9b7a420c3db4d3a95e4b1ff4f8b9b65810d946796f36a564e3c1ad0c20ab3e0
SHA512
c9a15fa3474889c4c775145e9d04cccfbd491dc33e92a5d0480c7c503fdf6a4a64d9a164da2291bcb51ba387209e09e6729dcf18b62d5c5d18df8a8d4916de0a
-
Filesize
940KB
MD5
04f4dec7e38ac733c976ed458b005f66
SHA1
eb8b8dd07f352ae2675358df5398823e55c8ae2a
SHA256
89eead9b711d05ced17e794ba9bccd6f9a408243467eb2800130c158a4bf6b05
SHA512
5c54421b55cd5228aba4f41a893917384ee51962c907e168d00e4c866e6342dd77c6f54012de06ef1e53f4af4536bc963000bc3ad09e71e30d557e63a96e7da0
-
Filesize
671KB
MD5
c64218d00de65985d9cfcf39a8aeb024
SHA1
dd9a517df1c00adebfa035077312bdf4aaffe438
SHA256
7ceb7b304d67f3ccac97b2dd3409f6e746f0fb634ad20744421c7dc844120187
SHA512
0a0050f26ff3b9e5d72338ce90352b1f7d8f547de3d954a2ce7b316b3abcd4d8cc3917451dd061c07d745478f7be50da3a3a7114b7b05d6961d057c2e6c81016
-
Filesize
1.4MB
MD5
18257055090371ec33919b4c6e749ba7
SHA1
815efc7783730667e6fe6c884f2f7f75ec7af78d
SHA256
467000cacb3782c428de2e5b1722179a9535d5fc039d26ed28621bb7d9f928ea
SHA512
fe57c8ce95b887c9a03cf9fc018a731e9e7d09cc3b07316e8339a1b2138d1a0f6994fc1a9b847207a732f11d2eab47c809224e77080865126d280031143b5423
-
Filesize
1.8MB
MD5
aad9b98719465697f4691f45a5df2acf
SHA1
0f083ba8523ed6747b90fec098a9a6880dca36ac
SHA256
ab1810cb7d59f1b7087d4bcba1516bc544cb150b5eff84ba3d7577ebe576a25c
SHA512
5c5f1ec448854945f50f3f0478456c490a0b0b162b646da7bcbc3baa71cbe6187c6f0ba79a9c1bbd7f2e915b96f91cc4e3c09f49eb12f1198ee038b5116f6ecf
-
Filesize
1.4MB
MD5
48455ea76c67c63ed5dcac30601f548e
SHA1
91e72d9f8ad3c4d028a1348f78d08da69c319731
SHA256
95c5ce01dc35007941ac3584b7b5c25ae956688a84e185a9a61a18a02c4bff67
SHA512
ea5f452c7a4515e593ad0dedf6d012c25992f7273d38158be1a98b6066c355c9c9283b58354310e69f502fc33e8de442877d2c5390fbf82d51a877ab1b7a36ba
-
Filesize
885KB
MD5
4f09103825cea05a1be7827e680c0be3
SHA1
b75f786b5f94870716d1fcf3f9c3393c774ef6f5
SHA256
47614bb3914f26ab0e1092887a3dd250ad0bc79c9814fd9ce90cb88b08fa9288
SHA512
d29c758e5673a29306246f1678404fdcd0d6112b11bf4fda47ae07dbb6a32cbf79229d0060afe9668cdeaff2c58f339b3f113bfd1f2024c59ab859c27fce2373
-
Filesize
2.0MB
MD5
cf3350b3630cc3a3fd26accf9bb594ab
SHA1
7b2a3b917c35f30d43cf5c197bb2bc131311c93a
SHA256
83d20a668feb91614b1e16acafbcc7c7e0a81631ad80c60536b34c362b71b9fd
SHA512
3de247883fec40a3fa3dca30a89cadbee143a0959ad1168d75e38be5fa9f86f111830868e6163cfc618e9aff0cbae802e6dc19b7ce233c9dee5368072843b6e4
-
Filesize
661KB
MD5
bfe756653d8e37a7084c1e87a077687d
SHA1
a088c941435d9ac457d36df8570e6d355f5522a2
SHA256
5873e10028f482793d197d60f80f19f7a8c4ff5a92ac1c4d22faf69c59e74be4
SHA512
702a974942fa407da35e48f96ed198bae7b0b5ae9fbb993075f343d087735a0f368f6feb16020bec2a5393f71e049aa0bd34c57294a852e47928ef3c91eb756b
-
Filesize
712KB
MD5
6fca39e9a41b451c01fbbeb6f778b2b3
SHA1
cd17cdd3bc7e4d4756b6a9ecd1bdba9cea41c830
SHA256
e9166f80e690d26e276449eb52bc9cccedfdac91e4b1e9e43c0d38e62b9b5879
SHA512
af3dde61ffb4759b7ca0ade68384c4b47d66f9e66692d9d501fecd0d5f7c224bcf3b18c850cbd08f45c72efae63ace9266fe8743fae11cfdbd584d9f26825ef5
-
Filesize
584KB
MD5
5c673fe65c230ef9edb0db5084976e6a
SHA1
cc7b43e210d766abd172b5e27b07d69c2e18283a
SHA256
71292926c57100afcfb0d4bc8b19ce181da94d0cc0c8b8ae1aa4e2cc2fa20157
SHA512
1e1bfe5a4c5930e73487d3ef7b7bf7e2a83d28c5fa5982190990a3f6f16b639682e814fa770e5ea7b1c01445c037822d047d52e3a1fe9f11d0c93ab7736df19a
-
Filesize
1.3MB
MD5
506b4b93e1fc32a88f166ba3d754350b
SHA1
3f2315f9fa679f5451f60d0572c769b6d329fe0a
SHA256
6d5f1e08aaa3bd114f2aafa18889f8b841ae0709937a785c9efa7724b4526208
SHA512
4c852d74062f1c4bab7fd105bdec8a5b9bc726753d60d5c3bfc668ec1d8ba1a6120d4930ed668cd929b480a051cfbd3a89843782cbebf687e5ae9fb3ed7867e5
-
Filesize
772KB
MD5
635ba9c7c875193f550a3b0d8f98acd7
SHA1
3b1393e339d86ad3195bfb15534ea13ea6b21dbe
SHA256
56481616794bec8e7ab108d4e7c46e93a6c2d380b9d45856636ca94830cf02d9
SHA512
7138f9355fc9f7628be0cbefc5a36bdb1ae4b96c64a4818ee287f6335772004bf69500bf4ffe0c6cfee1b274ae6236c37d7f2b7f9064fd9cd467b8c9bbcbf760
-
Filesize
2.1MB
MD5
a4dd6bffab5f3b57d692c1f14213f88c
SHA1
e84d836729616738a39c64be3daff316eee22bc3
SHA256
7d9b2f64ffda81b857cef748959a1fe53121543779867f59f0be72f8aebf031a
SHA512
6e8c220122e4fb3b446974992b3ded232ac6f8614c387e638698e36e7d12188b305efd6874df04bfe0a41d1088137dd007a7744b1912fe1f3ec37ca0a99bb79e
-
Filesize
1.3MB
MD5
10e62bbb7971bbe12ddad3aa01435b28
SHA1
7c6f2e8e5d9eb493e4b3cf705369b81aed7dbab6
SHA256
21daa66ff6b86b468d1bb5010bd731fb7dd00711bfff1d4a555632c18b115302
SHA512
3454fb400e6bbbcdc901f7a0156c389fc9ddc5ecd6f93a1ff27a71066976260093161d482f343e227832df738cc748bab3b853d5022dbad62485a16ca2669587
-
Filesize
5.6MB
MD5
ec349014121c7e651aa1a521f8a01067
SHA1
bef85663441679270e1509888ce0b8c093eae9aa
SHA256
0c0c52aea65623fe7ac99dc2f843d07458ff1d6a45a257890fcea2b1797a2e92
SHA512
6d6d4888f0f46c57fb86a64ae2c0c2a7cb54cc1c802d9b7ee73e1f7779915d2cf73637e3516c0dc8bc7b0e3de26218bcd98d7cb798323c16c00c1ce8fa022f59