Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/06/2024, 13:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2024-06-24_0ba9c74a5e01ff231b623553dd9c5c78_ryuk.exe
- Resource: win7-20240508-en
General
- Target: 2024-06-24_0ba9c74a5e01ff231b623553dd9c5c78_ryuk.exe
- Size: 1.9MB
- MD5: 0ba9c74a5e01ff231b623553dd9c5c78
- SHA1: 3feb6fe8efc7df7666a3a6b510d5e146768d2a62
- SHA256: 614f4407de42e9983827b5051838a270664b078afec3ff92d7514a2da1c11f97
- SHA512: 8028fa616abe3cc1e9393afa5b6b8bc552fe0510825ccf2a85db793cfcab25f4b04f2ba53560ef340b734c95ba2fc5af153b70739cd8b561ea5b7d873df9080b
- SSDEEP: 49152:26cZGizWCaFb4gDUYmvFur31yAipQCtXxc0H:4G5CaFbRU7dG1yfpVBlH
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
description                   ioc                                                                      Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4012 elevation_service.exe
4012 elevation_service.exe
4012 elevation_service.exe
4012 elevation_service.exe
4012 elevation_service.exe
4012 elevation_service.exe
4012 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found
652 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 5060 2024-06-24_0ba9c74a5e01ff231b623553dd9c5c78_ryuk.exe
Token: SeDebugPrivilege 8 alg.exe
Token: SeDebugPrivilege 8 alg.exe
Token: SeDebugPrivilege 8 alg.exe
Token: SeTakeOwnershipPrivilege 4012 elevation_service.exe
Token: SeAuditPrivilege 4864 fxssvc.exe
Token: SeRestorePrivilege 3192 TieringEngineService.exe
Token: SeManageVolumePrivilege 3192 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3328 AgentService.exe
Token: SeBackupPrivilege 1416 vssvc.exe
Token: SeRestorePrivilege 1416 vssvc.exe
Token: SeAuditPrivilege 1416 vssvc.exe
Token: SeBackupPrivilege 5084 wbengine.exe
Token: SeRestorePrivilege 5084 wbengine.exe
Token: SeSecurityPrivilege 5084 wbengine.exe
Token: 33 4588 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeDebugPrivilege 4012 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4588 wrote to memory of 4260 4588 SearchIndexer.exe 114
PID 4588 wrote to memory of 4260 4588 SearchIndexer.exe 114
PID 4588 wrote to memory of 3316 4588 SearchIndexer.exe 115
PID 4588 wrote to memory of 3316 4588 SearchIndexer.exe 115
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-24_0ba9c74a5e01ff231b623553dd9c5c78_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-24_0ba9c74a5e01ff231b623553dd9c5c78_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 5060
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID: 8
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4012
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3776
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 4860
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 4896
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 1908
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 3708
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 4864
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 3132
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 2136
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2748
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 5068
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1600
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 4632
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1660
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 1924
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 4492
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 3192
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3328
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 1544
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1416
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5084
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 1464
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4588
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 4260
    -
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
    - Modifies data under HKEY_USERS
    PID: 3316
-
Network
MITRE ATT&CK Enterprise v15
Downloads