Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 10:34
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_f645ddf8932198a06bc15f1e426b739f_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-04-03_f645ddf8932198a06bc15f1e426b739f_ryuk.exe
Size: 2.1MB
MD5: f645ddf8932198a06bc15f1e426b739f
SHA1: cadf5fdda0cf7f9febb1c66eecf15d9bf2508343
SHA256: fe863bcd7f37e6249fa5c496c6a9533df70f26f0f8e59c5100cc51dab31d8857
SHA512: e4b47532ed46bc33cdbb3d22a115e2f328868cb41c2f004d7531bc5a2e560f971a9dca9a00a6c2328cd3c92ddacad20eb64119b16842e1e3a7ab717f8e60a0e1
SSDEEP: 49152:8jFX33t4INlfTqkUMLu/52bulcI1wXZTBz5ggDUYmvFur31yAipQCtXxc0H:87fTqmeX14U7dG1yfpVBlH
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description                   ioc                                                                      Process
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                   Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
2604  elevation_service.exe
2604  elevation_service.exe
2604  elevation_service.exe
2604  elevation_service.exe
2604  elevation_service.exe
2604  elevation_service.exe
2604  elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
656  Process not Found
656  Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description                            pid   Process
Token: SeTakeOwnershipPrivilege        3680  2024-04-03_f645ddf8932198a06bc15f1e426b739f_ryuk.exe
Token: SeDebugPrivilege                4324  alg.exe
Token: SeDebugPrivilege                4324  alg.exe
Token: SeDebugPrivilege                4324  alg.exe
Token: SeTakeOwnershipPrivilege        2604  elevation_service.exe
Token: SeAuditPrivilege                2632  fxssvc.exe
Token: SeRestorePrivilege              4876  TieringEngineService.exe
Token: SeManageVolumePrivilege         4876  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege   3576  AgentService.exe
Token: SeBackupPrivilege               1656  vssvc.exe
Token: SeRestorePrivilege              1656  vssvc.exe
Token: SeAuditPrivilege                1656  vssvc.exe
Token: SeBackupPrivilege               3036  wbengine.exe
Token: SeRestorePrivilege              3036  wbengine.exe
Token: SeSecurityPrivilege             3036  wbengine.exe
Token: 33                              760   SearchIndexer.exe
Token: SeIncBasePriorityPrivilege      760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        760   SearchIndexer.exe
Token: SeDebugPrivilege                2604  elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid  Process            procid_target
PID 760 wrote to memory of 4248   760  SearchIndexer.exe  120
PID 760 wrote to memory of 4248   760  SearchIndexer.exe  120
PID 760 wrote to memory of 2316   760  SearchIndexer.exe  121
PID 760 wrote to memory of 2316   760  SearchIndexer.exe  121
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_f645ddf8932198a06bc15f1e426b739f_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_f645ddf8932198a06bc15f1e426b739f_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3680
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2988
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:5028
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2516
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:1324
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1060
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1088
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3312
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2884
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3272
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1312
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2496
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3668
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2908
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3860
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4876
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3576
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1700
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1960
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760
    Child process of SearchIndexer.exe (PID 760):
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:4248
    -
    Child process of SearchIndexer.exe (PID 760):
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:2316
-
Network
MITRE ATT&CK Enterprise v15
Downloads