Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/02/2024, 11:30

Static task: static1
Behavioral task: behavioral1
Sample: 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
Size: 14.9MB
MD5: 7777965385f9180b50b561a78fc44ff1
SHA1: 2647dd3fc7b5a911301474af679c4db9f33f7842
SHA256: 29847ebafcead5a736de54c9a6ece3966787f43fb5a34542d56b77c5145d8acb
SHA512: ab23b1b9536b27da1f8867bfc4c3d2795ffaa7b1b4cc407546b9184ca92c65255ea4919e800ea649236d4ba9e967777bd4b2b44c4ce3770b3990acd53c1939f9
SSDEEP: 196608:S7AP/NNECwHrc8u3x3AEcq/fByuKlWH3CToufqrR:Sa/vQHrc8u3xXJ/f4uUWHd
Malware Config
Signatures
Detects executables packed with Dotfuscator (2 IoCs)
resource | yara_rule
behavioral2/files/0x0006000000023102-70.dat | INDICATOR_EXE_Packed_Dotfuscator
behavioral2/files/0x0006000000023102-82.dat | INDICATOR_EXE_Packed_Dotfuscator
Detects executables packed with SmartAssembly (2 IoCs)
resource | yara_rule
behavioral2/files/0x0006000000023102-70.dat | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/files/0x0006000000023102-82.dat | INDICATOR_EXE_Packed_SmartAssembly
Detects executables packed with Yano Obfuscator (2 IoCs)
resource | yara_rule
behavioral2/files/0x0006000000023102-70.dat | INDICATOR_EXE_Packed_Yano
behavioral2/files/0x0006000000023102-82.dat | INDICATOR_EXE_Packed_Yano
Executes dropped EXE (22 IoCs)
pid | Process
2624 | alg.exe
1028 | DiagnosticsHub.StandardCollector.Service.exe
564 | AgentService.exe
1144 | elevation_service.exe
688 | elevation_service.exe
3336 | maintenanceservice.exe
2420 | msdtc.exe
4892 | OSE.EXE
2372 | PerceptionSimulationService.exe
4148 | perfhost.exe
1512 | locator.exe
4352 | SensorDataService.exe
2536 | snmptrap.exe
2764 | spectrum.exe
4280 | ssh-agent.exe
1092 | TieringEngineService.exe
564 | AgentService.exe
1748 | vds.exe
1644 | vssvc.exe
1612 | wbengine.exe
1412 | WmiApSrv.exe
888 | SearchIndexer.exe
Loads dropped DLL (7 IoCs)
pid | Process
4500 | 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
4500 | 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
4500 | 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
4500 | 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
4500 | 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
4500 | 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
4500 | 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (24 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (47 IoCs)
Suspicious behavior: EnumeratesProcesses 37 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 676 Process not Found 676 Process not Found -
Suspicious use of AdjustPrivilegeToken 50 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:440
    \??\c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
      c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x2d8,0x2cc,0x2d4,0x2c0,0x2dc,0x140325960,0x140325970,0x140325980
      - Suspicious use of AdjustPrivilegeToken
      PID:2116
    \??\c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
      "c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_440_YAWEZWUDSAWJXUCS" --sandboxed-process-id=2 --init-done-notifier=832 --sandbox-mojo-pipe-token=3512868907126487890 --mojo-platform-channel-handle=808 --engine=2
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID:4500
    \??\c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe
      "c:\users\admin\appdata\local\temp\2024-02-23_7777965385f9180b50b561a78fc44ff1_ryuk.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_440_YAWEZWUDSAWJXUCS" --sandboxed-process-id=3 --init-done-notifier=1400 --sandbox-mojo-pipe-token=14112224018033169729 --mojo-platform-channel-handle=1396
      - Suspicious use of AdjustPrivilegeToken
      PID:2812
C:\Windows\System32\alg.exe
  C:\Windows\System32\alg.exe
  - Executes dropped EXE
  PID:2624
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1028
C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID:4412
C:\Windows\system32\fxssvc.exe
  C:\Windows\system32\fxssvc.exe
  PID:564
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID:1144
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID:688
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID:3336
C:\Windows\System32\msdtc.exe
  C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2420
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID:4892
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID:2372
C:\Windows\SysWow64\perfhost.exe
  C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID:4148
C:\Windows\system32\locator.exe
  C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID:1512
C:\Windows\System32\SensorDataService.exe
  C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4352
C:\Windows\System32\snmptrap.exe
  C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID:2536
C:\Windows\system32\spectrum.exe
  C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:2764
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID:2876
C:\Windows\System32\OpenSSH\ssh-agent.exe
  C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID:4280
C:\Windows\system32\TieringEngineService.exe
  C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
C:\Windows\system32\AgentService.exe
  C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:564
C:\Windows\System32\vds.exe
  C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID:1748
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
C:\Windows\system32\wbengine.exe
  "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID:1412
C:\Windows\system32\SearchIndexer.exe
  C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:888
    C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID:1804
    C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
      - Modifies data under HKEY_USERS
      PID:3608
Network
MITRE ATT&CK Enterprise v15
Downloads