Analysis
max time kernel: 150s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 03/04/2024, 10:26

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_e18a9309fd707b82b6eb6eee892e109c_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-04-03_e18a9309fd707b82b6eb6eee892e109c_ryuk.exe
Size: 2.1MB
MD5: e18a9309fd707b82b6eb6eee892e109c
SHA1: 07b9d0787b47f8b20e98be4a43c13de37c0d00e5
SHA256: 7e4e58e274639adf502851b00140f9aedeff1e664b819cde56cfa332b34abd3c
SHA512: 8bbd68c131e9045ad6356dc9db2c72457a2e4e7c1379e15c85ef4998bbf28b81b0eef707b9d41b3d0f7701164b3365a6484a7dd1b4903c58029979a21f6622ec
SSDEEP: 49152:AsOwbb13ntb+g2nxDv1PZ1LTb6vHs3M9sR:AI13tb+Z3gs3/

Malware Config

Signatures
Executes dropped EXE (22 IoCs)
pid | Process
4884 | alg.exe
1984 | elevation_service.exe
2364 | elevation_service.exe
2252 | maintenanceservice.exe
3300 | OSE.EXE
4428 | DiagnosticsHub.StandardCollector.Service.exe
5064 | fxssvc.exe
2928 | msdtc.exe
2020 | PerceptionSimulationService.exe
1688 | perfhost.exe
1760 | locator.exe
3872 | SensorDataService.exe
4268 | snmptrap.exe
4012 | spectrum.exe
5020 | ssh-agent.exe
2832 | TieringEngineService.exe
636 | AgentService.exe
4848 | vds.exe
1928 | vssvc.exe
4404 | wbengine.exe
5076 | WmiApSrv.exe
3044 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_e18a9309fd707b82b6eb6eee892e109c_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\a90ee6672a644d7f.bin | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | elevation_service.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000200729b6b185da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e14162b6b185da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ac082b7b185da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003edb9db6b185da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6b739b6b185da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e14162b6b185da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ee689b7b185da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cacc4cb6b185da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
1984 elevation_service.exe
1984 elevation_service.exe
1984 elevation_service.exe
1984 elevation_service.exe
1984 elevation_service.exe
1984 elevation_service.exe
1984 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3976 2024-04-03_e18a9309fd707b82b6eb6eee892e109c_ryuk.exe
Token: SeDebugPrivilege 4884 alg.exe
Token: SeDebugPrivilege 4884 alg.exe
Token: SeDebugPrivilege 4884 alg.exe
Token: SeTakeOwnershipPrivilege 1984 elevation_service.exe
Token: SeAuditPrivilege 5064 fxssvc.exe
Token: SeRestorePrivilege 2832 TieringEngineService.exe
Token: SeManageVolumePrivilege 2832 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 636 AgentService.exe
Token: SeBackupPrivilege 1928 vssvc.exe
Token: SeRestorePrivilege 1928 vssvc.exe
Token: SeAuditPrivilege 1928 vssvc.exe
Token: SeBackupPrivilege 4404 wbengine.exe
Token: SeRestorePrivilege 4404 wbengine.exe
Token: SeSecurityPrivilege 4404 wbengine.exe
Token: 33 3044 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeDebugPrivilege 1984 elevation_service.exe
-
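The privilege table above says more when it is read together with the process tree further down: the sample (PID 3976) enabled SeTakeOwnershipPrivilege and is tagged "Drops file in System32 directory", the Chrome elevation_service.exe (PID 1984) did the same and later enabled SeDebugPrivilege, and a long list of ordinary service binaries (alg.exe, fxssvc.exe, vssvc.exe, wbengine.exe, ...) is tagged "Executes dropped EXE", meaning the file at that path was written during the run before it executed. Taking ownership is the step that lets a process rewrite a TrustedInstaller-owned binary under System32, so that privilege paired with a System32 write is the combination to look for. The Python triage helper below is an added example, not part of this report or of any sandbox's tooling: it parses the report's own "Token: <privilege> <pid> <process>" rows (copied into the script), applies a privilege weighting that is ours rather than the sandbox's, and cross-references the PIDs the process tree tags with "Drops file in System32 directory".

```python
"""Triage helper for the AdjustPrivilegeToken and process-tree sections of a
sandbox report. Added example (not the report's or any sandbox's code)."""
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of AdjustPrivilegeToken" table above.
# Repeated rows are kept: the report lists every AdjustTokenPrivileges call.
REPORT_ROWS = """
Token: SeTakeOwnershipPrivilege 3976 2024-04-03_e18a9309fd707b82b6eb6eee892e109c_ryuk.exe
Token: SeDebugPrivilege 4884 alg.exe
Token: SeDebugPrivilege 4884 alg.exe
Token: SeDebugPrivilege 4884 alg.exe
Token: SeTakeOwnershipPrivilege 1984 elevation_service.exe
Token: SeAuditPrivilege 5064 fxssvc.exe
Token: SeRestorePrivilege 2832 TieringEngineService.exe
Token: SeManageVolumePrivilege 2832 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 636 AgentService.exe
Token: SeBackupPrivilege 1928 vssvc.exe
Token: SeRestorePrivilege 1928 vssvc.exe
Token: SeAuditPrivilege 1928 vssvc.exe
Token: SeBackupPrivilege 4404 wbengine.exe
Token: SeRestorePrivilege 4404 wbengine.exe
Token: SeSecurityPrivilege 4404 wbengine.exe
Token: 33 3044 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3044 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3044 SearchIndexer.exe
Token: SeDebugPrivilege 1984 elevation_service.exe
"""

# PIDs whose entry in the Processes section of this report carries the
# "Drops file in System32 directory" signature.
DROPS_SYSTEM32 = {3976, 4884, 1984, 2928}

# Analyst weighting (ours, not the sandbox's): why each privilege matters when
# a sample is rewriting TrustedInstaller-owned service binaries.
WEIGHTS = {
    "SeTakeOwnershipPrivilege": (3, "take ownership of objects whose DACL denies write"),
    "SeDebugPrivilege": (3, "open any process, LSASS included, for read/write/inject"),
    "SeRestorePrivilege": (1, "write files and registry keys bypassing DACLs"),
    "SeBackupPrivilege": (1, "read any file bypassing DACLs"),
    "SeAssignPrimaryTokenPrivilege": (1, "assign a token to a new process"),
    "SeManageVolumePrivilege": (1, "raw volume access"),
}

ROW_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_rows(text):
    """Map (pid, process) -> set of privileges enabled; repeated rows collapse."""
    procs = defaultdict(set)
    for priv, pid, name in ROW_RE.findall(text):
        if priv.isdigit():
            # The sandbox could not name this privilege and printed its LUID
            # (in winnt.h, LUID 33 is SE_INC_WORKING_SET_PRIVILEGE: harmless).
            priv = f"LUID:{priv}"
        procs[(int(pid), name)].add(priv)
    return dict(procs)


def score(privs):
    """Sum of analyst weights for the privileges a process enabled."""
    return sum(WEIGHTS[p][0] for p in privs if p in WEIGHTS)


def rank(procs):
    """(score, pid, process, weighted privileges) tuples, highest score first."""
    rows = [(score(privs), pid, name, sorted(p for p in privs if p in WEIGHTS))
            for (pid, name), privs in procs.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def ownership_writers(procs, writers=DROPS_SYSTEM32):
    """PIDs that enabled SeTakeOwnershipPrivilege *and* wrote under System32:
    the pairing it takes to replace a TrustedInstaller-owned binary."""
    return sorted(pid for (pid, _), privs in procs.items()
                  if "SeTakeOwnershipPrivilege" in privs and pid in writers)


if __name__ == "__main__":
    procs = parse_rows(REPORT_ROWS)
    for sc, pid, name, privs in rank(procs):
        print(f"{sc:2d}  {pid:5d}  {name:<50} {', '.join(privs)}")
    print("took ownership and wrote to System32:", ownership_writers(procs))
```

On the rows above this ranks the Chrome elevation_service.exe (PID 1984) first and returns PIDs 1984 and 3976 as ownership-takers that wrote into System32; vssvc.exe and wbengine.exe score on backup/restore privileges only, which is what those services enable in normal operation.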
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3044 wrote to memory of 464 3044 SearchIndexer.exe 119
PID 3044 wrote to memory of 464 3044 SearchIndexer.exe 119
PID 3044 wrote to memory of 2028 3044 SearchIndexer.exe 120
PID 3044 wrote to memory of 2028 3044 SearchIndexer.exe 120
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. For a ransomware sample that matters because the same COM API is what enumerates and deletes existing shadow copies so that encrypted files cannot be rolled back (MITRE ATT&CK T1490, Inhibit System Recovery). Note what this signature does and does not establish: it records that the API was called, not that any shadow copy was deleted, and the SeBackupPrivilege/SeRestorePrivilege entries for vssvc.exe (PID 1928) above are the service's normal behaviour once a requester connects. Confirm deletion on an affected host with vssadmin list shadows and the VSS entries in the Application event log before reporting recovery inhibition.
Processes
-
Each entry gives the image path, the command line the sandbox recorded, the signatures that fired for that process and its PID; indented entries are child processes of the entry above them.
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e18a9309fd707b82b6eb6eee892e109c_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e18a9309fd707b82b6eb6eee892e109c_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 3976
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID: 4884
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1984
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 2364
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2252
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 3300
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 4428
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 3572
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 5064
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 2928
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 2020
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 1688
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 1760
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 3872
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 4268
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4012
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 5020
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 1432
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 2832
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 636
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 4848
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1928
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4404
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 5076
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3044
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 464
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID: 2028
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD50aac88840afa0d49ff23d031428696e7
SHA1fba59ed3350e601bf431943f0162f0295dbad8f4
SHA256bb103eb3a38f0a29aba955380ea056093e7e88f122418a34e4d3f3a2ef99056e
SHA5127dee08ea3ef4c85c94831a80b1beb0122a0987e3f6b277fa5b1baf0b8df7b2977cdab0f7795c54e22c7314213b4154d801c02204163fa8baa185f363da253ba4
-
Filesize
781KB
MD5831e86b5c86869080f8662d519f869e1
SHA1be4052029ac56714dcbb7bd830554a52d8bebdfc
SHA25642ca181930df4712059e28a554b4e776974a9dd9f3693578886860d4d4719121
SHA512fb05f2ab7a7d8179d27d2fa5ac6695fef0fc08b833a01f30a4a242d0b6d382c20eb8852f242a71c300a618e3e952887ccc78679bf7ed7d2f1295ecd7a500f661
-
Filesize
1.1MB
MD524cd6fb7c26c8543363ba0d68b325fd9
SHA140617cf2aafff0c521c28b02c489a42a278b7dd8
SHA256b1cd5dfafa6774d70fa553fb695c3bb30d657306bdae1948afc3eb667e5f9fc7
SHA512269c4f16aeb95330334352e8c97ea02e6ae40d4f5d6f839b46d723e865feda1ff6b0359ddcd2aa585cbb760f2f7aa864c601e322cf31f2238a99ef422d4bcc06
-
Filesize
1.5MB
MD5ac8561fb76bb8cbec41dc92b69bbccc8
SHA1d36990ad037dc0acaddc2df6f926a99a0ead90bf
SHA256c8d7bc3da4ca9b342eba2d8e7c1e3963830b5c7fa131357fa8a6954c371103bc
SHA5124fe3e7c8356b5f1e3fa0668e2bc43357f1a35f9afd10b04989af6ccae08fcda5a8fcef92b4d914af212f2c276f31f6f603b4f6f2fd0babfc1484b0458c668a6f
-
Filesize
1.2MB
MD54d7e3e3250f0f9a6a5b2925242535828
SHA1c080f0094298d39a10ff1b48b845649652fdd4b5
SHA256db474e046eb15edd809365bbe8479d180473cccd833ad79a5ff94630798d4dfc
SHA51230d0f6d6bc20a531225a96b08d8440ad7048a813aeec24369fe11d7bf296d2754e7f04d89bc42ca87c3f7a022f04449ecf5a538a1fd5893f60b8a09117d1a582
-
Filesize
582KB
MD56ca10e881a956c93c28c3ec76a77bac1
SHA19861ad336ca2300c6803fa1554711c29b3cfda90
SHA256148728c8e08c6c71e0fec71c213998850f4708a6e65aac1dd32e4413a30942f1
SHA5120741c36d9f0290ed891c891edf858c64334350ad1401bd17153a544cbe9ff41b01725c28a9ea574d825f546226f802c67a9ea0126222a8738d7b10a4968fba96
-
Filesize
840KB
MD57a35248ac56b63500d2ad37dab05bc45
SHA1da7e7e2fb8f1faa4412998c2590f0eb746428794
SHA256c78fdbb3e73c12afbb2a1ed8c5c9531e1fabaf0dcf28dd94f5260800384baab9
SHA512502ccb8fff7718714e91e38c8e422018c302fde86f5f416e99e6649c7fbdca1367cfb542b1402d5d9b5b1862972e2c9e18c84c81a71d2c99eeeef8b12c2d7ed1
-
Filesize
4.6MB
MD59f6bfd97802c2c79afe4742ae82ee76a
SHA1405dc512500c9e99a85038677ffebf852322b62d
SHA256d1336b1553c380f99c0dd8ba2f3c604abf22e8227b749240d01626b3de22c6aa
SHA5124605bf18e49f62eec7e2d141e9e682641083a05eb02960eab47fe43d2afad22ce774c81d01de2bec01765d8bc6ca8903778c11a358a6b29fa90ff436f6b0958d
-
Filesize
910KB
MD523d39f0a8f6e775c7522e6c22ef0bf67
SHA134a3a3e18f498890ab82f3792eb2cc6309f47995
SHA25699b73dc3e610140a5c0d0644901b153784bfb949fe473afba6c37267a57d9603
SHA512583161403e39ef4e3e76ac039069c7976f68241c88392c4e9b4ac83fb645d3ba31e09ce473135b690354db51f54f40222dd1ab802496bc7c37a5b39be8aa3ac9
-
Filesize
24.0MB
MD5139ca2fff288ebb959a65b03698301f8
SHA19199dd07b656e88e1e9172441c4ba565c78657a1
SHA256ec480a9e2d7586c342ef93f75c24ef4a1f412b6ac2ed7aba24beb21c00d75e6e
SHA512572f66b9c4eee3bf196bc6bd6af887ae559a632aa6ef68a47b4bda56b1e383d986a814baed530aea130ecb1f1fd4c55b7d0bc779ebce55c6a5f725d8b9f9ec08
-
Filesize
2.7MB
MD5034daa882a93742bce7e014f0cb36115
SHA15c7c0ecf1fe3dedddfa5211c4dfebd6c413cd502
SHA256d06f2159bd4e630ba8b567092428da9a12fd7542bffb757571b045f4eed83667
SHA512248f28ce8c298f53b510b687441bd49d9af4c64da16419f6fa2926ea43b01e656e8a7709e533932c51211d688ecdbaf260622a0c581bf801a873a2c52f1cbee4
-
Filesize
1.1MB
MD5e34ae4254f3b0dd18eeb38b52e96a769
SHA17a56fc9735859edf86384d7720bf3f3041130745
SHA256ef94db0f5c8c29ad8008ab8e4478420320c43a8ae49feff674dd2db7264887b7
SHA512b0ba83b53f7143a0e1629d3062ebd35a17694b8af2a706087639c6b422ec744b0fb577818635f4dff4db74eb37ba7a653c736434f1fa8924d81738675b470e7c
-
Filesize
805KB
MD557880c9416e95fe69df6f6eb7a5a0b55
SHA15d9425e672329df87fa3dd222bcb1765d808375d
SHA2569ef5584fe6289c69d7aba001ff357b153b6cb99b07a5ba43208a2029c4928934
SHA5122284861a2343628d5ae3074b7ee002c6ac345bbb80327a87f78ac20cd9823c16cca256d3d69a86a8236287ce1a60d21a20658adbbe5b7d19e118380c4e8f26e5
-
Filesize
656KB
MD5da801beeb2579b1d1237d3525db42383
SHA1debd9f4ebfd891607362cc3421f97f3e12c95129
SHA256900a5fd7c84090a3b29912d0bad46a98c0094df04675ae8e2a9aaf7cdefc8988
SHA5124466b08e84596f10cce260e11e8d0ee96af5cd70d2714cfb2266ccc754acfd12a9891a1132e178245c71399383e2f1869aeeb39107990038cb3e82376dbbf639
-
Filesize
4.8MB
MD52bb393658c2218fd3c3a3d0351c20e6e
SHA120f28b42455fc3ebbb8272592d7b3110b2de7829
SHA2562b6e7faa995df166bad6ecfb6ddd7c8fe3a573f09d31b243f60c780a4e1aa0d3
SHA512af25da41449c0463492f5e54c2b0359fade3c3fb35b1f24a65ab374e9c0235521dc9102b2a01b7864a65f2f14fca5be11c9fc1afb5c0ae3d22b6d48563ecb448
-
Filesize
4.8MB
MD5c043e32c9258396fbad54c16f147c64a
SHA1048f0d2799c7adb4cfb45ce629c3699a399f4dca
SHA256ad334593c52f0c463f2e63f32bdb0c38046e9fabb8e2508032efed6b434f50b1
SHA512bbd3a0374ae82b84b620c52b40b4e1d841fb9dd4b5b3f32b853903504717805ac37fef8e1f2a4ffd9bedd599c466c9d944cf3564dc642914866f4074c4d13a29
-
Filesize
2.2MB
MD542d8edc63acbc9a933b6fb38a485008b
SHA189c0db4f052b27e172cdd9c31996f466cea5a262
SHA2568fdcacdea515860a47bddfdb13a7f2c7db4d8c11e7371fa855a71e09dff37e23
SHA512a1ddbaca7daffdbbe62049b99026489e30857326d75907dc90e4d26105e68247c042a6a5acaf820814a45e10dfff7e4ff1e08ed02a62d2868ed24320012b3ae4
-
Filesize
2.1MB
MD55fc668dedd075b421867f18b4bb814ec
SHA10907b2468736ae4623a1ca66e581a0c4da25c233
SHA256f0580da770627bf48d756c1fb9fcae48402c4d66efad7fe5edabd398cf461720
SHA512c905a694129edd28c55c39fd39ce2a097bf5f85fcdb2eea2b2b40213c5ba97fc1aa028f26d212efee55a8b75d9a253d469288c243784e2a89c3be85fc621fdef
-
Filesize
1.8MB
MD5fd34b4da1c51b1609e39dcdab05ae16c
SHA1190099452a5a2355a9f97288c276600c829b2ac2
SHA2562bff6502bc056a5275704ccf2d844353b611401def6b0d496a0cc9a8dd036534
SHA5120eb434c6b5f8d651983e00718ecb06f1e80c8b8c306e1c5b7bba1de57ae05547970bf18cafeaa84faa1f1e1d338e42fae67cdc673264a32885973ad9b0748309
-
Filesize
1.5MB
MD535a9d7d06e051658ab119c9d83847245
SHA1edbaa49e660541da71e36805b96810ec23b34533
SHA256a3ed4bbb7f619d91053d828afa2930f86c98e5167d92be5e973401a5ee6a441e
SHA512a6126cae5a22fdf12bc31b010dfdf772e89413f7893aa60a96aedf17db8740ab591a1e1966374bfdfbf7211d0b7eb764d81bba16f360e449b3c4a88ddfecabc8
-
Filesize
581KB
MD59436b47a0b972da94ecc927268422ec5
SHA1a503dbe0f9d8bdc593e0ff1a4b69e92d13bd14fe
SHA25659fc9d33ee495003b76eb0488d82fb07d819325897b38963efb4568deeef3867
SHA512d51dfb8603a35a7058d001c80fc4e8f3d6eb6cc2efe5d67766f1c390e4a563297ad82ee9b7739897fc3588d45c14d9ce82afa17caa3a9663df293b17db5868a7
-
Filesize
581KB
MD591caf14f6b2caa17018557b37417ffe7
SHA162b9719fe0d07ee858645ddfc2033465aa991ba1
SHA256d6672ee62a3670edee44941df9fbf9cf2c358c726dee9997f31a627a800c5bfa
SHA51267c423d30f9716977a8dec2d134506005c46a989ca5b1a42a10d9e128b7d1beba9aba2536eb7a5fe2925aaeb0f8b3eef03d949bd68d91c8c401c94204bb0eb89
-
Filesize
581KB
MD59f5da675cf4b7db20fed8f6b83fb96fe
SHA1e4fc01fd54c22225085706d50bc397b8bddca04f
SHA256b53b15197d968d11af5c98b89b7a2216c1897f474cbae5a2d560f494939a5aa3
SHA512dcdf4006cb14c9b0f3e87aab168deca1035f7bef4b02b6b75ec53f55eb4e1e6cf0549b5461432fd0463894da93229000183ba2fc0ca3f0551639132f40ec5e9e
-
Filesize
601KB
MD588e298de18bfb84107eee39c492b78eb
SHA1e8a322992d202dfe589aa89cccc2c87f365616d3
SHA256f49ba5fc4075a6f2e6ecb1e1f033bb1abeeca54577b1c77aa249b93df97c5c90
SHA512d526870ca7958e7e8e472701b0760184ae8bd2020c719d91b2801597eb4d71e3a8ee131f08326e9184f3cd2caf82e5b670c059b6c0cb27682cdd9597fe99bbd3
-
Filesize
581KB
MD56459d6d5f7dcba5db7596ce4f6a05d07
SHA12fbd4b5d98a5066d7b9c8ce79f0549662f79d4c4
SHA2568079c8d3ecfe4e06b31b0359bae40ea5df37228971eed6ad9ae6930e5b41ab5f
SHA512e5c0cbf84abde531b961bc5f9fb3c6f83af4ddb661b86fd957a48a818455c8b404088603af3aaceeeb213aabf6b052aac084a22cef14058b3d587463511103cf
-
Filesize
581KB
MD5766c45a1c604c65e25340a6c92779ab5
SHA16cdfa328970078ed32bbb6f0cc637a9d2c9216d5
SHA256a3d02e3f107239ba5b8b91afc115db20fdfa5604f94a4ade84f23b88f6454a58
SHA512496123448750c3eea818cf08ac16b39042923aa7e8db8e5336d827d92804e26753aad3dd3681f65a383b833d80bbe746a755df70537db5f7fab690b5e2b20554
-
Filesize
581KB
MD5777475fd77fcc75481f5989c582cfe48
SHA184529370ea39e2be6fa8cbbd052899f5d20e1af7
SHA256e5a1d0ee51c75e116ddfd5840cc63361e661793f9ae0837d6f489113dc7633b2
SHA5120191e837778a64eb8eb10a2a60bb64c2802cc5bcd487a0d7fb7a865fa75881d2572944b214d082253be7e71f1f8fd3c7b19fdd4dbb2d2b99d72b144a7223e58e
-
Filesize
841KB
MD51f8131579cad75b9a459c96f48b69189
SHA180347a05a287e6f89ef579678af40472ecbfdd9d
SHA256c347b7f6795c67dcfc8649dea24bb4e6fb37e1f48506b97717d1a7fc21ea1367
SHA5120674b00fc887214333b6a72e33cf8a86b6106a519f4bbfbba2279bc155059edb4ca145f8e367ae75f4e2b8ea34e20cc499e679076cf7a677e6825e0456e1551e
-
Filesize
581KB
MD50b6555890cfd6fb55044a00d5de0bf31
SHA1f7ff2ea5fc49fadfb1d43fbf16afce0e245a4137
SHA256d22fad9970dd04f419e213b1da342125ed1d98abaf769b2e9009a90cb5154f71
SHA51228796a75e57750c2815bc0dd3cde87af4d5426a7d47b6096eb779708cd4be308f2ccf34b181b3aee3f14439f0d387869c69c75606eec6d2133d5516c047d5523
-
Filesize
581KB
MD56bbd1c3f94cabe3ed120bcee7f35e117
SHA14581ddcb28566759045b8559861d148e803f04dc
SHA256ee8fe8e017704a42bd9dee121408e68e5ecbb4da630371ff8623f98b0e7223bf
SHA512500e0a5b87d359a3f986f36a81badee303185192bc3aff5127b1436542f3b8374d36512c5ee9c84c49b72fc32f0db435845f1d5caafac6509003d2b9bd0c5e34
-
Filesize
717KB
MD5f3c72057125ca5765e79012ef4c232a8
SHA1ec6d8cac073e4374e7663d36dbea8c2b34bd9dee
SHA256b60d57635735106b3f9fba82e012bcb64615471743dd55a232fbe1bb4f9af46c
SHA51224c6e6bb5985ec42c700982287af43e9159fe344bcd564ee7e638b6949b55638b0ddf1603d30122077b12a4ca3cbf94d7ec4fcbb324c2f90c8ebf0bfca24c701
-
Filesize
581KB
MD5ac94ac50c5aec4133f0ff875cbaec499
SHA1cd0b4692af1a51a75fb34d3e4db4e81ad078dd45
SHA256a568c86b1ffa47f3b317b03a8bdadc9016d4a3d30a03087c2d6b6e46e733958c
SHA512e6d357e08c918ec0eae1736ed0d28e3df7e19af0ddc8ec3325771e8849d1753f2235935ae11df5ac8d4ea200b8abda16a22280a818afddda16f1897436320416
-
Filesize
581KB
MD5878edd1beed522ee63664d810d4f4004
SHA182b3ec1682e867b8ef58ce1eca7fc79baf497319
SHA256f200c77ee543e0b0752cd3a0cb0baaea6bf1c659d3150e022ac4b502eef0ea38
SHA512d32dd047b11cdb2c90de4f0e00f68310570fe3659c378b5f508ee0400edc7e44742508e979a99175b2a090924c742ac8d9f1c949b2e7673f3c98d52f1172cd3c
-
Filesize
717KB
MD5b749af8aa8050596b758792251efdc54
SHA1addea46f4fe64349c8ca857712f70adecdce8170
SHA2567cbf2360696a46f62757cc59d2cbec4548f5ae44b55fb91e5ba6d5011c300750
SHA512494a549accc4c4ec554a37409d8a5faca5f3ef9729082ef87cea49e8e1fe4faf68470480f0375e478718fc6c360065a9143b02fc092d93809360227461ccd9da
-
Filesize
841KB
MD576cc08b2579a24a10b5915f3e8d305d9
SHA1e9ed7b8d16e9083790137b87a09e534c9a57df39
SHA256a3bb4a8c544b55bc7249e968b55e71ec757067b9afd748ac48c13a330f1e7050
SHA512ee07cac2adf7bdf2cefc8d3ae97eee0e40c7dd4fb220fdd712c1da6cae7c52b62670cc5a1f55e0ada986fbd6d37d0a4c6e1add4920bd173580099bc3021d7a0e
-
Filesize
1020KB
MD56eb8478e802f64090d11d44d19359bb0
SHA1720c812307f43074f5f0de4507a1c7b8c5097c24
SHA2561c3d4c999dc9c6af2d1576c01b02dc93b668875f4eda39318c48ea2eec9e40bf
SHA512e902784f36c337faa082bb7f23bca4f1aaddcc069dcf2da61f2a55606b4c2b1156c598f102de7064c037000ad999312ac59b3e56ef98431550b5d05f4f7ff37f
-
Filesize
581KB
MD5d3dba19947ba5ba7762251ac5d584977
SHA13c8320483e07886ada4064219c97c4579e281b44
SHA256ed9df97a060a18c81fe569bb838143897bd2caf90ea89b26f6d929310b860a41
SHA5122ee331df491d7c1976e345b278c902e10a0186e2d9044408b20d0603b225646d322a05d69268b155059050459c12bc6db356a8f4d1e62df7d0bd2bd7ed0cfcaa
-
Filesize
581KB
MD5d29be44f9186a82d3498fec9385cb2c9
SHA17604afe66271f2f6422bedb45e4e766d3df85c7b
SHA2561775723ea57017962cd6edfb2b4d37dce694dfee05a00088ab97c43b371e0588
SHA512d1c871b194dbc3dbbb15f4184de48a25e71ae3cf0abb758d94ba167e5be2abc25996a77b5cd2f4ab60013a388558e1dd76c0cf6fedc0536606e5a07c845c57b8
-
Filesize
581KB
MD557de4ec2ca837fe26b811a886cf5e892
SHA179272fc35f856fb9442d752c287c1d6ac16cf12f
SHA256c86df81edf8820d30c38d0fa867ec3b6222e46853bca3e72b1bf09e9578e4637
SHA51270a7782b39056ea8e3c7c373579485080016d62d73269c708daf4b9c039c7e6bbd3c17fe7f27101e38fdeeb1a24cd807920fd1f3e59322b4d78f3b2c93154134
-
Filesize
581KB
MD53ec6ddc45713fb4c603994d83ea1f7ca
SHA1e9fd352084177c5c47f78bbdea96a15a36be9b4a
SHA256fc3d44bb77850c8e912606b0df089fc4cfd40f669e71eda676bfd7ad696e434b
SHA512939c820bc1bc6183f5591ec3b1bb04b9c4864c58dd13d6b0c3866f2770ff5e84842dfd1ff676983d8e985728cfc3a4a65e23e15c42f990822e20c0c5a5b97fdd
-
Filesize
581KB
MD508566ca4e29172f0195b41ffa78aab1b
SHA159e6a48b76f0c95d25d0ec7d582c85743d234f28
SHA2561672074246ea10521a08b7ffb1f4fabf32649fb2a19b50ed308c66376960b44a
SHA5126ddeaea61a73163e22690901387c4237256dd7b6e61e1886ea83cd1a751367af8bdd20fbae2ab768a314c07f5b4f160e773cfaac87cd73dfe2e01d713d8f3e3e
-
Filesize
581KB
MD5cdfc4a3a17addffc12246e21dfd861f4
SHA1746eceb8602906bbac71d355fc05e904f0ce50b5
SHA2561c4a97c9fa219de6d1bfce6524a78fef3d5af9bc11cadc6d8dd25947c6552f36
SHA5126efca93e3122cf192cfb54bccec8291ce3b740d95cfbe3e0579a9e8a6a7e091c715522833ca42177a2a343763f8322582d933112f36a9063f3cce10295d139e8
-
Filesize
696KB
MD5beb209facda1fdf6c972b6f6ae5c77e4
SHA183e64bf83528fbbf75a99ef47eec0a78a88305f3
SHA256a16e9f440a9c34b67d204b1a6a388fe44270c23b6529e12af4c34df4e195d48c
SHA51279ed94f0377562415b65ff04e112d954b8a4d05eb76c4db9638d507bbf3191a81ef11f428f68c693e14ba1dc6fd613dc78988755ec6f389451eb41820262955b
-
Filesize
588KB
MD5d732604b42449995a61800c114ebe565
SHA1f7e0e5be8e959148242c99c8a7c811da5db3ec29
SHA2567f8c2a388971cb41b0a6dcd1c9ac8d48f529bc2074d1eef262b6c43c9f9df77d
SHA512b758dfc56f62099758701ba76bf5595a498e017a5bffd65e84d5f26e55e58aab2cc38b32088abf404a4516fe685e833838a265e7f6e2ee3d2a69d16023e1030b
-
Filesize
1.7MB
MD5c8e8a5c10c1338120648f3898c8f5edf
SHA15f11c89505d292b39f0db6c98da7e27caada1af1
SHA25611d55015d865dc3bccacbf1b59127866e06b9926132ad099be50073e22861934
SHA512e7d0a58083aa8432340681882e20c9da4684c43b610b1573f4c3d19f207f3a65655ef28c493c289389d509f1158615b731fea9ef2292c57b736f946a4535e4d0
-
Filesize
659KB
MD5565708b9b1f29bc32e5ed7754df627ea
SHA12722b2f1e2c88fe9db28ebea3e4481c14a18297c
SHA2568ce5a13fc85b05d7321d7e20413a4fc0adbccbf2836f96dca16d062c85d6b85b
SHA51289578c88cf2376b1b654de08d14ea4093500c163d1239da1a4d04eb7e4e3d8b8bc1155806b88007c12f2f42cfcbf2b2d543be9c77d2c5dd3aed418f533fa0c2f
-
Filesize
1.2MB
MD5a7ae6f1ddbdb84d01bf850bfd0d54d8d
SHA12fa0776db27f75befed9dbc4890d2e9d18eecfca
SHA256db6b993b8e4de4d13ffc8c7eea03912ae2fc18aca25f61b08e35ef6eab44766e
SHA5123a5e3e6819d893d35df1129c992480e3ef03b261ba36a3bdd33a47c7779ba2bb6173d53579451a92a4b580d71d696a0b0de768987b58723fb277b60cb7fb4858
-
Filesize
578KB
MD598c37cdb308db7bc8a94888b07d5238b
SHA14010455d71fb10639e758061e5bad4f2f2054330
SHA256777b01addd42e36cfc31976c8ae941128c8605a4fbc635967e8ae1472fc22fc7
SHA512d6f418d593a12d820ca17366a6677aefd684182e68dad6b84ea2c83c28fac35394f261d763e71c52190800f29b50e85b4f1465cc2f4f6c22ba6a5e8ee2789357
-
Filesize
940KB
MD586380ab077da7c236862eb5a496c576f
SHA1e1770db2dc5a31eb9c92a4af214531d0299cb264
SHA256078b79dc352ca4a4d39c3528bfbfdd84f73f3a010cd84702f8778eccd9a86881
SHA5124b761c655dd90529cda792561f678b12faeadb93c48fd016ea2407b516684baf0abe5eb530c227ed131ea525934d4ac4de480ca4fbb1461e6f90287dbb0ebb0b
-
Filesize
671KB
MD57c86d548f26ff0b1f091bfddbaf6a9bb
SHA198e8161b47da35d5a78f2e570d527dabf0894d1f
SHA25681c1723c31d264d685f1cecd4c594fe49f1972c0aa1f1a7f7a4e9f1daeda90c1
SHA5123197cc0c3f689708debc0444a0ca9ba686b86acd9d9e59fb071678f337e2643eedc515877d539ef0f5e6436d3119949ad6d3ec05cbc21da72857673b410fa23f
-
Filesize
1.4MB
MD570e52afccbf6e293c22c1256a0783ecb
SHA175cc19430f52aea91247168e48ccd153143dc2db
SHA2561a0143fded25709682a7667dbab485c796fc604d71a6f794780b2ccb7c330349
SHA512eea3a9d56f393d235afb803f4125acec6c8ee26c027e784802064a24cdfe39bc247b5ab2af2a7322485205c5a4427d23282eadac3510816548c2913c3bcb40fa
-
Filesize
1.8MB
MD5c2f90d2043540b48e8670e11c0e589ec
SHA1e1829485d47f9410b263b70b9cad6378594c252e
SHA256f2ab5467077b891eba21b350243653dbeac183e1085fefe4a1da9269b2a95068
SHA512ba6a4d70159be3fdfe11977fa81b27b7c46621d1c80efe73b7b58d19099e89639d556027cc67414c97ea455242c65afb7aa1010399d655dc27408586c2dd2a7f
-
Filesize
1.4MB
MD5e25e7624c319f0b7b7cbd516b8b51e0c
SHA1a0cd2b90c0942ab087fef2657f85ac17a5c6aacf
SHA2566092227e654b8a391e5c58c2361e990009878867be27d64ce818d18722d0f015
SHA51272a7d4a5f8c5f76371a1dcc589769b37f90dc80036d72209becd9b1e63724a4de1a821807eb655c9843832cb7260fb40cae5d26812387b690dba8850fd1cd10a
-
Filesize
885KB
MD54a3da4c60da8ad73894db5d3750d94f9
SHA172b9b9707f41c37d384644d0becfbfc7aedc1344
SHA2566edbec1d32c7a74b05af2d5684f540963f7f2f8efb4e084cbc7d87dbee069fa9
SHA5120171ac8d0aef9d3f73554bd9b6450f8c31c26325b1f9b576f98a729594d7f5671c476b58708941e9e304125f5782993b17d5dbc1a9e602a288a56d095d714a0c
-
Filesize
2.0MB
MD5f4b8c24a3c525e0ec289516ffe469bd1
SHA14e783044813be448a3095cabf26c1a9ce27ba69b
SHA256507857a8e197cbc3f86abadb5e0b3ad73195da7ab235e7bdcafd270e88c06c39
SHA51235f65211edd2468c0bc96f04b1325c8451ff2dbd75c5ed82dbacc079277bda416fc87272e48a3edaa2d22ea5119efe15e4a67f8d2ccda448f7d2ba2c9d4173da
-
Filesize
661KB
MD525915ec84d8391f2d78379925c52dc44
SHA1bf361c3c7eac8128065f02acef3d3268c56c0141
SHA25629ae30fdadac203505d3481a35628219881d13029e1ac75793da27f6de94ce3a
SHA5121144cf53e36eb5ac015f277805ac108e847386103c3efb902bb874b86f138941f0af8d8c313265dd43b0e95e0c0eb826d8c73004dea818ddc8110eb3b5afa36d
-
Filesize
712KB
MD556492b4afc387103129c20cb1f538dad
SHA17e6213ffccada2d9b3da37d53142217a80a7f7a6
SHA256a031ebe427b3f9b11e44288ddf7184b80628b20849e78b95e93422b2c4986b44
SHA512fe586fb042705b381def68a2dca1c2a24cba126cd5b47b1594bb5e72496ba1d85c2b0168b00873e05a2a2b8010d5b6a31439ce97f4a66a86315bacfe705c1730
-
Filesize
584KB
MD57e22dc356e223651565a2a7e47c1d29a
SHA114a4a81743a28eaaa23cb7f96b4fe7dfa4a160f3
SHA2569080eb8dfa3aaa23dcbeeff98a14028e57ed1f8ddb4e791bfbf7dc7f6dd21159
SHA512d65888e5de096f4ebd482b8a92559ec18154c5311b59d254bf33641e9786324a4915b85dba90bc7a137c766f37d1608a7263d25f49c74bec5c039220ed613d29
-
Filesize
1.3MB
MD59b4f19e1c2c60013a8399f3703c761b5
SHA16751ea1f3fe09bfd09fac18b294c8ac58361df6d
SHA2564ea4ab83e83aa12ac0fe22eebbfe605d957cc0b9cdc4f400d37fefc373432d19
SHA512bce914807cbf6a7004ed1584c7a5dce08d3a10a34f8b3f727fef52da9c68e6c72d0275a42a2e55c8035484024e2513624e98d599973ed77db72e925066b0bf06
-
Filesize
772KB
MD5b0413889c021475503a5a477411965e9
SHA1393e61802091ef1230c1f577a11a2122f7eb4cfd
SHA256d8c6c4d0262f25be64e105235fb9d069634a45366d846ee6cd2047e90b6c7e2a
SHA512f58920540d5c5b2e81d213c98b544bba594a52f30529c850dfc4bfe76babc07917d905fda74e67420541fb48040a2547a7bf8e0f7ac3bfeded9d69a256ac834a
-
Filesize
2.1MB
MD5d0f94027c35501ecc07e8935a8a170f4
SHA13bd5f2de1ad185bd355e101408bcaf6b216f5a5d
SHA256383c017fee97ce5088a1a24c327f732e84e50c6cd8366fe078418e6984712b08
SHA512a2cc1ef0762f2ab7bf69defeb53432857fbe132bd6c97afa90a20c24d434c7a576d4b3eeb762e77e3e492f14dc2b356bffb8c31e5c2df677df887521e4fb0b35
-
Filesize
5.6MB
MD5edcf17bf40993f47fa9b792af5e8121c
SHA14ef4e4427a55d7f04cd6ef3a1a3aa256f42bad6f
SHA25641e1cf4585a8439e063123713922fe83a67bdfdf5930f623e3eadaa4b84715f9
SHA51237cc063acbaab9f86a2778929ade490d9c0db232db812afa9d774810f9bfd8d69cde0d23020513d24391e14f9491780f844c6a5b7e5aaf30847c4fefc44afbce
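The list above fuses each algorithm label to its digest ("MD50aac...") and does not say which dropped path each set of hashes belongs to, so turning it into an IOC list by hand is exactly where transcription slips happen. The parser below is an added example, not the sandbox's code: it splits label from digest, rejects any entry whose digests are missing or of the wrong length, groups the survivors by reported size (sixteen of the entries above report 581KB with differing hashes, which is worth a look given the number of service binaries this run rewrote), and writes CSV. The sample input is three entries copied verbatim from the list above plus one deliberately broken entry that we constructed.

```python
"""Parse a sandbox report's "Downloads" hash list into validated IOC records.
Added example, not part of the report: labels are fused to digests
("MD50aac..."), so each line is split and every digest is length-checked
before anything is emitted."""
import csv
import io
import re
from collections import Counter

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9A-Fa-f]*)$")
SIZE_RE = re.compile(r"^\d+(?:\.\d+)?(?:KB|MB|GB)$")

# Constructed sample: three entries copied verbatim from the report's list,
# plus one deliberately broken entry (8-character "MD5", nothing else).
SAMPLE = """
Filesize
2.1MB
MD50aac88840afa0d49ff23d031428696e7
SHA1fba59ed3350e601bf431943f0162f0295dbad8f4
SHA256bb103eb3a38f0a29aba955380ea056093e7e88f122418a34e4d3f3a2ef99056e
SHA5127dee08ea3ef4c85c94831a80b1beb0122a0987e3f6b277fa5b1baf0b8df7b2977cdab0f7795c54e22c7314213b4154d801c02204163fa8baa185f363da253ba4
-
Filesize
581KB
MD59436b47a0b972da94ecc927268422ec5
SHA1a503dbe0f9d8bdc593e0ff1a4b69e92d13bd14fe
SHA25659fc9d33ee495003b76eb0488d82fb07d819325897b38963efb4568deeef3867
SHA512d51dfb8603a35a7058d001c80fc4e8f3d6eb6cc2efe5d67766f1c390e4a563297ad82ee9b7739897fc3588d45c14d9ce82afa17caa3a9663df293b17db5868a7
-
Filesize
581KB
MD591caf14f6b2caa17018557b37417ffe7
SHA162b9719fe0d07ee858645ddfc2033465aa991ba1
SHA256d6672ee62a3670edee44941df9fbf9cf2c358c726dee9997f31a627a800c5bfa
SHA51267c423d30f9716977a8dec2d134506005c46a989ca5b1a42a10d9e128b7d1beba9aba2536eb7a5fe2925aaeb0f8b3eef03d949bd68d91c8c401c94204bb0eb89
-
Filesize
1.0MB
MD5deadbeef
-
"""


def parse_downloads(text):
    """Return (entries, errors): entries are dicts keyed size/md5/sha1/sha256/
    sha512; errors are strings describing entries that failed validation."""
    entries, errors, cur = [], [], None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        if ln == "Filesize":                      # the size is on the next line
            cur = {"size": lines[i + 1] if i + 1 < len(lines) else ""}
        elif cur is not None:
            m = HASH_RE.match(ln)
            if m:                                 # label + hex digest, fused
                cur[m.group(1).lower()] = m.group(2).lower()
            elif ln == "-":                       # separator closes the entry
                _close(cur, entries, errors)
                cur = None
    if cur is not None:                           # list ended without a "-"
        _close(cur, entries, errors)
    return entries, errors


def _close(entry, entries, errors):
    """Validate one entry and route it to entries or errors."""
    problems = []
    if not SIZE_RE.match(entry["size"]):
        problems.append(f"bad size {entry['size']!r}")
    for algo, n in HEX_LEN.items():
        digest = entry.get(algo.lower())
        if digest is None:                        # absent, or not plain hex
            problems.append(f"missing {algo}")
        elif len(digest) != n:
            problems.append(f"{algo} length {len(digest)} != {n}")
    if problems:
        errors.append(f"entry {len(entries) + len(errors) + 1}: " + "; ".join(problems))
    else:
        entries.append(entry)


def by_size(entries):
    """Entries per reported size. The report does not map hashes to paths, so
    a cluster of equal sizes with different digests is a lead, not a finding."""
    return Counter(e["size"] for e in entries)


def to_csv(entries):
    """CSV with one validated entry per row, header first."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["size", "md5", "sha1", "sha256", "sha512"],
                       lineterminator="\n")
    w.writeheader()
    w.writerows(entries)
    return buf.getvalue()


if __name__ == "__main__":
    good, bad = parse_downloads(SAMPLE)
    print(to_csv(good))
    print("sizes:", dict(by_size(good)))
    print("rejected:", *bad, sep="\n  ")
```

Run against the whole list above (paste it into SAMPLE or read it from a file), the rejected-entries output is the check that nothing was mangled in transit; a 581KB cluster with distinct digests is the kind of grouping to cross-check against the rewritten service binaries once the paths are known.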