Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 03:46

Static task: static1
Behavioral task: behavioral1
Sample: 2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe
Resource: win7-20241010-en

General

Target: 2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe
Size: 1.9MB
MD5: 870aabe31135188f5d11268cec10db27
SHA1: 1452325c9134b8e65cf61b7fb722b2775ab17dbe
SHA256: 83c90bab42d120928ebfde3f04c144626f520c5828f9459c5517ebb70e087fec
SHA512: fcc6191f067620ad8f94e5eedb5c90ca1f5dc598770adecea221c074f6276185b5ec094a851422ff9c15b3510ecfb55e488e38c9844c5562e8a9030f8cc5202c
SSDEEP: 24576:m6V6CC/AyqGizWCaFbyZatr0zAiX90z/F0jsFB3SQk:m6csGizWCaFbQaB0zj0yjoB2

Malware Config

Signatures
Executes dropped EXE 22 IoCs

pid | Process
2704 | alg.exe
4568 | elevation_service.exe
2040 | elevation_service.exe
1340 | maintenanceservice.exe
2904 | OSE.EXE
1100 | DiagnosticsHub.StandardCollector.Service.exe
2936 | fxssvc.exe
3988 | msdtc.exe
1988 | PerceptionSimulationService.exe
4352 | perfhost.exe
3748 | locator.exe
448 | SensorDataService.exe
5104 | snmptrap.exe
1252 | spectrum.exe
1996 | ssh-agent.exe
2160 | TieringEngineService.exe
4500 | AgentService.exe
5004 | vds.exe
3540 | vssvc.exe
3360 | wbengine.exe
1124 | WmiApSrv.exe
2464 | SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory 24 IoCs

description | ioc | Process
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\3f78a1c99262766.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
Drops file in Program Files directory 64 IoCs

description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | elevation_service.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\java.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | alg.exe
Drops file in Windows directory 2 IoCs

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs

description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e15e6ed5927db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9e06eed5927db01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016d728ee5927db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7b102ee5927db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000467caaed5927db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4568 elevation_service.exe (7 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1652 2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe
Token: SeDebugPrivilege 2704 alg.exe (3 occurrences)
Token: SeTakeOwnershipPrivilege 4568 elevation_service.exe
Token: SeAuditPrivilege 2936 fxssvc.exe
Token: SeRestorePrivilege 2160 TieringEngineService.exe
Token: SeManageVolumePrivilege 2160 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4500 AgentService.exe
Token: SeBackupPrivilege 3540 vssvc.exe
Token: SeRestorePrivilege 3540 vssvc.exe
Token: SeAuditPrivilege 3540 vssvc.exe
Token: SeBackupPrivilege 3360 wbengine.exe
Token: SeRestorePrivilege 3360 wbengine.exe
Token: SeSecurityPrivilege 3360 wbengine.exe
Token: 33 2464 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2464 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2464 SearchIndexer.exe (24 occurrences)
Token: SeDebugPrivilege 4568 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2464 wrote to memory of 2600 2464 SearchIndexer.exe 125 (2 occurrences)
PID 2464 wrote to memory of 3232 2464 SearchIndexer.exe 126 (2 occurrences)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups and snapshots. This signature only records that the VSS COM API was called, not which operations were requested, so whether shadow copies were enumerated or deleted cannot be read off this report alone. Note that vssvc.exe (PID 3540) appears in the AdjustPrivilegeToken table above holding SeBackupPrivilege and SeRestorePrivilege, and in the process list below tagged "Executes dropped EXE".
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2040
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1340
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2904
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:1100
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3952
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3988
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1988
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4352
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3748
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:448
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:5104
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1252
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:1996
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:228
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4500
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:5004
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3360
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1124
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2600
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:3232
-
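To turn the tables above into findings rather than reading them by eye, here is a small Python triage script. It is an added example, not part of the sandbox output or of any tool the report names. It parses the report's flattened process list (each entry is the image path run straight into the command line, a depth digit and "⤵", then "- tag" lines and a "PID:" line) and the "Suspicious use of AdjustPrivilegeToken" table, and joins the two by PID. The embedded sample text is excerpted from this page; the tag strings and privilege names it matches are the report's own. The three triage rules (taking ownership of and writing under System32, executing from an image written during the run, and holding backup plus restore privileges) are assumptions about what matters for this sample, not something the report states.

```python
"""Parse the flattened process list and privilege table of the report above and
join them by PID. Added example; not part of the sandbox output."""
import re
from collections import defaultdict

# Excerpt of the report's process list, copied from the page as exported (not constructed).
PROCESS_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4568
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3952
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:3232
"""
# Excerpt of the "Suspicious use of AdjustPrivilegeToken" table, same source.
PRIV_TEXT = ("Token: SeTakeOwnershipPrivilege 1652 2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe "
             "Token: SeTakeOwnershipPrivilege 4568 elevation_service.exe "
             "Token: SeBackupPrivilege 3540 vssvc.exe Token: SeRestorePrivilege 3540 vssvc.exe "
             "Token: SeAuditPrivilege 3540 vssvc.exe Token: 33 2464 SearchIndexer.exe "
             "Token: SeTakeOwnershipPrivilege 2464 SearchIndexer.exe Token: SeDebugPrivilege 4568 elevation_service.exe")

# Entry header: "<image path><command line><depth>⤵", sometimes with "PID:<n>" fused on.
HEADER = re.compile(r"^(?P<body>.+?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$")
DRIVE = re.compile(r"[A-Za-z]:\\")
TOKEN = re.compile(r"Token: (\S+) (\d+) (\S+)")

def split_header(body):
    """Cut '<image path><command line>' where the command line begins: at its
    opening quote or at the second drive-letter prefix."""
    first = DRIVE.search(body)
    start = first.end() if first else 1
    nxt = re.search(r'"|[A-Za-z]:\\', body[start:])
    if not nxt:
        return body, body
    return body[:start + nxt.start()], body[start + nxt.start():]

def parse_process_tree(text):
    procs, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        m = HEADER.match(line)
        if m:
            path, cmd = split_header(m["body"])
            cur = {"path": path, "cmdline": cmd, "depth": int(m["depth"]),
                   "pid": int(m["pid"]) if m["pid"] else None, "tags": []}
            procs.append(cur)
        elif cur is None or line in ("", "-"):
            continue
        elif line.startswith("- "):          # behaviour tag attached to the entry
            cur["tags"].append(line[2:])
        elif line.startswith("PID:"):        # "PID:2464 -" carries a stray separator
            cur["pid"] = int(line[4:].split()[0])
    return procs

def parse_privilege_table(text):
    """Map pid -> set of privilege names the process enabled on its token."""
    privs = defaultdict(set)
    for priv, pid, _proc in TOKEN.findall(text):
        privs[int(pid)].add(priv)
    return dict(privs)

# Triage rules (assumptions about what matters for this sample, not report content).
def triage(procs, privs):
    """Return (pid, image name, reasons) for every process matching a rule."""
    findings = []
    for p in procs:
        tags, held, reasons = set(p["tags"]), privs.get(p["pid"], set()), []
        if "Drops file in System32 directory" in tags and "SeTakeOwnershipPrivilege" in held:
            reasons.append("takes ownership of and writes files under System32")
        if "Executes dropped EXE" in tags:
            reasons.append("runs from an image written during the analysis")
        if {"SeBackupPrivilege", "SeRestorePrivilege"} <= held:
            reasons.append("holds backup and restore privileges")
        if reasons:
            findings.append((p["pid"], p["path"].rsplit("\\", 1)[-1], reasons))
    return findings

if __name__ == "__main__":
    for pid, name, why in triage(parse_process_tree(PROCESS_TEXT), parse_privilege_table(PRIV_TEXT)):
        print(f"{pid:>5}  {name}: {'; '.join(why)}")
```

Run as a script it prints one line per flagged PID; in practice the two text blobs would be the full sections copied from the report. The path/command-line split relies on the export running the image path straight into the command line, which begins either with a quote or with a second drive letter; the device-path form of the OSE.EXE entry (a `\??\` prefix before the drive letter) is handled because the cut happens at the quote. Entries whose tags and privileges are all benign, such as the svchost.exe TapiSrv host, produce no finding.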
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 f6dc7fbb049c97327c2903fb82c14ead
SHA1 bfd7594681f1da15986bacb19328c0504eff219f
SHA256 8ca8ca870dba271b0365d282d548fac9287ff059f8f7153aaed726a7433e53fe
SHA512 c056aa2aa5532e0a40c17d1cb1a27b8bfad9362cbb04927104e631ab09f8c1a5d9b293cbbee2aa6cbd4839110c37f50ecb632ce6690fe206ea2f945b733c106d
-
Filesize 1.6MB
MD5 a953099bff2ca3af89e28df06f96d837
SHA1 a40b1458abd3e50ecbe45dd95e2bdf63cc27229d
SHA256 69af1bc6cdbc5f5afd2baf67a154b2778d0be23f73e02fca0ce7aa777e4a349c
SHA512 d24a682efcefbfeb07d5127620e7051019c38aec35912d8c45418244135c98e026043d5140fd9efe07f646d8208fab20eddf293ae8cd88b5b1d3c655c5c079cc
-
Filesize 2.0MB
MD5 fdbde44e0f2f469b14c2af17d9e85616
SHA1 88f0a47b479eda9360995d25532e82159410914e
SHA256 7f496cad5de889f3b8ec0f9f0b4565fd35f76e248d78d6ce93154e62bc274005
SHA512 8625f743260f7256f20122dd458f779056dffb03844b9dc5abaffdff99524511bf9afae2da2612594fbaaf82f8d2fba56fe5bf28fb7abf06ce2ac83b9c9cd164
-
Filesize 1.5MB
MD5 231d0529fcfc4e17502926d4ac68f564
SHA1 d42227d642c9fc38a3ab46e35f1b8271eae3a523
SHA256 fe301bfe0e15b37c65b458d794dc8cf75dc4055bb4b9e34db444c120827e81fa
SHA512 8662895fe1986a89a904602fc65aecb50173267d75ca33a9deaa299c9cb6935722193376c8e7fb5ec93d662ecda42f56c2f23dc3e5c9fc0139dcf10773f076df
-
Filesize 1.2MB
MD5 3b3ae7a75edc2447a8dd4354150bd9f5
SHA1 654397dde7264e7a82e895e1d18be9a5df661d90
SHA256 832245dc51bbec1f292bcf129e0c720c48031ac735b957c2f54b30f2cde594fb
SHA512 107c752a1190a0f99f7517f28fb21c426dc49cbb384f6a97ea021459873f6821f83eb1e7cb58f889bb4f037a553c275d648628d8f3083c673599512d1ccda5d5
-
Filesize 1.4MB
MD5 b9f52eb5c7c6de22bbbf7197ba29a588
SHA1 b2891a4b1857a21edcde664770d180494613c3cd
SHA256 9705517ccf178dcde5223ae7297000b73dea6c2c5ac126a2cb471e433e367b2d
SHA512 be0fafa4451b0979e6cddd1c57722db3474b8a344a1165e9d9d34555688f29954e324ed7e10dce0bc8c2c1cb80e1acedc9b67fac70e0d4e2c19969f7625fa114
-
Filesize 1.7MB
MD5 400ac6f5441cc36964bb02496c670acf
SHA1 a9301aa3c2d9c963d878d09ea661f11593a93c83
SHA256 a880d0dba79ac2bbffee839028073f0e7d9e31257a3b8d5d222a4b1d4d1bdde8
SHA512 160c33000be5a2ca4b8bd9a8a9d4330f9b7245f38b8eab6d9f875e71cc873c38aadeb5034e00e013a03bcde7dd8c0a71456866142a11c4ab5fdefe8ea890d34b
-
Filesize 4.6MB
MD5 559023e5bd03bd0cade7f2af34c6101d
SHA1 76bd9b60bd8f5fe2b418b0f57a44188e9a642fd3
SHA256 c0cd99285933182ca1c7a9102a01caf839d21262e7e594ae5845c5c7f296ccbb
SHA512 63e05f6abb44595bf4e035d3950bda8f6d077f1e464c830407612cd3a2755406d19658b1cfa727970ee1431f5132b8f3468d7ef66ff69ca260ab7f30a80af2f7
-
Filesize 1.8MB
MD5 33b86cf521de52d61855699fe93871f4
SHA1 1678ec1023a041b6171e36738a85676e2f49c4a5
SHA256 d4849591ce33bc1917907db4c9db9259ca3e371dfc95908d43716d94e7658d8d
SHA512 26c7a94f28a2a7869a7f5cf2689acb39392a5135709cea78bc26217f7252c384de8a725d95e2fed2bde9567fedbb7ba0ca915f75359f20b093ca9112b2e2d00e
-
Filesize 24.0MB
MD5 37122b0c9ba351750d5b77703a2e1827
SHA1 ecd6d57f2454a4d56adb9a985316327fa2dabdb3
SHA256 4904a8832ead34e27f78eddf5aad41ee175c0d6aa5197c6f8f12ddf4e651a427
SHA512 775aac4028f71c232d1459dcdc28fdba06348d2c85c84ea45bff7e04e7af89963e09470cc5e4e5d170348b98bb045fb8766c8af1dbfc224e8260890ee73684bd
-
Filesize 2.7MB
MD5 5e2bbf0468d56ec7d429866a22cd1fa9
SHA1 3c23606a209edcf1dbef4cd27e69f8e02f8c0ca3
SHA256 f2c5f593ff10a0bf44600390a883d1af72b56d9d58d81e7db748969aa1efaf49
SHA512 a929bcea5832fca5024cf9ff2d8ee3b38f595e1c761e78436faa027baf38a481a47289829350434770bb4a38148c8228a1eb1d3cf93823f5d9df87c36c45630d
-
Filesize 1.1MB
MD5 d5ec7a84397ea329da6f97adc3866d9d
SHA1 9a53e91c05daa34886c6aa64f5d9ee24f6a6e2b5
SHA256 ed4c4eb7896c0aeb161483dc19556afd15d287e8a3fc2f1f28d380d726cfbe0e
SHA512 c9cb98b79fd21ce7290b7cb5a17cf0bf52a0de726fdaabc992b1f7e2f34cb30f572f3615d70e1d53758a9a178679afb3e935235d15a580baca021ca5c6b45e47
-
Filesize 1.7MB
MD5 0c8428871e8a6196def21dee6d3cb3b8
SHA1 67b3e7620049318248b1aa81ef30a92f51eedb44
SHA256 cf8d0e929ec27a41031e009287857f677dc3d57fcd7fc41e166b3b2a109ff661
SHA512 e3e5f8da26f25729cebee7c42b1818843da4e74be9525abff47752608826d86762bff80bcd802a3221c73ea30c86eaedd296712f8241439ac234fe446d5781e3
-
Filesize 1.5MB
MD5 41d85017efe0cdb87a5279ce78c1c75d
SHA1 fa55df9acf140a712acc644dc2fef67387648f9b
SHA256 b7562d2522cb4c5cae44279590a226e587ed03afd7317f54abc2af2fba701d56
SHA512 f2978bda7bf2860ad80e544658e1a5aa40efb391843ff4c576d96572bd16d8fcc2a7a4f2a8159df610f1acfa6914f8bbb485a5ca5f2d0e5892c9bca114561424
-
Filesize 4.6MB
MD5 bd8cc132018b9b2986f5a6a8e9a4ae21
SHA1 71607c62e006eb67baec35d6d7e61043091bfcaa
SHA256 0cc8668770117b52c689fd64397162134a4887086d99059bcc1f9faf8a4323fa
SHA512 9ffc80e7cac6d08386486c5fd1692c3336a2a78039535a06170670337b0cbae6a394570bc62232262cb8e3f9f77c517a4ea92c4ea40463746e9a6d3998a4d7bc
-
Filesize 4.6MB
MD5 b20b4e352d156897fff53ccd2570c7cc
SHA1 cfc39d266c5158a87b67ec1253b33ab458f31b0d
SHA256 b70d871da308a0561bee4bcbff3bc25e9e929a93bd6727a1d64a909366fb2c7b
SHA512 fa4e332777f6cdd36ea6454ce5d11f15ac22da1925824b74016c2949f56d6aea715e75d794f817cfb0766b5e822cfe828f09e5f7bfe3d4d7779650570b0a99f5
-
Filesize 1.9MB
MD5 d30a766864e428820781ba3dc150e471
SHA1 5c1965a1d193ab014d63018f68f949e1ccf639e0
SHA256 3fb9fd7289ae5ac1f8a02ecd3c63d99e48ec9b17756aaff300efd8db2c19e027
SHA512 d132ccf4bbe92b6c405caafa4c924a04513d48af773842716da0cd42d5c2bd575237a70fb7a1faab6cb20b7846678c248e7af6d21dc9f88b1a6f4bb3f1ab7ba4
-
Filesize 2.1MB
MD5 45482ad050305b755226f597e5ee8337
SHA1 ba5aaf6983e1c405916cc8165be0af62869b8e43
SHA256 691c9069c5f8010a62c4dfd1035382e078de6437e303e46940fa9ccd19bdcb2e
SHA512 b28f0dbefb9f3a219a83e6a3e2ab7e9b4303201b2a0efef3754a2336e5b4b86f92831b4de83c3ab3bfbc90a5ddaf568308c54e5d951bba5126e72a54946a9b34
-
Filesize 1.8MB
MD5 f62af1c81bbc922ae52e0c968d333c5e
SHA1 06308c8cacc504773fea83d28c043b282002e221
SHA256 87d0d2ba6ab525afc18543e13fe198f359e8f6839709eb97fde18caba3ccb18d
SHA512 0823da17df0242b2c7e297efdad591d15bc91276fc86756eff2d7a85741f34cbf498ff60360a7b5f5f9bb88a8a750547e3ca82d7b673be847f9bbc715926d788
-
Filesize 1.6MB
MD5 c1bacbd328c79a19fc2e052a34785c96
SHA1 c7f8a25e96c4b329cc77de1b803eb4ad568dee0d
SHA256 ddda86c1fb3e8eb95116f3484f76dfa64d81456e430da250c03020c128b114ec
SHA512 41d9549ee5db5e17bc4485d953119f7f179bac4f3d29b65f9dcf2875c1ff5e269bfebe37d6a0b886f578e8e75325ed3122ae2a1e992cacb4b02b1742cc5904e6
-
Filesize 1.4MB
MD5 f5a40eca52af590b01b8ed8be4920123
SHA1 9bde2898c38e440009c34c4582af0ce98e5095c4
SHA256 d2697579bc904cda7ca7140cde537e439636c984754102114965a4746b1c3c75
SHA512 e1916b4a57ce43fbf2a53e0ce66f33c0e2cf4277bd816b76cac274d4dd3b9205d20da169d560712bb1fb478e567757c61cbb42a0a332e15cdfdee780310a3f8e
-
Filesize 1.4MB
MD5 c2e2061c3698fefec7f361bcf3ec4d12
SHA1 cff1c8ebbfc479cbecd96e46b28a0b43838adb27
SHA256 1281448acafe2fd79f9c167882848a3e1c68fcf5a043c3ae75627504e0d2c3d7
SHA512 8f6e139654b7a0d890f6550de0d60137d5d24b2ba26f24cde6110e0afa604e015dd89a5e313441465438be80406a1dbb10542f925be3d25058a3129b8bf80313
-
Filesize 1.4MB
MD5 dcdcb95657b262c2cc4ff46e8aae6f3a
SHA1 d464e02e13d146c11287d3ce7cc2e514846cbcd0
SHA256 3a384de59d301f019866855bd836f469eec5c2a062068207a332292f829b98f3
SHA512 ddc60f66747fcfd90b6162b483111a7ff6edf6fd6c9016bdfc07192456acfa3a9e727902b068b1bc6d3e31adf9ea8c367c59cf95a85097082c9595ad67bbd1de
-
Filesize 1.5MB
MD5 59a48f1d8400b2748651fc36fe4be394
SHA1 15d824a5792857a49803259b14472bdfc1f32c33
SHA256 d612386e7b5bfc66f65ff5a3d3aecc82dfefc962592093b66b15a83bfe0e39d8
SHA512 aaf6d8df361bd3bf9d179a49c9da055fc4349325ecf671009adfdd6604b3755c88f4604b9eefe9eb0daacc18257246af275267e6fa7c22dce329f9cea81f003f
-
Filesize 1.4MB
MD5 38a07e46232c0c07f3b7d902030c298c
SHA1 6ff7114af3502c4d3ee89f5054487e7bd747fdc7
SHA256 34810b0beec3b0b2d489085086cdf5fffcb7ba231396ddabbd2d37f9072e7acf
SHA512 427e6224a490ef33bd0e4bcd72c8743f67d481b87a26924ce1add2c43561b080349cf43f56ccb57e32b93758e9ccda693819d10de0839cf6f35af3732827e71c
-
Filesize 1.4MB
MD5 4365db55951768ab6ccc57bb77b94e8a
SHA1 a444abc35f7ed8c9e86fc47cfe1ab9d0cb729c39
SHA256 0d34da30d47644884225e725675736a37a4c05ed13ad725828657432cacef428
SHA512 f5ad5bd5805b82cf9644835368abe73f449c7b936bec4cfc35ce961bc946021a1cdb2f830e2b4de012f07b2602fab87409bccbd73ce44b9c938c815cf3310901
-
Filesize 1.4MB
MD5 0eb2fa099efaf2df48efbea2f69b874e
SHA1 84953c98b1285e841e6084ac10fa27a889323e02
SHA256 3205a295b281ab93214629e6607cc467df664879781ae96ffac6111bf3ca0f55
SHA512 8409eed3876e7a207e6a8c973f68995ba2cfc022d69ea8a18d5f866d8648bb86be782d1d452dded49b0d96a5dd736bd2d59122f5c373a2811b23da324aee69fc
-
Filesize 1.7MB
MD5 178741cbf2cbf6e2c2f3e7975ad50153
SHA1 0610358022890a8280ba1aaec2ef9816e82a3ee3
SHA256 33b4ddacd8f229311e6345cccf2aacc7a4ef7b5d22c2431e5cf92ab37a876f6e
SHA512 ab7838d3376486e4f86e38b8cd363109645742783ec6fd299edb1981e61f2af0ab1022a3dbfd0c10b9504551ffd5286a3114aa4a31d374f45080a352a940c4f5
-
Filesize 1.4MB
MD5 a81b5d0f97537617c25446226c11fb73
SHA1 f1e80aa31d014144cda11cb64a8229fed8812413
SHA256 3a5dd021aef532f25933304303da208e39f1ac31797ef8ae9390c70f901708d4
SHA512 30f68091d221a31e8a134bd5d52bb7a0df5abcf6a93741adc35ca185bd8532e854eaccaba82ff6fbcad3b4956bdeffa7ada825528926207cbe90834dbf687b2c
-
Filesize 1.4MB
MD5 478648931a904b1fa9d6137f44233dd3
SHA1 f109b60bfbc05ec989ce5efaae717737f1918432
SHA256 aac455e8c43af35e6df5e5373b55944a3f5b0c1525e463c1a6fb3b756168c1eb
SHA512 f21ba3b89c7efaaf84e1e67a69c08708cec3c57300d5addd0e1fc3d057dfa2239c237a6885c7b1c8d2a1f5a0684abd63fc747eda66034b1e7a638ead62f188a8
-
Filesize 1.6MB
MD5 af6be041f20226c6c137ed1f2c4fad3d
SHA1 35f773125e4f23924fb2344ad98f7f43c2007791
SHA256 4f56c9c16eb9a3e1afaf9287550b58743edfd3a21d3ce9df5d587489445b560d
SHA512 a851fbb040e4095d4b99e150b82d0e4834d9fa24868769e08734aa390e21ac4da7e391a37cfabd3319b0281f35d9ae32fb74fc286db6e73da35f58831eef3202
-
Filesize 1.4MB
MD5 597753c7fe110eac4d2f648217f97c6a
SHA1 ffec7752dc27fe4325fbc0cc4fffaf831040dd76
SHA256 c03b971f667068afa6c5e72da46d2f2a19253086ae23752ba36eb085bce2e045
SHA512 ad2eadca2f0090c791297e1677897ce8500a94f9932f6a0793f991da1ba081102a4d7b1c4b341d9da69554a263996980da60724901b5845ec292aa707a44ddc0
-
Filesize 1.4MB
MD5 618317928be5f23e9e2fa0aeb4748d58
SHA1 62344aec65eb533a9b787431ff00f53fe1199857
SHA256 f938f7ca83d037e2cba2811a076c0d9dec59627531648c1429b69bfcc5955c57
SHA512 2e116280c848153cda937d6181ac12c33a7a40e1426f9608e97a0b51c114d6496a5a22f163da3f0fa889f3350d40c05810f969aaed67712a8a1e592494fee919
-
Filesize 1.6MB
MD5 184d62e1e3e14571a328f53e87aa23b5
SHA1 3817e7899d2104a761ceb19059f25abaaf979a39
SHA256 bceb4c13aa32551d775ac3b5f44993a034bd12f60767b9fc8f35f3c282fac024
SHA512 c7d899a7c2701ac8212ff1f14cec9b55831819e0496d434b62ce780474d69a4e8b1621abeb1f35779180a42a6d968502dfd48257124bd81099618ae97ddfec9e
-
Filesize 1.7MB
MD5 d2973064c63ab30e75e5c3119f78976d
SHA1 9f4493382916d30f00c48f737b6537b77ca5e00a
SHA256 9e6f24c680b229c1557d7a819876b1b01314c137646fde0758f8b740b6a7aa50
SHA512 8294afe1d4bb707d3f05a2357afcd88f8689cb3f90687b0deb6927c75721c8be49310706235e7403c8137876889292c0536dae899f62457222cb5612c3f6a2a8
-
Filesize 1.9MB
MD5 8669c1ced4768244defdcc6c7eb58958
SHA1 76afc75f99bb285a03e95893dfcb8dd9dac47433
SHA256 f6eec5c3ceafa0bb2973d3218616e29b9f3bda7e89b1928b28f299202f950fd0
SHA512 458ec33585d4b44afe3bd6a1ca9b85aacbcd8941ba86766bef723285e6f0bbca2418b8976500bdbca705b36094aac47da2a3e84984a944d3333d3ffcb683d68b
-
Filesize 1.4MB
MD5 f8adc606ee652cc0c79d2d23dcf60f78
SHA1 66bc3e3a24335f0cf460bb76ba75e9533db68071
SHA256 e72294242796a44aeaa4e7bbcb00804ac0c30d42eb384f70e85381afb0ac5c7c
SHA512 008587be7bc9e6cac21513f7c5e3690aee761b72842c840383198f1b58a99b221f9ad49748d04537f8d93520c1f98f219fa4251764b9e754fa6ee08dba8006b9
-
Filesize 1.4MB
MD5 353c4d049735d64d6a41d76fbc785d81
SHA1 2f8cf02b31a64f2ab200f44f6c4abcdcf6f51ad4
SHA256 5abc5f577ad3cad73b9aec80c614eda05efc436fabfb2031aade82c437503a5c
SHA512 56289f5c36d85a46b09e0a075ccd7c5b8c5e5a0466e9f2a5b59f58a304574a457f43b28ec293f2ec67708d05c70574630d76d7b4d49b1dd9cd54994c526f478d
-
Filesize 1.4MB
MD5 0e8f1a21d23817928bc6b7c0632d768f
SHA1 f0927669a5e10663d0702012ea2d6e8080ea33f6
SHA256 22ea40ed9538ba8246d492ae53b4f6b947b51d0304a2119d2fc017e01238b949
SHA512 b010a605de9c580b1cf63ef71adfa613c12b8c1c2b5c70931b9ae810adfd06cfd0ebed1d2b18871541fb9332f7e87d6178f5512d6300c8661557c317de5d0065
-
Filesize 1.4MB
MD5 66058c36c9fe8a8f08b61ed8c9632dd0
SHA1 a45deab527e6d47dd04900e1b6209c3f60af205e
SHA256 fcd249a6d1988bc515a1d36dee9e273bb51497353547859206850791654ce6e2
SHA512 5dd09f37e7befe46bff267a5b3ef326579fd9b734cfe3544a5ac1c5d8f04ae3aa1b7e541ea56d315d8dd9c1c4f61550a1ef25dbd259207ab19ead869a9ee97dc
-
Filesize 1.4MB
MD5 68ba98eecd6888eaad465f22391c51f2
SHA1 90d1a9b66ed6d6cae81e92c7d1a19c2f0c0b42ad
SHA256 2e6f76b0d1c001454e05d0e85c40ee11bb592634e873e062ed20f62fb5703fff
SHA512 1b0d92d570e1da0ca32736f94bc4c4a5d8d0ac89b955fe8e5f9de97e136b784894e9093dcf83099a70e687cde06551cab5b5a3d3102bdeb613e0454fabef5623
-
Filesize 1.4MB
MD5 59e827f25d62fa32adcab948f489f5bc
SHA1 ae90ad43966e4e0174a08f52a6a1548a7686f172
SHA256 0b8697e8bcf1782590dc1dc4cb6c4eafda203cda2888eddd7314a8959709be43
SHA512 c22261c81a15afa32fcdf0d5bf093cd4e5d7c80c5432871981b42979b90f2e61206afd7df0511757df2ed606d2e5a997502d9a8f2240df57d6cb3e06445359fe
-
Filesize 1.4MB
MD5 0d1de5fcff1f9ad22928cf4af61c839f
SHA1 6b4a648dba457715d291f9ddb889c19692aa1a9c
SHA256 0d94c80884d32418bb62294d4ce1317d85d47d9295af01c9b2b19b13913f2183
SHA512 9cdafe13f94aa5d8c0b105b873e3c148bfdd8d557f308df1cad4c448d486a27e84572a6cecddf39232695ed89fb2b27939a30bcc35376e9f4d31b8dfee2d07cf
-
Filesize 1.6MB
MD5 10600291ad95b436f5d6651da7516ba2
SHA1 7c40028fb1cf1795118383edca88ebbd7e2a3ba8
SHA256 dab816dedd5d12bc243ec7ffb8ed6ca5c0258bb2f237873dd5c6e3382b353632
SHA512 5d2fb49f17e1d3aedfd074c5cd4a998b34462f0fb622e3da79a5d36d9fab9a9dd2c359ea6a3d3ed015b47f4d6759dc3a12eb9517647b200733f5f09bca189fcb
-
Filesize 1.4MB
MD5 3b0b4e36acfe61de02be9179a09585d0
SHA1 b63236eeb78f651785c8a305f12e3fdcc767e489
SHA256 a86160a5022e1fd4707c887f3bdbc5034ecd4cfc406b68342983a549df26cfae
SHA512 c3c008f3f88eae4317e81b61abacc6507d4f56003ec1a717b8e6802761b07e1dcc9f9fb6b971eff54fdc94e599e9517bf73d45f11b0dc2081379ea1c695127f8
-
Filesize 1.7MB
MD5 ea5f3942131f0bc02b6c78fd20254f3b
SHA1 54340ea82c13f48a5bf78db5daba9f9a50b246b0
SHA256 52ddd3a924034b18f9b9adae66060f35d45d4625a445f9de502e0ad7a33869df
SHA512 c907d146fb18b1c3e19f35772e1736d3a34eefbbdf25bd1e189b964d32174c8a2c2df78a6fd368e22b7206fbe8f1a5feae86d56b5c7c52315332b36897e67e13
-
Filesize 1.5MB
MD5 60b8146d43d26c922d136314ee1856cd
SHA1 4614df1b3aaea8d7b6b4601fec42e8ccc3cb7b95
SHA256 aeaff1966d96689307d2c3b5c00d63e6915a2c13dfd9ba88144a47f81b6bb695
SHA512 96c8f8c982a5dece55ea7467745f4c99c729b4f5c80e635602cf5211e5a27d63760d89b6ecd859377da4d105043dd746ce12b4c98d7da5f4c1ed6bc37a9fdd9c
-
Filesize 1.2MB
MD5 840a54a527d634b6bd3feae9d3b8c91e
SHA1 6a322456c09de0fe11e2b5f6618716ab429ff575
SHA256 4f9200bac6781c2ef7bc8adbedb0e01250c0fe1bb5164fe869486cb59d107e1c
SHA512 07f280d953231c0ce6435bb442466d89ced2727f3916495f447e3682f46537208b66395c83ff5bb3ce81526e065ff3477e13703c8beea25ea253f2c68dba80df
-
Filesize 1.4MB
MD5 29efd2ee7bf3ed332d67d160899536a3
SHA1 ce2a3a1abaf732b725aee6e500e696f2d6a63f62
SHA256 f892a43cefa38e567fa2af97ac8e72401d2b94345d3cdf4859d203fd60d30921
SHA512 4bc39961dacbf3c1a8657330d63fa145eb40e6428df4fd0872cb4b229ea19560ee699cfcfd475ca002233a0a5204f158119966ac1df92b42ba6110af139a4d2d
-
Filesize 1.8MB
MD5 296be9239a8423d460d72cef2966ba72
SHA1 20bacaad080dbcb942e3e199f668e228eee06dfa
SHA256 70f1a99bf5478cbb899b4db98f375b783a854e62b958efb7499763e997c758bc
SHA512 db66f66ce3a075026c5e37a3085706e505602ba30eaf8432fe29c8f654985bccad3ff3e93037ed84efe732195c77f0213ddf0a91bad46465a25de5bffa136bfe
-
Filesize 1.5MB
MD5 9fc565314d2e1573bc67e36f04d46d77
SHA1 8b28d970508067b4fe207a63b5d7fdd14cb48e12
SHA256 1399eb2fe16cf42f0062551b6a11e2de54e7fe9f4825b331966034d8060d33cb
SHA512 8eabe3eee09d24263f45682d7f4bfdcb47278ef47ea11afca0174107489c6064af08251f2f5a88933b9b58027fbcf2c3df9dc8ea58d2c4dc367fc5755d9820a2
-
Filesize 1.4MB
MD5 f2d9951cfc9feeb2a0c8162e3a02787f
SHA1 989e37251ce0af28e2b22f2cd4540e055d4c490e
SHA256 261afe47533255f1ccc46d9a766a768cf1fe52d6cce067f40ee018bd2b556aa9
SHA512 10b1499514efe202517de3a490cebcff8680cc061b15701f863e0fdeb1a5706293ab7c41dfdfb1ab8b3b2098cf709e276754f84db458be120c417abf7bb29c5b
-
Filesize 1.8MB
MD5 77e45aae2b714d2c30fa68a4e9be3105
SHA1 b757c5b34c94b662083852d1c0b96a9b411a54ec
SHA256 9d3be8d0d92f980d503bad19f4322ac62696006b8c7d9aa81c1e71d593f66645
SHA512 014e6e5a70cc21511c3a3c82c25f906cccfbd56996f74706c187208147d518a1f88b2bea5f0e20fa46f6b775ed68d9a277f793d85815879d0d689c2bd12dba6c
-
Filesize 1.4MB
MD5 061d105d6879a67f1462eba71b569a82
SHA1 9a15eb47ebef03c62e4c38316ef7f92e105ab795
SHA256 b460284a95cc1df959ed58305832f3fd9b86b63e8b73b840b42b12ca14cb48d8
SHA512 0a3127eb6a0db84cedf2de985ce9a5b8d0e4e83ee44623f91439f40525f7dd7192677ca4544a279a311e4c155c66d787ecdbe5ecf8652465306b6ca8c207d169
-
Filesize 1.7MB
MD5 85bcfccc2bb7201fdd2e1854b87dd17c
SHA1 6d56bd99c77572bd71d4ebc5b3408d90404b01b3
SHA256 7d350b2d359159a139b4a08d8236c86283689ea49351b0c1614a7692919404e0
SHA512 44ca89fb4b4a8ab9dd68a0c448706e3be20f644b3dee8f836f378e44c08d83e8de9e291144a97c968ee4cd94dd543997179a8929b95afc937c91604c3842d744
-
Filesize 2.0MB
MD5 cefdd72fc233129c292aaca9a27c37a7
SHA1 1b178d1c74d1ea3488da844acffe0aaf56aa3d71
SHA256 8cde88a21175e413e973cac8151d371ffb67c3b9ad9286793191aac7a917c780
SHA512 1af488192110f50ae8cc565a90a067b3ead41c40d2baedbdec4da4b4b2d27ec1fa3c730ddeba34dd88195dc53fd0ab5336b17dfd9181f10173ad9a9e7493bf53
-
Filesize 1.5MB
MD5 b524b0a177d45fe6cb16658b95d4390d
SHA1 db7ccd67d45f25dfadc51678023b3ddeafc64db6
SHA256 1f6743c7555d19f1f24dd1a119c8442f5bae16e2361e133f58d5a6ff70e98876
SHA512 892fa928be181f03727ef91ed487293b0cc8273eb1d5507a23e46a8d6793ac42a476b665da1556ffc1ac4320165561595d4577e36e23829ac9f56a24babad6c2
-
Filesize 1.6MB
MD5 af8ac891bcfd1d1d6119bf8db95ab0f1
SHA1 5c25117524ea71c3b33291239ca1ee276c17381c
SHA256 7e08faac9d13f780b64cf7edeb6fd0d340e00c878dd54d6c65d79aa3b008a9d0
SHA512 03c542d14e496cc6bdb3b44c622c5a3aceed25d2c8f5ca5024952292ec29125b9e5d704289e3260fa264e1f00f6c6cc3a58b8768b67649f2d7419152fc3713ec
-
Filesize 1.4MB
MD5 6293e5be32a672018902e04f3f1b455d
SHA1 cfc00208bcab0750dcfec766e306f2d743117999
SHA256 b6ff3ed1711852159cf48035635dc7e6d7f9ce093afb6c79471711e413a0284e
SHA512 bb7d8b8be757a2a6b52e9f414cab59e9bfc2add3d46fad8822a4ad7695c0cb34049551eed42d7eae021e18acaae96fd44fcd052c5a3fe15f4233e784cb697506
-
Filesize 1.3MB
MD5 54950f8b39b69219cb53fa6d868f521c
SHA1 832edea8226ea2c96f8ba564bdf0a8735cbd0145
SHA256 7c09b2fa2df79a484ef0f4918143ca5d5db9583069f62b203bb3b1caacc18638
SHA512 704e3f042cc4eb3fc4afe88ca1decdd56e9a89d834fae0173ea47c3f722057694e40dfb5d866b25671d31b961064e3e8f58ff049ca0b93fabae6a1842d0905c6
-
Filesize 1.6MB
MD5 1ddb28f3ce8930baf8a1e33192213fa6
SHA1 c52abe1cd7fe71e2132cea75d39223e0bbfb3c51
SHA256 f006f18766e11e6da398f0ff0c758ee7269cd5224763f6ab7cdd740d9b2ead7d
SHA512 5b7057de16e04595a0644a295150c2446f649df73e6e8bdfb2b74c5b6e7f7254818bbda69bf133f8930f32a16032d8acfa087d01857cddb5cd9777bcc731219c
-
Filesize 2.1MB
MD5 11cc1b516e2ba102eab6368a7aafbe6f
SHA1 0160fd4ab9bc01fb14059083e461dede74fa6eaa
SHA256 3c51738746a542910f13c50a1e5d201c764e799dca8c2aaa37351942f19c1b27
SHA512 664bc94cfa590fbf42a17d93652d263cd70aabd0e1583cccc62f3fe0e23699cb87bb603b649518af5562e5b414fa636268fdec794f9b568642f13f116da9e68a