Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 13:04
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2 (the run reported on this page; its resource matches the Analysis header above)
  Sample: 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
  Resource: win10v2004-20241007-en
General
Target: 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Size: 2.8MB
MD5: e9700cd8979ce3856caaa33daabb77f3
SHA1: 50b30d76f77940dc3b329fcd83af6e4922798475
SHA256: 1e7909ba98a00409ba16c308c5792660043453f431214b6df8a14d5ca345ce99
SHA512: 22223f16e78d4d9dd38d45203a2ecfff2864630aad2eccf81ee8a6aa1c7f9400f7aed01b18a59e51920226899300e33055f97074ff55b7ebe38cc2044b537d8f
SSDEEP: 49152:iQ2GkXOaeIKYMbmluSWlIccm4/WWu6BRFctXnhW3/59N0zNDNui0hBdH319JE3jZ:R2GH6mD08WV0tNuTBpFnE3Xc
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
3564 | alg.exe
4900 | DiagnosticsHub.StandardCollector.Service.exe
1248 | fxssvc.exe
1384 | elevation_service.exe
4000 | elevation_service.exe
2884 | maintenanceservice.exe
760 | msdtc.exe
3308 | OSE.EXE
368 | PerceptionSimulationService.exe
2212 | perfhost.exe
544 | locator.exe
3636 | SensorDataService.exe
2936 | snmptrap.exe
3548 | spectrum.exe
4912 | ssh-agent.exe
3384 | TieringEngineService.exe
4128 | AgentService.exe
996 | vds.exe
2256 | vssvc.exe
1788 | wbengine.exe
3948 | WmiApSrv.exe
3680 | SearchIndexer.exe
None of these is a new file name: all 22 are Windows or third-party service executables at their standard paths. They count as "dropped" because the sample opened them for modification before they were started; the System32 list below shows that for every System32/SysWOW64 entry here, and the Program Files list (capped at 64 rows) shows it for maintenanceservice.exe but does not reach elevation_service.exe or OSE.EXE. On an affected host, treat the hash and Authenticode signature of each of these files as suspect rather than trusting name and path.
Modifies system executable filetype association (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
All eight writes register shell-extension handlers under shellex (a property-sheet handler for exefile, context-menu handlers named WinRAR and WinRAR32 for lnkfile) that point at two CLSIDs. No write to exefile\shell\open\command, the value that decides what runs when a .exe is opened, appears in this report, so on its own this hit shows Explorer UI hooks being registered rather than the .exe handler being hijacked. On a live host, read HKCR\exefile\shell\open\command and resolve both CLSIDs under HKCR\CLSID\{...}\InprocServer32 to see which DLL they load.
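To tell the two cases apart mechanically, the following script (an added example, not part of the sandbox report or of any tool it uses) parses the flattened registry rows above into (operation, key, value, process) records and classifies each key as a handler hijack (a write under shell\<verb>\command of an executable ProgID), a shell-extension registration (anything under shellex), or other. The eight rows in REPORT_ROWS are copied from this section; CONSTRUCTED_HIJACK_ROW is a made-up row showing what a real handler hijack would look like, and is not something this sample did.

```python
"""Classify registry writes behind a 'Modifies system executable filetype
association' hit.  Added example, not part of the sandbox report."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Operation labels as they appear in the report's registry tables.
OPS = ("Set value (str)", "Set value (data)", "Set value (int)",
       "Key created", "Key opened", "Key deleted", "Key value queried")
ROW_START = re.compile(r"(?=(?:%s) )" % "|".join(re.escape(o) for o in OPS))
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# shell\<verb>\command under an executable ProgID decides what Explorer runs.
HANDLER_HIJACK = re.compile(
    r"\\Classes\\(?:exefile|lnkfile|batfile|cmdfile|comfile|piffile|scrfile)"
    r"\\shell\\[^\\]+\\command\\?$", re.I)
# shellex\<HandlerType>\... only registers an Explorer extension (property
# sheet, context menu, icon handler); double-click still runs shell\open\command.
SHELL_EXTENSION = re.compile(r"\\Classes\\[^\\]+\\shellex\\", re.I)


@dataclass(frozen=True)
class RegEvent:
    op: str
    key: str
    value: str | None   # right-hand side of ' = ' on Set value rows, else None
    process: str


def parse_rows(text: str) -> list[RegEvent]:
    """Rows are concatenated as '<op> <key>[ = "<value>"] <process>'; the
    process name is the last whitespace-delimited token and has no spaces."""
    events: list[RegEvent] = []
    for row in ROW_START.split(" ".join(text.split())):
        row = row.strip()
        if not row:
            continue
        op = next(o for o in OPS if row.startswith(o))
        body, _, process = row[len(op):].strip().rpartition(" ")
        key, sep, value = body.partition(" = ")
        events.append(RegEvent(op, key, value.strip('"') if sep else None, process))
    return events


def classify(event: RegEvent) -> str:
    if HANDLER_HIJACK.search(event.key):
        return "handler-hijack"
    if SHELL_EXTENSION.search(event.key):
        return "shell-extension"
    return "other"


def summarize(text: str) -> Counter:
    return Counter(classify(e) for e in parse_rows(text))


def referenced_clsids(text: str) -> set[str]:
    """CLSIDs to resolve under HKCR\\CLSID\\{...}\\InprocServer32 on a live host."""
    return {m.upper() for m in CLSID.findall(text)}


# Copied from the report's 'Modifies system executable filetype association' table.
REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
"""

# Constructed for contrast only (not from the report): a genuine .exe handler hijack.
CONSTRUCTED_HIJACK_ROW = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ '
    r'= "C:\Users\Public\wrapper.exe %1" wrapper.exe')

if __name__ == "__main__":
    print("report rows:", dict(summarize(REPORT_ROWS)))
    print("with constructed hijack:", dict(summarize(REPORT_ROWS + " " + CONSTRUCTED_HIJACK_ROW)))
    print("CLSIDs to resolve:", sorted(referenced_clsids(REPORT_ROWS)))
```

The same parser works on the other registry tables in this report (the SCSI and HKEY_USERS sections use the same row shape), so the classification can be run over a whole report dump rather than one signature at a time.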
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
All rows are "File opened for modification"; columns: ioc | Process
C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
C:\Windows\System32\snmptrap.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\vssvc.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\AppVClient.exe | alg.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\fc87bdc2983eaefb.bin | alg.exe
C:\Windows\System32\SensorDataService.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\TieringEngineService.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\System32\vds.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\alg.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\fxssvc.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\System32\msdtc.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\SysWow64\perfhost.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\wbem\WmiApSrv.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\AppVClient.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\SgrmBroker.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\dllhost.exe | alg.exe
C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\locator.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\AgentService.exe | alg.exe
C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\msiexec.exe | alg.exe
C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\AgentService.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\wbengine.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\dllhost.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\msiexec.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\spectrum.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\SearchIndexer.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\system32\fxssvc.exe | alg.exe
C:\Windows\system32\SgrmBroker.exe | alg.exe
Every .exe in this list is a Windows system executable at its standard path, and the writers fall into two generations: the sample itself, and alg.exe and DiagnosticsHub.StandardCollector.Service.exe, whose binaries the sample had already opened for modification and which were then started (see "Executes dropped EXE" above) and went on to open further executables for modification. The one non-executable artifact is C:\Windows\system32\config\systemprofile\AppData\Roaming\fc87bdc2983eaefb.bin, written by alg.exe under the LocalSystem profile; collect it on an affected host, and re-verify the hash and Authenticode signature of every executable listed here.
Drops file in Program Files directory (64 IoCs)
All rows are "File opened for modification"; columns: ioc | Process
C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Mozilla Firefox\updater.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\keytool.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\servertool.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | alg.exe
C:\Program Files\Java\jre-1.8\bin\jjs.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Google\Update\Install\{1D4B5551-822C-42C0-B673-53AB80587853}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\java.exe | alg.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\bin\java.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\bin\rmid.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
The table is capped at 64 rows, so it is not the complete set. Every target is an installed third-party executable (Java, Firefox, Google Update and the Chrome installer, Acrobat Reader, Office ClickToRun, VLC, Windows Media Player), and the writers are the same three processes as in the System32 list: the sample plus the already-modified alg.exe and DiagnosticsHub.StandardCollector.Service.exe.
Drops file in Windows directory (4 IoCs)
All rows are "File opened for modification"; columns: ioc | Process
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
C:\Windows\DtcInstall.log | msdtc.exe
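The three file tables above and the "Executes dropped EXE" table are more useful joined than read separately. The script below (an added example, not part of the sandbox report or of the sandbox's tooling) parses the flattened "File opened for modification <path> <process>" rows, groups the written paths by writer, finds the second-generation writers (processes other than the sample whose own binary the sample modified), lists which executed "dropped" processes had been tampered with first, and pulls out the non-executable drops. SAMPLE_FILE_ROWS is a subset of rows copied from the tables above, chosen so the example stays short; PID_TABLE is the complete "Executes dropped EXE" table. Run it on a full report dump and the same functions give the complete picture.

```python
"""Join file-modification IoCs with the executed-process table.
Added example, not part of the sandbox report."""
from __future__ import annotations

import re
from collections import defaultdict

SAMPLE = "2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe"
FILE_OPS = ("File opened for modification", "File created", "File deleted")
# A row starts with an operation label followed by a drive-letter path.
ROW_START = re.compile(r"(?=(?:%s) [A-Za-z]:\\)" % "|".join(re.escape(o) for o in FILE_OPS))


def parse_file_rows(text: str) -> list[tuple[str, str, str]]:
    """'<op> <path> <process>' rows; paths may contain spaces, process names do not."""
    rows = []
    for row in ROW_START.split(" ".join(text.split())):
        row = row.strip()
        if not row:
            continue
        op = next(o for o in FILE_OPS if row.startswith(o))
        path, _, process = row[len(op):].strip().rpartition(" ")
        rows.append((op, path, process))
    return rows


def parse_pid_table(text: str) -> list[tuple[int, str]]:
    """'pid Process 3564 alg.exe 4900 ...' -> [(3564, 'alg.exe'), ...]."""
    return [(int(pid), name) for pid, name in re.findall(r"(\d+)\s+(\S+)", text)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def paths_by_writer(rows) -> dict[str, set[str]]:
    out: dict[str, set[str]] = defaultdict(set)
    for _, path, process in rows:
        out[process].add(path)
    return dict(out)


def second_generation_writers(rows, sample: str = SAMPLE) -> dict[str, str]:
    """Writers other than the sample whose own executable the sample modified.
    Maps writer name -> the path the sample wrote to."""
    by_writer = paths_by_writer(rows)
    tampered = {basename(p): p for p in by_writer.get(sample, ())}
    return {w: tampered[w.lower()] for w in by_writer
            if w != sample and w.lower() in tampered}


def executed_after_tamper(pid_rows, rows, sample: str = SAMPLE) -> set[str]:
    """Executed 'dropped' processes whose binary the sample had opened for modification."""
    tampered = {basename(p) for p in paths_by_writer(rows).get(sample, ())}
    return {name for _, name in pid_rows if name.lower() in tampered}


def non_executable_drops(rows) -> set[str]:
    """Written paths that are not .exe: the artefacts worth collecting separately."""
    return {p for _, p, _ in rows if not p.lower().endswith(".exe")}


# Subset of rows copied from the report's System32 / Program Files tables.
SAMPLE_FILE_ROWS = r"""
File opened for modification C:\Windows\system32\AgentService.exe DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\system32\AppVClient.exe alg.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\fc87bdc2983eaefb.bin alg.exe
File opened for modification C:\Windows\System32\vds.exe 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
File opened for modification C:\Windows\system32\fxssvc.exe DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\Windows\System32\alg.exe 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
File opened for modification C:\Windows\SysWow64\perfhost.exe 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe alg.exe
"""
# The complete 'Executes dropped EXE' table from the report.
PID_TABLE = """pid Process 3564 alg.exe 4900 DiagnosticsHub.StandardCollector.Service.exe 1248 fxssvc.exe
1384 elevation_service.exe 4000 elevation_service.exe 2884 maintenanceservice.exe 760 msdtc.exe 3308 OSE.EXE
368 PerceptionSimulationService.exe 2212 perfhost.exe 544 locator.exe 3636 SensorDataService.exe 2936 snmptrap.exe
3548 spectrum.exe 4912 ssh-agent.exe 3384 TieringEngineService.exe 4128 AgentService.exe 996 vds.exe 2256 vssvc.exe
1788 wbengine.exe 3948 WmiApSrv.exe 3680 SearchIndexer.exe"""

if __name__ == "__main__":
    rows = parse_file_rows(SAMPLE_FILE_ROWS)
    print("second-generation writers:", second_generation_writers(rows))
    print("executed after tamper:", sorted(executed_after_tamper(parse_pid_table(PID_TABLE), rows)))
    print("non-executable drops:", sorted(non_executable_drops(rows)))
```

On the subset, msdtc.exe shows up as a writer but not as a second-generation writer, because the subset omits the row in which the sample modified C:\Windows\System32\msdtc.exe; the function only links what the rows it is given support, which is the behaviour you want when a report table is capped.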
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\. Four device instances are touched:
  D1 = Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
  C1 = CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
  C2 = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  C3 = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
Per device the report records "Key opened" on the instance key itself, "Key value queried" on <instance>\FriendlyName, and "Key opened" on up to seven property keys of the form <instance>\Properties\<GUID>\<id>:
  P1 = {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  P2 = {8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
  P3 = {259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  P4 = {51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  P5 = {b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  P6 = {cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  P7 = {78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
Process | device | entries in the report
spectrum.exe | D1 | instance key, FriendlyName, P1, P2, P4, P5, P6, P7
spectrum.exe | C1 | instance key, P1, P2, P4, P5, P6, P7
spectrum.exe | C2 | instance key, FriendlyName, P1, P3, P4, P5, P6
spectrum.exe | C3 | instance key, FriendlyName, P1, P2, P3, P5, P6, P7
SensorDataService.exe | D1 | instance key, FriendlyName, P1, P2, P3, P4, P6, P7
SensorDataService.exe | C1 | instance key, FriendlyName, P1, P2, P3, P4, P5, P6, P7
SensorDataService.exe | C2 | instance key, FriendlyName, P1, P2, P3, P4, P5, P6, P7
SensorDataService.exe | C3 | instance key, FriendlyName, P2, P3, P4, P5, P6, P7
That is 64 entries, the cap for this table, so a few device/property combinations are probably missing rather than unread. Both readers, spectrum.exe and SensorDataService.exe, are Windows service binaries the sample opened for modification before they ran (see "Drops file in System32 directory"), so the report cannot by itself distinguish those services' normal device enumeration from an anti-sandbox check added by the sample. The vendor strings are mixed: the disk presents as WDC WDS100T2B0A, while the optical drives present as QEMU and Msft Virtual DVD-ROM and give the virtualized environment away.
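The device-instance keys above carry their vendor and product strings in the key name, which is exactly what a sandbox-aware sample would string-match. The script below (an added example, not part of the sandbox report) splits each \Enum\SCSI\ key into class, vendor, product, instance and the property or value read, groups what each process read per device, and flags vendor/product strings that identify a hypervisor-backed device. SAMPLE_EVENTS are (operation, key, process) triples copied from the table above; the VM_MARKERS table and the marker names are this example's own, not something the sandbox publishes.

```python
"""Decode the \\Enum\\SCSI\\ registry keys read during the run and flag
virtualized devices.  Added example, not part of the sandbox report."""
from __future__ import annotations

import re
from collections import defaultdict

# <class>&Ven_<vendor>&Prod_<product>\<instance>[\<tail>]
SCSI_KEY = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^\\]*)"
    r"\\(?P<instance>[^\\]+)(?P<tail>(?:\\.*)?)$", re.I)

# Substrings of Ven_/Prod_ strings that give away a hypervisor-backed device
# (this example's own list; extend it for the platforms you care about).
VM_MARKERS = {
    "QEMU": "QEMU/KVM",
    "VBOX": "VirtualBox",
    "VMWARE": "VMware",
    "VIRTIO": "VirtIO",
    "VIRTUAL": "Microsoft virtual device (Hyper-V style)",
}


def parse_scsi_key(key: str) -> dict[str, str] | None:
    m = SCSI_KEY.search(key)
    return m.groupdict() if m else None


def device_label(info: dict[str, str]) -> str:
    return f"{info['cls']} {info['vendor']} {info['product']}"


def vm_marker(info: dict[str, str]) -> str | None:
    haystack = f"{info['vendor']} {info['product']}".upper()
    for needle, name in VM_MARKERS.items():
        if needle in haystack:
            return name
    return None


def reads_by_process(events) -> dict[str, dict[str, set[str]]]:
    """process -> device label -> set of '<op>: <what>' read under the instance key."""
    out: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for op, key, process in events:
        info = parse_scsi_key(key)
        if info is None:
            continue
        what = info["tail"].lstrip("\\") or "(instance key)"
        out[process][device_label(info)].add(f"{op}: {what}")
    return {p: dict(d) for p, d in out.items()}


def flagged_devices(events) -> dict[str, str]:
    """Device label -> hypervisor marker, for every virtualized device touched."""
    found: dict[str, str] = {}
    for _, key, _ in events:
        info = parse_scsi_key(key)
        if info and (marker := vm_marker(info)):
            found[device_label(info)] = marker
    return found


# (operation, key, process) triples copied from the report's SCSI table.
SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009", "spectrum.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000", "spectrum.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009", "SensorDataService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName", "SensorDataService.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002", "SensorDataService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName", "SensorDataService.exe"),
]

if __name__ == "__main__":
    for proc, devices in reads_by_process(SAMPLE_EVENTS).items():
        for label, reads in devices.items():
            print(proc, "|", label, "|", sorted(reads))
    print("virtualized devices:", flagged_devices(SAMPLE_EVENTS))
```

The disk is deliberately not flagged: its WDC/WDS100T2B0A strings look like real hardware, and a sample that only checks the boot disk would pass, while one that walks every CdRom instance would not.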
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
The reader is TieringEngineService.exe, another of the service binaries the sample opened for modification before it was started, so the same caveat as for the SCSI keys applies.
Modifies data under HKEY_USERS (64 IoCs)
The writers here are SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe and fxssvc.exe, all running as services, which is why the writes land under \REGISTRY\USER\.DEFAULT (the hive loaded for the LocalSystem account). The values are MuiCache display-name strings, Explorer FileExts keys and Shell Extensions\Cached timestamps, the ordinary side effects of the Windows Search indexer and the Fax service starting up. SearchIndexer.exe and fxssvc.exe are among the binaries the sample modified and then started, so the fact that they ran is the point of interest, not what they wrote.
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f8467bfde31db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c5a44c1de31db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1e669bfde31db01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd72dbc0de31db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5e042c8de31db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a46d57c1de31db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Key created
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e037e0c0de31db01 SearchProtocolHost.exe -
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4900 DiagnosticsHub.StandardCollector.Service.exe
4900 DiagnosticsHub.StandardCollector.Service.exe
4900 DiagnosticsHub.StandardCollector.Service.exe
4900 DiagnosticsHub.StandardCollector.Service.exe
4900 DiagnosticsHub.StandardCollector.Service.exe
4900 DiagnosticsHub.StandardCollector.Service.exe
4900 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
3300 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
3300 2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3680 wrote to memory of 5076 3680 SearchIndexer.exe 120
PID 3680 wrote to memory of 5076 3680 SearchIndexer.exe 120
PID 3680 wrote to memory of 468 3680 SearchIndexer.exe 121
PID 3680 wrote to memory of 468 3680 SearchIndexer.exe 121
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Process: C:\Users\Admin\AppData\Local\Temp\2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-08_e9700cd8979ce3856caaa33daabb77f3_ryuk.exe"
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3300
-
Process: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3564
-
Process: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
Process: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1108
-
Process: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1248
-
Process: C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:1384
-
Process: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4000
-
Process: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2884
-
Process: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:760
-
Process: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3308
-
Process: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:368
-
Process: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2212
-
Process: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:544
-
Process: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3636
-
Process: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2936
-
Process: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3548
-
Process: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3620
-
Process: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4912
-
Process: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3384
-
Process: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4128
-
Process: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:996
-
Process: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
Process: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
Process: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3948
-
Process: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
    Child process: C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:5076
    -
    Child process: C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:468
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.6MB
MD519cd946c2ff70654633a0269edb8b752
SHA1d5b6a9e0c1f043576be33e6488f31221dcaf5c67
SHA256cfddc3c5d07ee707b23b99ffc6d23a032d29126c2e948ba5d8ab938991c53fa3
SHA512218a85cabb429c238b6894d3962154b7d29fbd13bedd08cfcb709098fb123989dd3a0bd2b1526a9437d906ecadd7f51f94710f39469a5b1065df7789af1bbfee
-
Filesize
1.8MB
MD56fee1bcc226faf1312fa2bfa00354d8c
SHA1fc53fdc1598925c93c791b9326be09a5d30289a3
SHA256020b5a68fff4178753def0f832fc113ab3606e29c4ecaf970db2a3033ab25742
SHA512502ce54831b86e8e865863bab4a747d85c09d83ad31c7c3072ad1818cbcbc8675492f3428abecd524a4dada9c1cd403872111ed31169a04135c462207b03a4a8
-
Filesize
1.9MB
MD50aa107e6478b9be40df07cc91e24ae9d
SHA1517d970fad0a5364be148d223f5fc268f6550e75
SHA2562912531ac5183d2f380e51e3cf595cdda68adf981aaade6dfef3faea962e4287
SHA512ec1dd9f0f4f9aff7db8df16d001c0292b0962866749cf30c3a89986c894791aeb32d855264e3d088e2308cc138ef23f254e6b4778c5f15f9721e493996a926a0
-
Filesize
1.5MB
MD5b6f5544c5f1e91f8f31ba39d5e256515
SHA1d071834112575ddc6d0fd2c6aeea0f0be12f6f55
SHA256bafd8fc912e29b1cea84c5402e9eea63bd3c142de1532cc582c7fcfe470367cb
SHA5124311df2af342f0a1487d5c887786c9fc33da09503de732147cd103e3b2e5344af25c5474df81f943f9e5db2a84b034bd128025b834d2f3445c39f3040a535b59
-
Filesize
1.5MB
MD5efaba74f67b9fb2b2fa11421d0c3e783
SHA1a714da0272c46a8e7bd1728b66f4a75f30d7b665
SHA256189c020b63d539133586f58586c865ff0115779c97fe8d9d2f85705db5f08e7e
SHA5127cd17d4e7956c7b873791d79c16e942747c46702b218b9daf16a3009d38ca8ae646beb8602a303fd40efcde4dff152167e88d47f19de96a3304033c8afa5ed73
-
Filesize
1.6MB
MD523fa24930a7c2e74e6444d96c450014f
SHA1dbff5ae556550ffb826738f1c19edd23c2c41abd
SHA25607228e234ce94e635dc7e200b6ccde9e42eaaa6710e55a48803fe0fbc4a64774
SHA512f7a0dea6a439ff50a66819591d44db71cd7b7036cb18b8410e5ba66aa3492151d37b931bcd153d691eb1539be8c04910d032deb2ae11c21c07873e5202bc39ff
-
Filesize
1.5MB
MD5035289a6ff81443f7fbbc557b8d81175
SHA1cb2c9fe80c03a24062e958416666c6d2b74c850b
SHA256f78d6a78b4ac3d8bef9a412baceeb40ab6730fe50c5a8b14eb8d4f810ac71076
SHA512a7002bfc96d8e6e8802f714c21f6fa1f155b283f72ae907e9309d59d9a293af132d01c68349dafa88cc6fcd855ac630321276fda470cd67995d0129396ddf3de
-
Filesize
1.7MB
MD5ec729ff35f4febf1fb94b96ed9adb846
SHA1c94943b8a7332218237189075ee4e8ffdeb19bc7
SHA2569d5d149fd5035a0b9976974f9033a9e1715777b42dc502834c495dca5c4a2a42
SHA51281c6e88832df1899ce7bc211389b9044109c6584005dcfa444aee34a3c9c8b9b76e70e67a6edbec95271952c441efdfe03e80dbf0d8c6cf5b6dc3369108a33d4
-
Filesize
1.6MB
MD5a2e844820d30faa788225e99ba315cde
SHA103224219bdd5e76aad08c557881a971ed26a2346
SHA2566e5b351189135d3a9d9b90c908a41b43d367c377a75f8f572b7c16d648ac23ec
SHA512e0dcd11d45ffb16c83c04210bff71d10086c1e9b4a79655d21a4f78dff9e159fe73c032c7a8214a919fcd6e9a45ce6ff2b8add664a196d183e0ac56e4f25320b
-
Filesize
1.2MB
MD5e7645809d5296e8052d732decfa6b9b9
SHA14b42b4c02ff68d9638ff8cfd75a5527d8f1f1004
SHA2560509e83593e7f74681d0dd155aae586175a00e05d8ed00b9f10adc7bb8f58a34
SHA512fd2b9d5cd1cc7782a01aed2c7b7b8c1b1fa4524182702a9737d4b4046efc1a655f13f303b85bf66a8a716340dc938f6922d2afe40d0164f3708b5749eb0a48c6
-
Filesize
1.5MB
MD5b3bdd5048bd997292d898952f888051a
SHA1ed19d73001d193ef255283fb0b6297b5a7362038
SHA25618a8105ac5b51ca0a278896913ed3942eb152954a016184dcb802a1b6b5f57ce
SHA512fcf773e0ef1e8aac420bb7c70ec8e5d7139eb35347af0d0b1cc3df98b757b82aa05e8885c490fa7cb1c3b79fd4148816b5ba602fe4cb8ed93453e5e76ebb175a
-
Filesize
1.9MB
MD545e82859e51ffe38df076bc3a2067aca
SHA16f9cf87cbda42ea12bd2a851bc8dfdd1a994bd82
SHA256cb789a0de3ba523352c3644ea5b635e7b89aa22a7cd1985ea88e534b98c5b6aa
SHA512d2571685f33fc3564a7d7cad1674531da2419bc03d4146dff9844a64568addf8229a33afb41d22d9a7b13ba466b53d368a3dce12a40ab7174f07f0c1b0f66c83
-
Filesize
1.6MB
MD5c79d31cf27524dfec8904a80f3832953
SHA13402114ced6cd34a0b21969ffddd8381c121dcb0
SHA256c72de4f59ca5c7c6c7d466548763b3f334ee0883f2d57c4ef33bc2f7a88aaa44
SHA512745270b39e8a285d739777687ac42d6fb15bca2c0ed074f166b05637fa5e736c8764868bf3e89d81abc95bef79a0c6aaae286f6cd5dc6232782e642a239a17a5
-
Filesize
1.4MB
MD5a7be4d354300fc2f25e4848aabdc1e57
SHA154a9d70cea8d8ce5c3ddeff830b3d482548c4c95
SHA256c720b2cf75a8c6ea1227ef9848e7dbe2af01269ddf8f48eed497f37149f8d48e
SHA512fb2dbd5406f9f9fb486241e75f90f03b6d789a7ae6adc84019c45bd28bb8bd398a272951319a4339ce1fdde0bb25f1418dbbf4e2174c87cc580bde7fea5eec79
-
Filesize
1.8MB
MD5c3f8cfb56435c08f3ad9601dc3064200
SHA176587281b248074e8952c4bb73e2de299dc7074e
SHA256f7c505541839bbf50a8d1573248758b7e5ba02e55c90da6fdec9eb1f7a8e064b
SHA512785993079903ff10b421dac0377a14d5a120cddb2f810a70ef8224252f511cdc48a1e16189264c0a227fbe6ce1031a49ca6226ca75d44b2a00fd9daade306538
-
Filesize
1.4MB
MD5cffbfee3f0fa9a6397a2896760fa9a54
SHA160743109cdbfab44e9da2ae6c99b9a2ae1354dce
SHA256f9ca45b7c93bc903c5c7d7ac9d154dd4f282e68f0427da663301bb942ec514ed
SHA5127576c2565aa2457b736a894c0fb4624d437c707f9d1435232528add22cc8d889f496f2102328b4690d6e02a565b6c603e36d042d5a60149c4fb06055445e3aa4
-
Filesize
1.8MB
MD5c83aae057661c3305139f990017b8e47
SHA18046e4ace708796e77ff23b025eb4f043cadc7df
SHA25668e3dcdc95f107420bce6825faf946d731d92b2a808071697177edf123d84888
SHA5123195b822f33cb8aef40e97af70bd71ed225cf4ae42b1f75cbc23fe249b904acad674d1f0e87c7a48461d53f8a1ecf33ef105eb40a78db0e749e3051d35f9297a
-
Filesize
2.0MB
MD51ab97ba211d39c552a01ecd4166cf552
SHA1f69f5e86c14e13cab75ca8a183e8f7e5ae8f8b89
SHA256c454114d8a217399575ee9215aef6377dde17a0ed74269a1ed0931e72ba195ef
SHA5121cd22b04f7fcdeeff2232a1b8c4491bfdf81378e3bc5ff459dce4f9bf75380521177279f81dad62193d06ffe41edeb480749a661d6cfd2ebc9d72c6de925f16f
-
Filesize
1.6MB
MD58ce756a42793c52f733be5eb930a5ce0
SHA1cf3f4ca7edcb7ad6a80b5a749415e344ca9febd5
SHA25627c55ea12bd908fb2d312c1736a18d4b475d83d118500f70aa616c20f6894953
SHA5129e588f0cba6a0556c0f04b9798a38bcb1bdf73d870a583ab91de61e62ee518a0e499b30a163dc3b1f0998ece9b6c6f022deb6fedf6f90d9428e624b8b2f9cc17
-
Filesize
1.6MB
MD5fcbe2af760fbfd89dd314432aeacd0f2
SHA1fb26a3fe2a874917aa29ede1abb09ac39edd2ac7
SHA2560b47c4d57d119c5cacb4b835ad62bce078c2a1c5f4f4ddf06bdd8b87ff5f98f1
SHA51292842aafe84a6b672158197dd6e34fe7a311df388e2acafe5f801d948eb4eb02ad9b584d6d3a987ced7eb1b3a2e287e8607b568d6465328f6a4d1fe388a6ce91
-
Filesize
1.5MB
MD542fdaf9581b047cce54b7490155a4e28
SHA14855bb808695c37d9625d66a671647cdddb65f70
SHA2560e7faed6bbf6edbe7119869a7519e7136cf5c2ba6c09f9462ab1305b8a188c28
SHA51215e64a66cbd732e577868a8969b68ae3acee7ada836d0eda5f4b82066a5b980385a8c0c23034a041079ee4893a3dc4abeae4e0dc37b0689ab438432f84aecb85
-
Filesize
1.3MB
MD5740732c6648c3bbcb60c3abc2b450db4
SHA15ca24c37c8d1bc3f162897e8f88bd8add63c5182
SHA2564ff92d41efaa77738623ea8b93f41e908f480d9966dff078a64c8d5dbbd4bb72
SHA512834104e06a7a5003742762d4387a2a668ef9cd811958659a0d3f2e0b6437ff97b529e94d402a78c1e3ae34f9b0dbac1bdd9486362c59af24b2b4b1a7ac5ed864
-
Filesize
1.7MB
MD57c82250cab6cf9c32f33f1094de0353f
SHA19ea31ee09f6e13f8dbe9a8f6904bcdd3121a7dc0
SHA256b830d86867fca05b432d2539c11fa2a081a5990b5fc9299962e5400259452e8e
SHA5129d22b06105b09bc2df939abeb4ef5c8666fd6a42443f9b196c38f2cb5f40ef5623a734a22d30538f15d116338f4672972e6b1deaa194008dfa397eea057d9992
-
Filesize
2.1MB
MD557eadd69fe72199e29ab84513a22e679
SHA1d7606005f9259ae2a672e95961661e72b60103e9
SHA256f94a8b99357c0f32afa4a348ce68f4dab7b8768a432e2a15aef26696eab07b91
SHA5126f93537354f1cc54403a55f7257e2f4d48c1407b00f290bf954ab8cf644159a62ceeee7ac1e8dd209eb64ff0e63e1d7674d62fa887ef6450646c5f4c1a6736a9
-
Filesize
1.3MB
MD5f4322b067feebb4193adb1e8dae32cb8
SHA1cbacc0de156c0aaf7691192e83af8a6cd4c67187
SHA2562ae2d4dbc8703b9329fb8dba5f5310cc8856d7b331c27f45dfbaaca0598f62df
SHA5124dc544ed927188c298d6e045c6103b57777ed6949cb63ed547aa0f36ce79ff12c0fa451d8ffe2beb77383ea1626d106749c01aa0320e7248adecb69756e6043c
-
Filesize
1.8MB
MD5817b51a9ad9446291b0816594db6756a
SHA128b33a2e83803a63684e1fc9a454be954015c2ae
SHA25639cbaf003b576f1af3b07fda3590e4d9b0c333e8e0f0ab36978eab7a2eb669de
SHA5123ba1f611b5e1e11107835d837c433090c0853a8881edae6a0253f1b19208f0640c2e8448b0f604715d18220cb29a32937434f74e35e6a8adc12554563579fc32
-
Filesize
1.6MB
MD58a56a6cba2d34ef028e6ff1eee1ea9e6
SHA17dabb5664a3183b12ea745d2e541299d7499ca9f
SHA256d555ca33c5b07d9df84e9ece530367119c0d454e4e579ccbd37dc451e5b22876
SHA5121e4b3cadf806b54ec5ad3386a7595f77ef511c0c3181cdea573a3d415d6af8ac6ff92802d4833ce9a0c3ee55a9e5d72418b44e86505d46a5d7268596c46e1fc5