Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 03:57
Static task: static1
Behavioral task: behavioral1
Sample: 2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe
Resource: win7-20241010-en

General
Target: 2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe
Size: 1.9MB
MD5: b06c0b4fa27fb529f88ae2d0fedc528a
SHA1: 24cab86a199978c43a76852ebd5ed53d9855444f
SHA256: 8a84c07c0250fec425ba1a5aae1466cb03b0274a520e400abd5de5cf2e8021a6
SHA512: fda6cad8b68dc5df0ca037780d3411978b650d3c4dee365e700db5656f66055814a3da8763ca1d7d1d53b99f450d8d97744e0926889ce0cc9da5ca43720e258c
SSDEEP: 24576:36V6iC/AyqGizWCaFbywatr0zAiX90z/F0jsFB3SQk:36cMGizWCaFb1aB0zj0yjoB2
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
3312 | alg.exe
1984 | elevation_service.exe
4224 | elevation_service.exe
4748 | maintenanceservice.exe
2056 | OSE.EXE
4176 | DiagnosticsHub.StandardCollector.Service.exe
4236 | fxssvc.exe
5016 | msdtc.exe
5116 | PerceptionSimulationService.exe
2260 | perfhost.exe
4712 | locator.exe
4808 | SensorDataService.exe
1288 | snmptrap.exe
4292 | spectrum.exe
956 | ssh-agent.exe
4648 | TieringEngineService.exe
2304 | AgentService.exe
4408 | vds.exe
4708 | vssvc.exe
2296 | wbengine.exe
3504 | WmiApSrv.exe
1184 | SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\bb9f1dd1674cc675.bin | alg.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
1984  elevation_service.exe  (7 identical entries)
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
652   Process not Found  (2 identical entries)
Suspicious use of AdjustPrivilegeToken 42 IoCs
description                            pid   Process
Token: SeTakeOwnershipPrivilege        832   2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe
Token: SeDebugPrivilege                3312  alg.exe  (3 identical entries)
Token: SeTakeOwnershipPrivilege        1984  elevation_service.exe
Token: SeAuditPrivilege                4236  fxssvc.exe
Token: SeRestorePrivilege              4648  TieringEngineService.exe
Token: SeManageVolumePrivilege         4648  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege   2304  AgentService.exe
Token: SeBackupPrivilege               4708  vssvc.exe
Token: SeRestorePrivilege              4708  vssvc.exe
Token: SeAuditPrivilege                4708  vssvc.exe
Token: SeBackupPrivilege               2296  wbengine.exe
Token: SeRestorePrivilege              2296  wbengine.exe
Token: SeSecurityPrivilege             2296  wbengine.exe
Token: 33                              1184  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege      1184  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        1184  SearchIndexer.exe  (24 identical entries)
Token: SeDebugPrivilege                1984  elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description                         pid   Process            procid_target
PID 1184 wrote to memory of 2780    1184  SearchIndexer.exe  137  (2 identical entries)
PID 1184 wrote to memory of 1844    1184  SearchIndexer.exe  138  (2 identical entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe"
PID: 832
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
PID: 3312
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
PID: 1984
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
PID: 4224
- Executes dropped EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
PID: 4748
- Executes dropped EXE

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
PID: 2056
- Executes dropped EXE

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
PID: 4176
- Executes dropped EXE

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1432

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
PID: 4236
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
PID: 5016
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
PID: 5116
- Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
PID: 2260
- Executes dropped EXE

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
PID: 4712
- Executes dropped EXE

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
PID: 4808
- Executes dropped EXE
- Checks SCSI registry key(s)

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
PID: 1288
- Executes dropped EXE

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
PID: 4292
- Executes dropped EXE
- Checks SCSI registry key(s)

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
PID: 956
- Executes dropped EXE

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 4460

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
PID: 4648
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
PID: 2304
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
PID: 4408
- Executes dropped EXE

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 4708
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
PID: 2296
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
PID: 3504
- Executes dropped EXE

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
PID: 1184
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\system32\SearchProtocolHost.exe  (child process of PID 1184)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    PID: 2780
    - Modifies data under HKEY_USERS

    C:\Windows\system32\SearchFilterHost.exe  (child process of PID 1184)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    PID: 1844
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.1MB
MD5: 2c4a03545c6ad18545b6d70bed32afd2
SHA1: 578e7755032743c714ea60ccba5babb057ab3fd7
SHA256: be43bc420cf01ab9d077387a6741ccda46dda472b5529073f071e126dd989623
SHA512: 0a9d83c7d834865c9c6a21788dfe6628a64f8c1056c3872537a8ee6bd128071d41eb5af71f6573856160e425ebd2f70df387a5188392d915322fab3043827e6c

Filesize: 1.7MB
MD5: 589f57f15ed7cf4157f08fbd2ceb48f4
SHA1: a92aa2d00875941f50fb021a2b3eb67d8f9054f9
SHA256: a71a32469646fcbdd003032cb369725377b244577683c5289bff9b709fd20e8f
SHA512: f3c0e58fb9c8defd1467f1c4800c67ec3b1a02d69a69c23a4e62a7a39c57862491f63340926c04842cb16681e98b193a95cc4e87e91ac307459b59cae65aabe8

Filesize: 2.0MB
MD5: 760bf9bf7dbbcf8ef20d360363b56761
SHA1: f05ab5614a25b6091d381adfcc29d07a5d2e3868
SHA256: 7bcb16efc89bf761a4578c913c6ce4585790fe853f3aed9f2784eaf122fe4e28
SHA512: 417829a6e0a593b5eca479feb0d761a21e6dee801bf63290808b5bf5b33286a2c5c348a3502bfb197002636ab849310de8737c55b5f88581ed1daadf2b3517a6

Filesize: 1.5MB
MD5: 429810c5df6c03cc3b9be88a6fc75a39
SHA1: bb3d2aa7219cdc40a7fe07b702b74d98de3967f7
SHA256: 18b1f737046780ad800b77b443607a22e1f008d0a0b6ff9ade53487f9a839ee3
SHA512: 7c90ea787a001e5a533b312f3bccbe07ee5abb241abb4ac9be8eeaf64e80899a46ff3866dd856fc5b2f8f9e40822e8accac29e394a174e134640bc6f977a42b5

Filesize: 1.2MB
MD5: aae97a656b5201fa91cd467a6d64a81e
SHA1: 464febe387247ceb9e72ea9df986cb651e652c63
SHA256: d431e6f9e6ecf80a53ebff7337605b41b4b6d09cb5b4d6bda92f0092554da273
SHA512: 4f21a92ccd9cd8bd4732633e126033043241c53b4c9e36c740354f6a80a6555e31e994a9eadeb3ec5591d3151e2882732a96a33460134b27e4b6846dc00c80ae

Filesize: 1.5MB
MD5: aa30da41f721a539134675ab426f9ca6
SHA1: 5d465a8e1a61071c51c17fcd94155ecf27dce5cb
SHA256: 108fbc94904b87a3b63d258b73028e728a96c84f2b7beeaf64874fc8d505c5e5
SHA512: 0f907f8c6d0f73ecbddf0a844033c97ac63dd9d5ec7805abd1a44681e14a855312c2b9a2b441c2ffc0b423374d545a9cefe6eed10439b48964e758a483064b74

Filesize: 1.7MB
MD5: 76137ef0849eedf5ba1c4b7c898b686e
SHA1: 232f78959bd123b33aa9e94925007fdd8901b0e2
SHA256: 54f01b99ad2958e4f45047f7a446fcc534a13d3ffbbb0da575a18aff66dcb9b5
SHA512: b581342354396ef8f6d91c7b763e3f30f481ccad5bfd172586a64cfadd05203d8e784e6ca94a52f02c373d77690eac0c6a6b0c40f6c490a8f7f73781fe55c82c

Filesize: 4.6MB
MD5: cebb179af426a29b3c7c62bedb606cc8
SHA1: 190cfb09e585c4bc1fecb24418dba5a019ac3571
SHA256: bf8e2abfd73ce4a32f843ee395dfcd44ca7c75abcb2685cee899f8a0ca7cf21e
SHA512: 98dcea816aea5eee41ee479e3a8de37547b7d4a2a8aba440c93d66073b93b4329c34c84ed57d0c13b2d74d0ac93854f6996fd3c8885e925d220d69755ded822c

Filesize: 1.8MB
MD5: fd9cd5b66362f75129d6b3162bc0843a
SHA1: 4aedd627f0a96b0c6b14ec8bb9e803fcb73d47c7
SHA256: f4b732dee585e9443cd76bb44a800d7734a4b4ae28646c828113765c01e6abb7
SHA512: f30985689f30db3e0c4c855f6518d24a67a0e7990f30c71f3e944bb4b7aa537f0a0f2d42c8960b62e48325ba956836e283f2adbb26526a151ff13e8f86276d37

Filesize: 24.0MB
MD5: 7c7b74323607a45ffa4daa917e13028f
SHA1: 259b66ee8b2badfb7f0a3ae2cb7efc1ad884b27b
SHA256: 8f5dc1a2a40b474e1a3389ac84a135aecd05a768de58c2d81e90814adc4ed9fa
SHA512: e93f2cadff783a4347370e11398ccc9cbf6fb0c1086e5a8689c53a561bc98cae7e5dd114d9720d9573977d8b6cc13b19d5f59804d50eabea9b25ede4659f1851
Filesize: 2.7MB
MD5: b53ed81dbac26725a4b0ccdb6ad48354
SHA1: 13d0b2b63978ec1fdf337454dff7cfb026152f27
SHA256: 0818c91e1a6637f9e0190289a359a3ba362b82e860dbdc32e45fab2637d0228f
SHA512: 6805108f40206d50faa36458c7060b5d4e359fda5fbdcb9c92c0eba5f1dfd85c4c31a4f3578c4eeca95eaa028a37e08bdb68a9a6874991912affddf8428d8fc1

Filesize: 1.1MB
MD5: 9c677ba6e335a21975f72e76f3f8af21
SHA1: ed0847b86a8ecd5a40e12cce7fa5ca4955121835
SHA256: 25d1069172e2f25a6e183aa393efbd10ca3cbe97c01d27eb94d1e0ef725d1ce3
SHA512: 81e84c61d00f660a78975f6b9a03a36a637a133fb58083e214496db30b01c9db3619137b463f659373b96b34e9e6c1614c2570cdecf7d1bcec6cb915d92700f9

Filesize: 1.7MB
MD5: 31e99d5443ed5f43071355770300f7ba
SHA1: cd42509359ae270775df8eb95f3f0a7c4eb69d6a
SHA256: 1a3ef6c5e7f372c92bcb1ab28f549863e16a6652e25d264b3fb84dd05f10a1c8
SHA512: 5a368626d0918b9c05cbe5905c3e91fe8e5a1b9c66436b6b9cf9771ddd2eb9741589d05c7ff463e93e21a4a4ac29c86cd0b10c22c087bddb321ee80a4fd11837

Filesize: 1.5MB
MD5: cfc3b068aac832bca741b7263a541667
SHA1: 1ddd00d19e78bd6a492a76dc53a44736e8866ca0
SHA256: 7c6c38d3788948ef39753c5c1f2b05af312f8fd0dd846ade721e36258cb9dec5
SHA512: 19a123727ea13fa9b772fbcbb1788cd3a6b64c5d1416e5edebbf14115cd0483eaf51f77e7569c70790b3a602572f4c506b3eb8f911db5adb860866ef10d4705e

Filesize: 4.6MB
MD5: 6ac68686511602d1a101eb28626b035c
SHA1: 79a7f951767be233c328e9a3418063fc05b1ea6f
SHA256: 09bc6dc4cd634fccf48f53e540741e30a93123321faf0eb6784d0d8e85643faf
SHA512: f971f0d89201f21ea20e60006991fc9b113df13fac50ccca17a88b53775e2d88777c695b39a2ef1ad53485b2594f8274780aabf37e3301b21b53c66b599016a3

Filesize: 4.6MB
MD5: 5899c5d77bd21ca82b960e06807d4ebc
SHA1: dfd91d4c87b465edd53f7366b44c20381390915d
SHA256: d19ad4a1d1722e91f2e513180e984de9ad772173e46cbdb681a65f5a10ce9b70
SHA512: 8c86b983fe5d551b87bec324ad6b1ed5ecdb40f8117af35261a654bbaaa0c68a315a5af17b0ff00c1ac1284554bf1897da1236c479cd501a236d1a4e0087843c

Filesize: 1.9MB
MD5: 752e065d86b5b071f0ece7a117819b83
SHA1: a5c111a0494b771e3238dd0f036518be145b0efb
SHA256: 39138edc99546c6aed36e36d1588bf1a45625d558b152486d4369e283754b3d6
SHA512: 448affd4dfa544cded897c8f00b1825b7eac90c126ad0104016ef88d962c32592e4fa09778de9cfe1d3260acd43af0ffe416cf2fc608c16abec2bee0660f87de

Filesize: 2.1MB
MD5: 23c45488665414e967b5e7715fdf36da
SHA1: 4005bed3b2f0a4d51875305794f79fa2402170f4
SHA256: d7a30aac2e0086a90e5217c455a0c68c6bb72baeb8f11050eef8d94a9011d66d
SHA512: 0eb8a17809ea93763ada0e49e40b3554e0c3b061ce075440c5151cc4f48c09244d2403fa4a2b39b581d8e3c9aac83d3a8da5fcbd1489db0f46b2be29f51076dc

Filesize: 1.8MB
MD5: 77dd3250d5572214effd24d0373847d1
SHA1: a20fc995402faed792b5cd89775c18ee00389e71
SHA256: 29cabbc7c08c31000f4751c4b5f62cf86c9612a9b84a31fff650beeeeb7f2fb2
SHA512: 76b8211b5ec4fd0a2af67e332f6d73787614bb1873b15bbeceb68defad59a35fefd26c6cb6f4f53d49fe5cd410ff4fdf2518cd2b44bc0b375316cd9fde4730fa

Filesize: 1.6MB
MD5: bd8932a0a0e7b3faf0240c09edfc62a2
SHA1: 287d96f13f90ca5c8614a8ee42739733316f4922
SHA256: 6c4c10087bb28f21338ff3ade10988d9104655194d2cd57292514668d588f8b8
SHA512: 46dafefedd019950d67a949d9fc3bd061f398f25864e3a8e9e38fadd5ba5b06658bfedf732a0931987c0fe676d8758d557f13182611036815f2d80aaa3139bcd
Filesize: 1.5MB
MD5: fa12161d510c634846cc72a82e842ab4
SHA1: 21d939d0648e478d8067610290dd3f6fa06ba8c3
SHA256: c11d96c4b5eb59064dca7d26cdccbcfb945988b81e3447b189a56d79f3abb6c5
SHA512: 551baacf40f940fee65e1f1d2ea57cad65ca08ccb5fa2d049982959fd81e41085ffc0eaa4fd51ce3952f9cea1118d57ea3201e8f9b612cdaae601b6dfa5bc92e

Filesize: 1.5MB
MD5: c58b0e0a00545b2d66006b588be3057b
SHA1: e5fc5356e82bf43100eaeefd84c92fd65bf57af3
SHA256: 006ff9f63be5db4c9463fc0adb35bb63deed4ce2cf1f04496058f8ac2d2e6a2d
SHA512: 4ea6675f5ffcc47301b0f89be8ecbaf1cf4fca631e26436533ed2ba98724c8ef6ad412815573eefd469302e5360160489ac289b8b050dbcc343e37e58b4a1977

Filesize: 1.5MB
MD5: 3c87b2256071d1bcf4a9b07d8dc59811
SHA1: 34094e67d9abb0b4ba0d7f3ae3047336a8de765a
SHA256: 4af07866969da5eb81a0300fc3894ef8f5bf5ad6649c19391f22972d70825dd2
SHA512: 0eba61f51f56cadd899401af930a4a609418b45f0afec84b761e57d27f46954d8043927836288ee494ca2f6d3bbac1ce97fb206fca9d571a0faad4d8484adec5

Filesize: 1.5MB
MD5: 709458b04c8d48387d39f801c561206a
SHA1: ce413a51ed02596d3ceb0d69d100fabc7b7e52ce
SHA256: 34eb1b28b5b7003f6e8a44634147e7846a1fa103c13040660e5653963fc16f80
SHA512: c337d7533a482f394fff9de34c2b59d689366ffc7b43aefed10637e38291206e9d8615f17b004c636a19514b12150fad532f8bca6b2e10619aa1f74275299121

Filesize: 1.5MB
MD5: f6ab221babeff659601a24f6c9f633a9
SHA1: 5a34ed318983537b3c035d224d486cd46aeb0168
SHA256: 1c471d35afb08625708818b1d24f9519d1efcc515c8fcc319f8ad87660919e9e
SHA512: 7d7f7313455c1c23cc41f043ac6f6a274aa0f8366bf7d3e57d38fc5e245a2419c9c0d5ea386cb904fa59acc21e32d6fc286cbbd5782cc6900af64b34d75eddec

Filesize: 1.5MB
MD5: 013ae0c21d68e2ace0e69ea166fe9350
SHA1: 68bf07a2729a519fac0b1fa1531bf71a2d2cf11c
SHA256: 4383d70f66cfbb5fe8246f0c3432797a408f227760762f009d9d1ae93c0ad4c6
SHA512: ad6184bde82667afd51cd3520eda2dc66631b70d4fd0faeab66dadd4091f769033083e42e127ad609d85ab33520581621899af871235ac168ca5b9811ba07199

Filesize: 1.5MB
MD5: 7de83f59c7372fc1bec24a0cf41b50f9
SHA1: 56cb844e76b7f58344ecd749c5976ef5c57a2fa8
SHA256: 6396c70319ecbc46462cf778530a5214955bfa409cffd97cc4c6b52d9a898d4f
SHA512: 3ceb84347cc6ea51a22e70ffda06e192d1204016e2c60ef15b45a771e8e988c0648184f208048bb45e37eacd4e867d16136f7419099c203b5bef96614598eed1

Filesize: 1.7MB
MD5: 582e91f22fa727a11556975796af56dc
SHA1: ae63020bfdd1e0d367ae8362b93475d5f8a89843
SHA256: 24ed96e6fb998e65d56fa8e1d75a4aed2f54eb47cdb7f99d3cdbc864a319dffa
SHA512: 56ff3ed4c7d1b1a37b71bd50fe3493e004d2f3dff44a67529d9f5b3d7c2503444a173cec132426e4b5786277c1cc50469225ad3322c2362c37d086cad1792484

Filesize: 1.5MB
MD5: 1316243735711c8335eec80d2e92e537
SHA1: 7986bb41176e0cdfd3dad8f65d8fa5bbcc89d030
SHA256: 10a6ec80259f2fabc9fa51292b78882554c727a0ca1b13fbfb7ff974e257e5b8
SHA512: cae8089ffadec08dff0c8bb32e7cb8ad6988194c1d48db39f21d66604bba8c5b732f687a79bc8ff436995d3a6a2d9eff6e5b89471e520f991bf091b2e88ab829

Filesize: 1.5MB
MD5: 0105abe10c5d060559fb49c57033b3cc
SHA1: fed5cf56367f79fcad161961320249c9fc87ff66
SHA256: d149ed321f3cddd0f5b376f845067e60579472754d5a23365dd9708bed2fa67e
SHA512: 9fe70b7762c7852fe78e0acc5e46f819f2d6ab7123a399fd74f7ddbe1fca1a670cf13964963999d1f07b1ebbd79b0cfd5ce231bd230a3d7b5ed6de04fbe7a899
Filesize: 1.6MB
MD5: 25c1c9f06f09d229f46abf847c3bb3a0
SHA1: 3ad0bf2945afdd772300819add00fd6fcac7e4a7
SHA256: ca6e84c267c00f33e619fb9abd8510c7085fde3339e2d2f82e6c3f03c40137be
SHA512: 591eb21ff873cd90e84d327ecb8bd0e77e6bf77241ba968ad55f180631b47d8c76ef48f17e531d7580b0170c53daaf6c096a009a34b6e155d583754da02322b8

Filesize: 1.5MB
MD5: 40fe1b9418a28a01c8cdd7c28965ac29
SHA1: 0741b62fc8e9820386afcde67ddbcdbaf67139a6
SHA256: 4e26bc2e7e4d0bb8b5273ef59bf3ef66fddfefa36b8decfea3acd0177269280f
SHA512: 4bb3cfd00b96e93a2e24b4578b74b1c329027ad729076c677187053f38dbfb090cdce4a5fff8490ea3e3897d4c7f71fd4aef776eb7b3880ec9f3cb2eab8fd97a

Filesize: 1.5MB
MD5: 11af79f241cf87fe97d62d48df7cee6b
SHA1: f1f0a094ac65b3d75b1507d66dbf8bcc4a3c82db
SHA256: 4a14c8c2b05e8476534446f88fa10dce33aec43d40fb28f2c56dd675abfd44d9
SHA512: 507828acf3d56322aa785f71cf1c570b0c5f2b032f0687fdf4fee6999e689a75649810c12ea563039d964400cb580789281248a19bfcec269a2a2078f254d80c

Filesize: 1.6MB
MD5: ce23a872a0bd316caf62b8b1455f1538
SHA1: 728cf749bf2bf43718882c00fa15b229dcc36d9e
SHA256: 52ff2fb256384dc4cc18021c6e74cffe8c358e9c0de9570081b9083119cf92c5
SHA512: 765a7327e7959a9b3e2ef69c658b2cde173c420e4750eabad5b2aef7d5cf6f5fe5f733c2db536414fbbb90a39741b5c3de5a74a7265968944dc1b5afb43f4df7

Filesize: 1.7MB
MD5: b67f91be0841709809cd8bb7ff3d25e4
SHA1: 690431c93962afe08adeacccbf9fa915a71f2e04
SHA256: 4db2b570e8eb48cca7f827dd725476cdc1f4aa1b1a371dde36bef6c09151cee4
SHA512: d88dc3841d2d1b622bacf05f2db87a70803dc4f8fa19059ca1ab02067cfeb67b026a203826e3eabb75a9f6d104e8cf467c4920c0fc00715f8ede0b8d3c9839e0

Filesize: 1.9MB
MD5: 67b1a331210eeb859ccf3bb0d13daf3a
SHA1: 4743b1b324e67ed3527562ab0577be3e596b36e1
SHA256: 5d6f60ff7019654e2fd0c072cdcdd8375d2d622be558ddc42d5bbabac30c6c5b
SHA512: 58a276554e58e19295ec36982b451c195b0a971e29dbb4e92a7a92d9b08f8fece68c240d2094dff5e5663e9775c949ff32e553af5f02f36e2de5f469aca85bd9

Filesize: 1.5MB
MD5: 940bd96bdc0809b9e24e00f758a3a4d5
SHA1: 845b19b989cd3d34c241c579a2deabe0970672eb
SHA256: 750ff86637a5f9d37d162acb5782e29b4925d833201de3e6d6e1f7700d0ed555
SHA512: 3b8db963d91a2cd2fb311260cfb95fd255d6b5f79caecd9408bdf93b330e37efdb63c98681c394d748d7e1df2f91b820524e5e597dbe21b75af8947efd5f4272

Filesize: 1.5MB
MD5: 902553b9eb699e06f29f7c308abfdac9
SHA1: 09a2b69e9b0e48ba50536338aae667911abeaa7e
SHA256: 0e21ca73f8b8b320d8e92187ae476ad5c5f156ca559a001bbafc2922d7275566
SHA512: 417aca9e59febff1c758fbb0eb4c69bf7139160ca41445f0065c1e0d490a37b859d28c39ec3af293edf2bdd11909ce14ed7dc111c3fd343f2de8d445e53beb7a

Filesize: 1.5MB
MD5: 4d5e741d5ce1dea9ffe7bed1bd9aded7
SHA1: 2c9bf5a78251bbb0afcd9aa5e7cf3a2a0f26beaf
SHA256: 68732d2a7c6f658ce419a6f0f2600bc3c105d15adcdefc8d2daf3f7ab554826b
SHA512: 75e73c6a85ce9a048428ae3b84d399a21a156ac845861550ddbbb0a01aa45eed6d6a4a8bce07e253eb11368a9ef90fa2fc824531acbabcdea236edfb0ac49046

Filesize: 1.5MB
MD5: dab339594c5b993942ff347f459297f1
SHA1: 4c2ec9acd67c43615f9c5dad74beae368df74b45
SHA256: 81f05fa684cfd9b0c0bbdec7835e15242bde0ee9a7596445d89a5d0e0805234a
SHA512: bb0e82d5f53281b55dbbfd9c11dd67b09edf2922b6295fdc134bd5374721910700500c4622e7ff9a882941453db288e779887558522643510372c248475662b5
Filesize: 1.5MB
MD5: 6955b4f551c2ae6fc3c97a5819c6d588
SHA1: 164d4d14d487ab5a300a1b3f481ac307175973ce
SHA256: 8b96300f04fb107de8f5a64adddfa759e718a77a41c51cb2aec15997dd846bae
SHA512: e5d19604598f99e134f6f9d2e1d6b3a354e055028cf9c83a4d5f5a4d1f20a3ff2372a0c17dbe1523c3c076c2f92becf2a909be9ffe9ef78ebbeeae9aba0da199

Filesize: 1.5MB
MD5: 49f8890f68d4982def25d314927b8be0
SHA1: ea3fe9d0f6ec80b3a5c2f94fd1da0ca33c37e572
SHA256: 3363ba6d9798ac8721dad41fc5e48aca433db3f0f33570dfc9ac16cb387c74fa
SHA512: 439113b3ba6fb0edb0cde34c6dbba7b7e8d71c22dd3f36202599c6b1fadd48011dd555acec779bec3b4de7031a9bfcb2a5bf25376250073b7e51b91d09a75557

Filesize: 1.5MB
MD5: 59d9b7778fb9fb3155b8b19b91930679
SHA1: dddd50cd77d096c3cb1404b6975663d227b5ca4e
SHA256: f1a81e19edbd236d2516e2c97533f4e97c455236314ab04eb7fca73410377659
SHA512: 7f83268047b8cf19b031e30d57ac2fba0001bba6b81def63cc1c5966fecd2ef4e79409906923aa714356565be8284fee9db627f5ac18e4ab879f7aa10214f6b2

Filesize: 1.6MB
MD5: 1b92401a4daeac774e2e7a4010833b14
SHA1: 4a04fe2c979c63c73ae84daacec0cf3ec0f6a678
SHA256: aca5131e80589ba5eab0d91c2b38c1181b405dea643f8f656724c8cbd2d2ed90
SHA512: c8c314cc44b597c943cd3287a53cb90d8ef8a4f305a6747f1172a06bee62877104c541c5e9ee1f2848e3aba97044ceaa6d7523b8ed34c6fed178d451b434558f

Filesize: 1.5MB
MD5: 4ee8c3f3401c286ca037ee594b10c32f
SHA1: c513570d0e4d80958c0aa891858d9c2eb4aa33e9
SHA256: 8010913a4170df34c7437b171aa22e0b1bac2c5096d232ed93974eaf9f7e6499
SHA512: 55c18e155a840e7521c4e09fbe2a1ca6cec0849fe7adc93fbdc0cfb1050a72275ce0436a2a43bc7fad116a6c7ba3d73ca09f311c73f66b8e8d8709fea0d1db02

Filesize: 1.7MB
MD5: 8a5ff7d29f7104a667a2c9cf87b1798a
SHA1: d345480b0389b5b3e080183926c657deabb77a3b
SHA256: e43e3ee9067e4a89c1867b3ee3e23862cc259318a880ce6819663a5c5a3c38e9
SHA512: d03fa6173af7fc6c1ba7a7cdfc77f493cdc739415c6cdb45876cd51cae57570057f4873136beed5fabae84f2c1175d8890e652faec52a4d8db31fac4ddfdd598

Filesize: 1.5MB
MD5: 9685320185f9de5786633b9568e65957
SHA1: 1e7fc375470913f422516120aac49576b7b2acf8
SHA256: 815b2a509b568e4071090c6b7b00b6ad1fc0ea50863a5a77566932bca32a37dd
SHA512: fd1fb422d90286e501ed1b28caef2d97ce5d0bc52f11d08064d7d6863120841043edda81c9b20465965aa4c4584523a22bf9a228eab6866220fbfb6715bcf9e5

Filesize: 1.2MB
MD5: 77175ac9155846b4c68f52ba3dbbf9c8
SHA1: 03510838cdf6903700e09e195d53be01a28902f7
SHA256: d92b9c999702a7a4dde10060316a9f394b9580895a8b6c842aae1040857428a3
SHA512: b839c13187989bb88bbc78ff2d0f6126a80858f999c12492eac262b45d07460f09c2fe6d205056253b69b22b2d35cd26e0996387c4b6d5d7555848937944a413

Filesize: 1.5MB
MD5: 0e722440205864de5473b8471127fb1d
SHA1: c6043c340ddb27c7e2d03a672851eebcf001a358
SHA256: f903c40ba9e09344b28b65fb11e0ee849e57141b241c5ed47d958184c2decca3
SHA512: f990b6dfd0dc15efa0e4ee41658ac4deb58dee319f1273ffd83102910356065ad204b6790434c74d47521d8af10cd7fca0c682a96babf89f7f2e77ac1c355804

Filesize: 1.8MB
MD5: 6bd8a05b6a6accc6da43b5c04961f175
SHA1: 584b9854ed50e6772677430350a5a0e753f6519c
SHA256: 7416fbb62a1cf11fdfa940ffaf23668674f467e49368eb94290e19842bf67bc1
SHA512: 429d38e6f43edd79783812e32deb19cabcdad18fa47cd77cf361e22a6d5a044f8168b60e6440ab52a3cca929b3b8807feeacf20a8969c490ddb237d031c92923
Filesize: 1.6MB
MD5: 44f5f90d716efc481c1642300675ae81
SHA1: 2a76a28b9e2ca0a946c99c3b223f8a0dfe70f93b
SHA256: 5d951ceda4f2e8024c3f750546fec3b5aa68639aa45da2c9bb70be46ebfd7bbe
SHA512: d4fbd894e748cabbaf15331b2279b371f346bdddb3187c302244df117e0005e3c3ce08c55b0e7e0f51422a9a29097ad3f9eb1b9cfe45c77c133d1d678fce9db3

Filesize: 1.4MB
MD5: 31e0cc5ec6cb24477fb58ca19000ffce
SHA1: 3da19968a48badb5a592314457d96821c8921de2
SHA256: 1e965bd796f6d9397468d4d0b1b2b66a820d1e4b6fee5572af015e688929974c
SHA512: e925db7088d57a4ffc92129ec856f43bb2691259d245fa20f48ac78115014eb2efe654506cddd53e829eb6209cda1193050aa55a81c9789d5f9808e5fc1448a7

Filesize: 1.8MB
MD5: ebc0890d79e19a301c26d24f2b429740
SHA1: 43cab3ab75d1458302f82f932125a32116410f2e
SHA256: e082a94f60e8b106be6dfe7cea30360b8e04360a63024c426487c6f6047d9565
SHA512: 231d0f61977ba900cf99f23210e850343d0404926d0b7e3f96a889685bf2c16eae660ac78bc66d350b98bcc25288d0ad9f19e7e1e00a01431708880384cfb97a

Filesize: 1.4MB
MD5: bef6c9aab5231da4c2f0006643563f04
SHA1: d09d8e305fe3f5d56087002a00a08aa666d44777
SHA256: 1aafc94d6c24664609bcbba0edd6a85683b4230f0991ec80b0bc151efc1243c7
SHA512: ab6bf86a9bb7b26c6ea9e7e4499585fa72acf4e65fda2b8fc7ab1896e75f2c46bae5051c282e2f9e13f9dc8aa832af136f35e5038d63fda5fa7ef417efbce46e

Filesize: 1.8MB
MD5: f69fece397b51df8c5eda50a99ea5c7b
SHA1: 2a95c9588ee62024b90414ee6b6618d87cfce254
SHA256: 638caf3bbfdc41f2793794590fdb3c3f09952c6b2ce3a7ed221e0404397be248
SHA512: b209ea646ab90bb1925c80a34b9e667ae1d8fb46f65a40742ae782e2f65a5626597676328b89da91e33e78d38b79407dc5836ea84a76f94bc90fa21a9b446567

Filesize: 2.0MB
MD5: a179396337fdff6b4e0978a36a596b1b
SHA1: 3d42ea9c2e0f6c244fb3a39ab6702197db73ca17
SHA256: e19907f43d5f911250d53e9a8a1a093ff4845bb117fcbff101969d387310b28c
SHA512: 53d227a984069b1b900eeccd2f95ce6082efaf7461d468a286fb42b7d2586beff6796a299488dbeb83dc1d7db4a89f243b561b8a3dafcf5b826dff9e60ef01f5

Filesize: 1.5MB
MD5: 88643217a3cf46b3785a1d75549408de
SHA1: c69b0a4021aab5b846181940d13b7e53260b4f59
SHA256: 4916804ffd307c52fe3c43b5cf3aadff3857d7671cafc487912a4bf252144a42
SHA512: ebf1d8ff433009eec520abaf10a5dc5c72610e49f4350fdfa91ee74c1b5beb80034dbb3a1a4887033bd132b99b0725b0e38fc14c9fadb24890c5a982809de911

Filesize: 1.6MB
MD5: 836e224b25ffb0c4fa7eb922bcd4df6a
SHA1: 215070fa73ad8b404335aaf50fa6528933a2b540
SHA256: 54a93b5e24ec40b2c4e0851f99ffa320a43476206352ce75436be99988939ad7
SHA512: e7d478eac2ae3e0168b7006fc93b6189c129c6581f05bd23247b142ab57ec8bef06c77c086396e24907792ffe11586bcf878023c288e242596f0103371c8d628

Filesize: 1.5MB
MD5: 1201b1486490c7a869c35e8767859966
SHA1: d674a42da51e8efcd54198f66da698bb56a1e224
SHA256: e7b89b041ac3e45f009df117b70492fb59d2e1bd6eb6e420c1489fb6ff826f5e
SHA512: c837abb63ddc50da219b8bb2bc106b0a715419dd0b55655fe296dcd307e7a6851bc1a3ce8f859953092e4f4058b5ccb22401c8e80d9d13383ace3e690cb3bdd9

Filesize: 1.3MB
MD5: 066c9927be33677627676be9bc277a44
SHA1: a6c3d3f70466c9c71bf705defb1485e3192ff06a
SHA256: 6debbfdd6cec2df567889fa555ba1bac9d8be9679840b16c9bd38bbdadcff562
SHA512: ed9218dd48d3329a294a20f95747c94374372d1f217ffd38ae557cfa67c9b0ae5302b2a3c9b7de8dc399ac60e63650e78d4b30057f9082c11b35a63bbdad2e9a
Filesize: 1.7MB
MD5: 4413af54500d274a8f3ffbfb44ed34f1
SHA1: c951172c88e0423f84b190d3f14ff56ce68847f5
SHA256: bc2e7aabdc5daa67512e7fd64218f01439889602322696e04f9b9472be7c0c84
SHA512: 2f8dcac387565564e5379360110ba44605d175954ab1894584070a37bdd9125562422669364a516903ef6156f0b2507320c66a3c1b880eec1d5d0c504ff0cc26

Filesize: 2.1MB
MD5: e49dccfb1ec6246eae84d1bd20ed362d
SHA1: 2f3f881c74fc1b13e3fe6b52ffc53c3152794c05
SHA256: aa1c006429c023b787af1ef4aac98bf2315103062fe689f7cf0ca908afef0a29
SHA512: 0d58495bdce47e1e4a2bf15abba0af3f8d9ef66f9428c30c6b91f8ccecda8cfd0948ce52081498311d396d5fcf7e2f2d4f92863beb1f9d9b6c1993f65ebe7bfe