Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 10:36
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe
Size: 1.0MB
MD5: fc1438bd474cf8dc307563f487339761
SHA1: 7477fd7f38897b745f58b726452d4e975155744e
SHA256: 7971b69fb31cca661e2c7ba0309974383377c8229f3737a76d32751ab11abc84
SHA512: c2b700d1eb4d02307523c689427f86730b92921517771f0b2500a526e1531b9021d00565644e7cd1f9e6d8f6c3902d3c770d5ad1048c1cca3b6ac2120a40ae15
SSDEEP: 24576:ov46agTjA09bGeEp6J17W8CX32+KJNA80T:z6/T5SexcW+S8
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   Process
3804  alg.exe
744   elevation_service.exe
1808  elevation_service.exe
3580  maintenanceservice.exe
3204  OSE.EXE
400   DiagnosticsHub.StandardCollector.Service.exe
1488  fxssvc.exe
3160  msdtc.exe
3624  PerceptionSimulationService.exe
2832  perfhost.exe
2808  locator.exe
3816  SensorDataService.exe
3520  snmptrap.exe
4536  spectrum.exe
1560  ssh-agent.exe
2140  TieringEngineService.exe
1596  AgentService.exe
3892  vds.exe
1196  vssvc.exe
4428  wbengine.exe
1144  WmiApSrv.exe
3700  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description                   ioc                                                                      Process
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
744 elevation_service.exe
744 elevation_service.exe
744 elevation_service.exe
744 elevation_service.exe
744 elevation_service.exe
744 elevation_service.exe
744 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
640 Process not Found
640 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4432 2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe
Token: SeDebugPrivilege 3804 alg.exe
Token: SeDebugPrivilege 3804 alg.exe
Token: SeDebugPrivilege 3804 alg.exe
Token: SeTakeOwnershipPrivilege 744 elevation_service.exe
Token: SeAuditPrivilege 1488 fxssvc.exe
Token: SeRestorePrivilege 2140 TieringEngineService.exe
Token: SeManageVolumePrivilege 2140 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1596 AgentService.exe
Token: SeBackupPrivilege 1196 vssvc.exe
Token: SeRestorePrivilege 1196 vssvc.exe
Token: SeAuditPrivilege 1196 vssvc.exe
Token: SeBackupPrivilege 4428 wbengine.exe
Token: SeRestorePrivilege 4428 wbengine.exe
Token: SeSecurityPrivilege 4428 wbengine.exe
Token: 33 3700 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3700 SearchIndexer.exe
Token: SeDebugPrivilege 744 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3700 wrote to memory of 5032 3700 SearchIndexer.exe 121
PID 3700 wrote to memory of 5032 3700 SearchIndexer.exe 121
PID 3700 wrote to memory of 3156 3700 SearchIndexer.exe 122
PID 3700 wrote to memory of 3156 3700 SearchIndexer.exe 122
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4432
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3804
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1808
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3580
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3204
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:400
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2576
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1488
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3160
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3624
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2832
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2808
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3816
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3520
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4536
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1560
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:444
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3892
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1196
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1144
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:5032
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:3156
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5f73960998e26b6157195bb0782912843
SHA198b88a869ec7354b9b68c0c47b2d588be50c03a1
SHA2560c6382156b40f85dbc07d530b1d7e1eec396a8ed07ee60b794eba00d0b1fec8f
SHA5129cf55ce8615c476e07bef0f4bf0ef0c6f26f8d945bdacf779dc233cd980df4fdc28879ac5158d320d560c8ef0a705f3e7cb1f0f7e7ba5d90bbac8a8b1031fdf2
-
Filesize
781KB
MD5a5cb722e2d3df12187fe4961396d5453
SHA15e6c07b534aa70554af5d7819fa6c7b8969e66b8
SHA25647b571af0cc619f7b3b9cb1647c0073dc8b49b71d572285d6d981a939df617b8
SHA512858bb704f4de6da87a72d8b1f695ee8264f749398548cb407dc31e5854a4a4a3d3f15bdd9282cd971cccab913e3d495331afe92badf997ca1c93120164d10413
-
Filesize
1.1MB
MD5d689c158331ce3f5007e706b4cda83df
SHA169adb09f939e2cff01d0ede4ee8d9316f498c840
SHA256e606a7a2c9117c4be379ddf74aa2e879b8fe82ec3370a02b75dee7630527d51f
SHA512a9fa2f3c844bdd2512f0af7c20b974239a457a4e4f07dd0e889244c2bb7caf3010159070c81194e0422e30ec263f23673ee2dbaf8c04954b84113382a367433f
-
Filesize
1.5MB
MD5fbb4f756f7cd055c81c408eedd4c0570
SHA1d75bce5a514644cd43b0067039bb5498649c7bb1
SHA256fd91ba8d2fc01f899726376e301c5f7095019216a38552219dbc79269283b651
SHA5120157fa6031c12331f36289cfe48b767d6a69a4b0ebfdfc67fe05d31d59666fde1ca3306f73772d4db6343bc0775f0b95eb17d8a1f5b8d4592a4befbd97471f77
-
Filesize
1.2MB
MD58ba1f4410b9fd707d8e5dc94b324ea32
SHA13c1c588cd3732ecd9c54f625302ed44d773a4907
SHA256d7992b5491267c102dbf883ee4b34778050b19cbd5199f46a9ba78841da6d2b6
SHA5124b61965dcce9d15e895d10eff05816a52bfc856a638e597be32683f210e587941c15d4cd06b14ea1f8edd8c45ee67a362583678a9548e2dcffc3a5e17b30e518
-
Filesize
582KB
MD57d4cccf89e8bd8b274acf7a39d799e1d
SHA1816e6e2a80a807aca9cb13cb3ffb6ab3bf7bd239
SHA2561bba68b5c594a091fe4460238e764e91636919b6f4dc9d5e4ef23e71bf0b01da
SHA512a7a4a138193daf94fab9e228a81fff4cf1ebf3a7fed507b47acce7051df9ec1195eeb983c0f81c34da93dc173a9542575454c17befe9722668927ba389cbea7b
-
Filesize
840KB
MD587229a06ce77b826d1244b6e6efa3e89
SHA10eda1f361a5162474882f45ed2edc482fd7e167b
SHA2562a76f53bdda257b2efe53d3a7ef6c24015bd02aaa250648106ef3fd2271e13e9
SHA51209966f890a26cfa5c97f14c089c30f6328a410edb38746b95c7b0aac723af366e63b5d3b5f527375c4a6b384acf43ce461b98ca731c18c7a1bd97c53019e7262
-
Filesize
4.6MB
MD553bf37843599886318588fbf8feb5017
SHA1ef033815a2c15f3355f61175469f30d289903678
SHA25676cc27bbf79f46eabc6071bcac419ddba64d74dcf341a3365b26be8b017e0a10
SHA512c4b5c8c600f7146143d0b33a4909ce53c4e37be077e920ad6623272f8b77ada4d16baa849c5ac64fbd345b2f0539c53ce17bbfc3385edb9c45e737c989f92d5e
-
Filesize
910KB
MD5ef46320cfbc9554bb7a86fe1fdb3e33e
SHA16d6d1e287a02a2cb9064c6d068ae8019eb5e0e5e
SHA2567a08c3a2d33ad2a0f7955c6dbd8c2c1a26ef90f3dbf4e24792c1c248a5dbe29b
SHA5129ad05622eeedd0ebfa84c15211b4026aefb0316599e6039990106b535f97d855d3cb3064fdaf90221efd312ef3eb13a12015ec72d1ac6f00000933c873444152
-
Filesize
24.0MB
MD56d5bf9c4de03bb65d8876de18385b264
SHA18fe48873025692215d7b3ec2f3a1e1c1e48d6889
SHA256cd9361429180c2368ea58ea403cec019da09c0995e184aa88c155787963ddb2d
SHA512ee0dda4927bb23648211389bb57501157e1204409970b6c3b8ae7b8f582c1c1fceb7c896d08c0ab9a1f798e1adfaae2ffd998fc050a322d1ab880d201d4b432b
-
Filesize
2.7MB
MD5e38e52a84e956da87d032a16db4cccfc
SHA1d57c79f82ed0a6384d58f6703a24230062a616ec
SHA2567f274f0221f3019a018b2f358924820c97a86a4625f6a6819753ea3df5957eeb
SHA512db7c33541ecfdc7eeb02c6e7795c062b9f93ee0ddd560ce757873b58cb3ed7042f1a77e623e06ab7d555effcd0ca2af2ac4a90a0b568bda212a88720c0837a54
-
Filesize
1.1MB
MD50de84992ec21bcde4e035e1345c1a986
SHA19f95dc04fb26caa721484be7e152ded3279595a7
SHA256d170eed2d614c4d4d238eb53d680f4b2002c0abeb635d43f6bbf9d4391711821
SHA512a6320063cabbd730544e2823a3953134c8bdc999ada15e2c4e21ad8698cf547dc7762232a1cc4d1c6973dd648ade6ef978a0122b578107e8395ca0cdd5670b9a
-
Filesize
805KB
MD594c752d04a92d2f2669c10922f8b4951
SHA16351ba994bb3e56d043e47020f550a4debcae702
SHA2566137c81b9368d15b473c78e2fc7532e36b3e35e98a6773849640557a822c6f08
SHA512ca05e0ee714312b8adc03de53be381976a5bf20d502c9e8c1afaa9906d0562c6d59aa421f379f1418460316fdc743468a5af9eb389894d52dbe1409f7a86b136
-
Filesize
656KB
MD5872bfeb29d95ab29a59db30286efbda2
SHA141f5d06ab61e66d56b813d1f2d7c499b2770282c
SHA256ad8219c456e041fcde88484bb2b5241e49078fbfb3ed9f456a26235798bbe704
SHA512cfe7df8fbd6ff251afa3d22e78e59377be2a98bd2cd2168197fc821a0ee4930ac77f29c5f7e6ebc084c25dffbb9b45085d90aee6adfd80cd2467bc811fb49f2e
-
Filesize
4.8MB
MD5f0c258ecab03763c90e20485138a646e
SHA16a3db1e3f879e200efb88f4c24591a4b960e27b2
SHA2566e8421bb7b933778569ac29eb2d7a94291745e9a2161107bebb40216a57c5c5e
SHA512baf7398466b3fbf3b15b8b51b12b6c0b3de36a49a4369bff5b0d669d0ee07f3ab9ced2ee39946daf001bddc6131c6b7f559f6cb6969fadd9483a1a28b563b651
-
Filesize
4.8MB
MD5bcbe4e072ffb10edb8b7409672d6d644
SHA19d1e049dfb1aea6e44ee7e2052314496478da517
SHA2563788d91193ee4075ac5ed0521833aa4da79eb14d2f69216aa7052dbb88f21557
SHA5123f30967a94c27498984b097c38b1336a79edf881118fcb038fff6dff84e049c441bf440472137ead26b8aa1da0e46eafb6d6abb19985a45e8850d440798209bb
-
Filesize
2.2MB
MD5de62db4ac920326e69124cbfcdc337fa
SHA13697b85c2bf66931c021c214f3a53c8f76d49bb7
SHA2560a34f1f7ca8a2e541c71defa02edfc1fef49fccbadcf1c12715afa81247f4fe6
SHA512d29278369d55879a26e5ae93160f2dfd47671b0e6ac626fe9c7cfaa1784f2c2ca2d9021afcedb348e75bd22b679dbad8da9d5008d6fd54fcc17b2cb990e72de6
-
Filesize
2.1MB
MD53ecd4db6b692c66f11c41322d20c2738
SHA1e5a82397fb75c0f955cd97ecf66be8c707741b81
SHA256a6259a2f4dddc5bf5aaa3c97ec1a6e029922a5e5c9f9731be93d385f15deb313
SHA51284bed82faf7b28151a223743c310ef9fe9e9e35a2882c98ab640a114db861a9e0a6acd1179c66a23d43ac76b4d0e02a739d9ac339f156d45c276d8469b8368dd
-
Filesize
1.8MB
MD50a0a505f17442b52401dd89785adb7e8
SHA18be17d24d26852798317681dd0c9319fdf1a5421
SHA256dc9be1a86b56640ef93f71b8922fd8a41f53642647896eaea484080940915da7
SHA512eb7ac30e58bbc276ee392ab97e9d8c4e36ca0c723d3aa703154c6194907c0d22776ed7c89e2247d0651f3dde725f5135d65d0305178c64ff389f811e42ced3c0
-
Filesize
1.5MB
MD597d92a49acfba48c624a37c2cc48a35e
SHA10c19d4c8657a4cad07e2e1b4eebfa6ae31987337
SHA256809718a847fe075027bb7fd7adcefe174d031b8f8df8dd6aa1ca433c91b01028
SHA512b061e6992f135be6b4e53d5da63199b837167f8306f3bd564d60a430944d14aa0f01c7b8f5bf69219549f7097b8462d5059dcac6fed63ec4a6c0702573afc289
-
Filesize
581KB
MD5054c5b9d777fc7cab79a1a24dd5559de
SHA195f1936ffc9c026f68b92bc5e7d9ed48704b5d8d
SHA2568e3827d8cb6863f7125436e4d5d60692e3287c2a70310e8d47070e8517b22563
SHA5120174676fee6f80d19715c162ecc2bc485a78cde805f08640f4b45f544b0aee5e8b3cafe2c7b50bef698b336cd7480215bd33e1368e6ee1bea37d8589f7eedd79
-
Filesize
581KB
MD54e93d88830ea236fbdc4a060df875ca2
SHA1b1bb59706b5f20edaf7639f62c3cd91d51d7681d
SHA256a3efbd0f42dcf11f626cc0422ba3987f8a3a6132b8c53216ed5a8fb260297c19
SHA5123223692c7900585eefe7666b1d96bd96fdddae6d9e7d31db6ef9d45a21ecc2fa685d460bc9d8ba4ad6ede4ca9afb6f7aac02a55c455513d2df2eeafc98f5d4fd
-
Filesize
581KB
MD5fb334bfcbcef084ebc31795ab713edf4
SHA17ca7044ca6dfd59b8b2032b5a600cd37fd7ab3c8
SHA256877b5906b19a15f21cc573986c2cbc79cc59281649e6dc78409bbf1254954ac9
SHA512a496540cbed7253b275143f85070955483357fe3ce9852593205685d3cbb48082a31d1a838bd6b24c84d9bfdd2855efe112036f6ffa1c0da7fd5c9f5f94d3d96
-
Filesize
601KB
MD53accd025db14e92655e0754adc608eb3
SHA18e0a8f2d7b04f68dbaa67867e21ba293b42c7cee
SHA2565c435f09a5ad602e30790552f2634fe325c57c95a843dfb709563f8e86ecce7d
SHA512e4b5bc0612f25d1908b08cc4d56e5f1f97f4c79bf92102e7d1430114f8b0b2e93f798706c3efbdf889db8d7bb3141d3bd3f2da3671d045b6cd9da33c55e70e65
-
Filesize
581KB
MD5d219a42be83ca33d0fb0b31890e60e1c
SHA150acd08d3041fc75f447c92b06f3f12efc3749f6
SHA256cbc1955a39fe265d5dd8a7f8cb8f86599465351db344fee14274860740f81610
SHA512eb30dee9231723c1ac29b98db5be4a359ba55144eaca5d0ae2e8f080944fc028452577989a400fe1147a868e9dc3a7677db8297bdb697a52a2e540ef4cdaed3e
-
Filesize
581KB
MD55c5d7d8ce9219a4e2f0e89c6a8b19ed8
SHA1a4b424ae0424e620eb97dcb2a0021588de97f42b
SHA256e55c4fe9270b9202a1527214794b1223f9f355e7052fb1732dbaea8a6614296f
SHA512e6bfe8991deb2899a8e2cca55e5d22eb6ee2493ecdec80958ed1b358db1ccfaeb2da84983468fa20a84c4dbc9f4d94a9805f181cc5819478b8b412d8234b07d6
-
Filesize
581KB
MD5a2db43709f32650f95aad283674c30f8
SHA1bed0c382e9789b8761136c1368cd58ea92b0e0f3
SHA256994cac653bb5037c3b2420b066ddc1b1fdcd0eabb89db2520e5fd1814fe20758
SHA5126582cc7f9148576d6ecf1e05995e90b012875fd8dffc1763ed739d7c8fc19ed8f0a640b9265aef47e88990c815ec4bf9552dc6bc01382cd7110db5320b34e95e
-
Filesize
841KB
MD58cc2846d31bac3ac9d0d7c3d70dd845d
SHA11c64775953343bf55e5cb95786361daa9d7a1d98
SHA256c591e3ad0139daa09c5b38ee68cc5e0b03abec28b896f066ddacdce0d6d9f2a7
SHA512fcc45fe4e5712a9177d86ac633fa361242fec2bb8048fa51b8424490030ee609f8412285d2d8b3880d236727915aeaae753a6b43fc0491ed61ed507e36575287
-
Filesize
581KB
MD5e7606c193aed838c7062b44f94dc34eb
SHA1b26bdc92a55333195a913cc6222ad2d9c15dcb71
SHA2564657ebed75be3360918b97a2f80e00170ff84ac88a196fdf312e7b4658119bba
SHA5128f6ea39ae798869ed248966313c00d242ecf11e346714975d6188186a0297e816341d0872302132355f851f68755e4c57f811248ce5a27d5384bd1b0df9c994e
-
Filesize
581KB
MD5146dfa33f901a845b3598a7e7a16e49d
SHA1932c4bb8905c959f8477c8c1ac3d9296d5c0fe6d
SHA256a1d6a5d85638d3f8cf720629373fe85e7b5adfa7208a0cddebe256d7abc5adf5
SHA512c21cbd10ced018e9a4e1d33837535e3974034d9e641ac6f9e8f6c0ae7fac68327e65bddbc4cadb6e209ce00180459f5995f7bff15a9718a6b02092dec22646fa
-
Filesize
717KB
MD57b4419fccbf720f62dfcad6999678a40
SHA1ca8bf92f9e473c4f7a586a4c132f11264252302c
SHA2567f5126cf590f6f2abd91213fcda11fbad83cf1049b6bb8a7b76d4a9b54a1be68
SHA512647693b61ab6bd6f58f579b853d2847dd5036b5948b1c06fe47acb3f36740aa2a9d83c4f978be7e19a13553af33189598e9b8b34913dcb70da9a6bed3327898a
-
Filesize
581KB
MD59c5ca39a26c8876cd2ac8f879893602b
SHA1ee12f01b4cee345aede40dd5a49159af9705adcf
SHA256988abbc93ac89db7ae682736501acb842eef4422fd0a50811726c9a36dd2c525
SHA5126e9294973d628949f73b42c4c71deeeb6c7b8db55d6b17786840d87bae91e13af527bea9e8f419e0f74a608780ec7c7097f2b8c73b3fe9095998bedb965a5d0c
-
Filesize
581KB
MD59070add8ed5c462f5a960bd1e455f934
SHA1cc595e19a6daaf65d0703f9e6f6cc0033b59078a
SHA2561702c10908f6c31278ebf52f61eca115e75e5ed13e687d0aacb62815ebca731a
SHA5125259dee24ae0c33cfd05459760986955a719492b686fb547a84c50c634ceb2c58c8930bfcb7e961c656342faa50571874edb28982197881c957dc2f0da057a67
-
Filesize
717KB
MD57cc5ef6957be0cf830392917bebe22e6
SHA1523fc030074e52ea51f4920a3b812db656aa9361
SHA2560ffc71d82a9e4af8bf0d3496008640bd14fc04d34a42257b768e0b8b8edf11d1
SHA512ff12aa2bcec08fe821b78ac64815488e3be2884cc392306d97950ac438dbcfaca1c5f61b0a3714959f475de2cb00aee2a761043021f29f7d6d4559c9f76a50cc
-
Filesize
841KB
MD54b73bb8c0b8c310abfa6405281349b33
SHA190799d25f8749d2e85147d3dee4feb182e1267c1
SHA25683f47bf6c25b024b12a1853992a931268b6bbff006c2ecbdb9ebf4b23c57a690
SHA512d80641e100219c69ec7783f8ba0ad79155ef0317771aa7e3e8e600600163e9089f36e7c3e5dc859becd08b44f15f8b1bdd30e8a6be939beec05259c3b8334589
-
Filesize
1020KB
MD5b9d376f2ff483456e3ad63b291f3df5f
SHA17b2ffd02208391194577a9caa0e51ea5874e9a4a
SHA2560aab19ab8b56e1f3c0824d82722d682940f7d5a99239e717f9f26b0e43c8cf6a
SHA512568ddf5313a8557366d9344314004cb4a7c2cb45847242adde803f6b3f8c79952e351ac868c4ec3bb8d7ba3696c82d7c909b0b0a53eb2b23f770ee3147bc8a19
-
Filesize
581KB
MD55e13ad88991e6c6f868a4873b4984ca5
SHA1da55d3ec3f6aeb87caa0dfde33c390490f172136
SHA25695b6cf46259a1249aecac4fe48b5292fa65dc9807d00fe457805a2d8725f7e2b
SHA512a0b9da2bf438c73fe3fb8ffc8004ccfeea42974e35c1160026872fd578b9fed5cefb9a27e29158d05cc27ab7f747969c299326ad6ed6c4d08f6025bfc21ac6c5
-
Filesize
581KB
MD5bf8f8f8884f9cb0986b2fe03941d9343
SHA11b902cc74d719dc1ad9325ebf4c6b5362d76355a
SHA25643747a730043cd2e36687ce780bb202cc02914adfda5e324e6e62ee141c81a0b
SHA5129a470f59cec6318647046f6a29e7c6a8dfcc73d6baf798ca4ce9b73f8e83975ec39bb6368d37f50634214992651dbdf4688d6d0318b0cef65c9abe236d1c3811
-
Filesize
581KB
MD58a452a0a4f4e410967c6213516489fc6
SHA1503b6d273994dc6963dee9abfd2328a331ea3067
SHA256c87f30a2d9bca2420c544e3bd3f88631bd8ae125c92c243735d7f52b28938bbc
SHA51286fa5ae7b69d76c4f58bdbc631a91fb158a4e1ce76cbe33be1f5d385ff78d0425cd2e982132e70ab02571b5004d9efa776c1dbaeb972bfaf00d7fef4848dcde9
-
Filesize
581KB
MD56f53e494c041a96fc27ebe034d9fb7f2
SHA1da55074f1a8550fd897f67e1f698ab82194003b5
SHA256a42d55d9542cba76d751a70ef9989dae67e95303853d83d8311e36759e54eacf
SHA512f50ac58c07beda6e4f4ae78ae269dc71d3e900ee6d382a720bde006503265d0c1deb056d0f39ea6e03f8fadbcb0cdb361075d1cb66a335e8f8f38289fccd8fd6
-
Filesize
581KB
MD528e229894f1b83f0530f501f8ec54146
SHA15b6592bf870820777cba1309ba22d0628dc00f46
SHA256c628ad4208ba692fa98507f227c819dff324a3be5fb032cf49785f67f8b91bdd
SHA5128eb370ff4b35841c9379c78040c93ff0f209a89c45fd1f3e62f6f1cbb74682bb533cc44095c464cd9430b08c8a4da0727899a042d656f66e317e0598131debbe
-
Filesize
581KB
MD5b6d01f83a19284ec588db85df10a791a
SHA1b4e03875e0a2e38f2ec22bc5e8ee338501298a29
SHA2560b41db66f6506959ad58f680a819e152a4f92f5b7667997fde5204c854a29348
SHA512c1c651aaccb1b21a2f0da2f2eef2397ca6a2fda1170a55d1b3b9d0de209b8a4ffec96d5f50ff0b4853e35f3918e09d07a03e063561f908759c7cbe3e2c520fce
-
Filesize
696KB
MD5338639b9e1954203428e4cda6386788e
SHA1d210768f06896a860e6ff2fa3c5fccadac57e7e3
SHA25609143a5b9f2e19108e0120d4563ec7b1cc295e07e0ef3e43a757031c8bad50eb
SHA51278bfbaa0888c1a51b8fd579bb9a561816f105a949a6ca2ed7eb703b16251d12d72717c47a94429fb42cc8615a1345787e675db225e59203bf7ef0b1eb3482eb7
-
Filesize
588KB
MD5797be6fc4857a298abc28450a4ae842f
SHA1c91c450e87cc3b1f9ee060749d84e4882e924e27
SHA256cd4100a0245448a8fef80a3dc649044f4850bec55b74a63f72b5e6c1ad47d557
SHA5122d921176d19835baea77ee8721c3ce92177d597c87a66d8c21e9cdd6d8da8783651692e1e2a8b49a7eb84ee83fb2985665361f49b15a3e9dea9cfa123af1a7f2
-
Filesize
1.7MB
MD5a8156bc94d7a0b85cece333c3e96a718
SHA15897c82584f483c927bc2bd09005e6d198329db8
SHA256a18032674f63cd45588df4aae989f249b97ae2c15949f1365dec45d63c3869c4
SHA51216ae890bdd874fb72a9ae654fb62707e0f586308de61b1786f3efdf810aae2ab15c35ca87ba7f561480f12b59be119c29277185c2d31764cab28d0851aed95d2
-
Filesize
659KB
MD5fd1995bc193d8a23798b963e9e613b3b
SHA12bcc908731c94f403cf6309a6e0ba42225e3f206
SHA256f6364ff679e1bf6549cd486018c6d5c32be8cdc2e8f23f7e40eb6b2039fc3cfc
SHA5124fff3107853df146a715dc0a2beab0ef85bc798d2799d1bc266dff004fbab1d7a1255b63ca6cc1e09bb257e6bc8339021322df3cd3380f5da08b90716bc2b686
-
Filesize
1.2MB
MD5c15ed17223fedb417f4438c3ec1c7f6f
SHA1a9c0dccca642fc5e3c8218ae7c4f6aab40274902
SHA256f15150a37113f04c7e10449e62e83ba5ae4971511b4eba87f690fd4d26edcbd7
SHA512c43c584ce9091bf31e717f8e72b89e677c6d80b62a672e0912a496683110fc1d9c4418403bf3c8c8f0bed32cf5216dc80ab5715a90df72e76a00b5e28a441202
-
Filesize
578KB
MD5081a21d634efefa6fa497b16a11858e4
SHA165aac2f85ef046575e0149d0f72bbece340f3e53
SHA256dbe5977f32650a053b63c566ca790df69caa47b352edad4c93034407471fbb70
SHA5129d0633444c5972af1bd5a1a178b9be1130b3268f321a0dbaf12938afb5ec03165e7fa7dbf2f286cbd51433bf2f2f8f1fe1d68a17a105044a2fdbb390f3e05492
-
Filesize
940KB
MD5b1b7cd228c7d6b14a5ce109eac9d8474
SHA1958270cea0ba2c44286a2eee1488fa3410de922c
SHA25665adabffb2faf5dfe3971d25bf1af36138071ceee95ff736cca8515c3f4a63ee
SHA5128df94be8ba35a6d80469590dd25c0f041583b6b597d582f0640ca3811905f7226792aa18f5e2df4edfcdfbee8aae0114b8a1fa36b15cf9a4a559d9417004bdc2
-
Filesize
671KB
MD5456bf7341f770ed1383ec6d15a6d88a3
SHA1451099eddf9f747740e382e7331ddaf97bf4f86d
SHA256d5f6514373fd7716a51c26aecdf7ba70c295a2cdc7591ab567cb7be1fbffa852
SHA512df20a01653692449a3ae05d30a68b89493a488260a89e27f91561b775c5474c52eb51e80a8f09a279979da36c125ccb8bbd2952abcb4cd09e98b80e32269cd1d
-
Filesize
1.4MB
MD572f1b6934fe14e3ebc66771d2644d479
SHA13ffd6deeb5074a6ecaedf2c2646907e7d61c2ff2
SHA256ce12b02c0b294e9b349a1236ef5116c8f1e889bdeac52e9ef4a764a8a3b6f805
SHA512f020146300728705ee74faee7a21bc1d0251551e91e224f1b2108395c811870db60a6a39c77c1d60f4889a7304d47990a8d3e140d6bff788a1f1f76e6d2d45a2
-
Filesize
1.8MB
MD54f08aeadefe6c4451be39c0880598fe6
SHA1a8d7a093d954af362d116203b6484b06836284da
SHA25615e2ea1d0a33e30086d5355de0763cb9ba6f77f32a42c4a2eee0f89f0dc1c95a
SHA512ba5231bfce7b43e5fa4e006d9f652dd11880efc865021e2e1a54527e57e9f12d69ec5e2ab485cbc0eb407789014394c63b56adda12689d5d42a02745b8a8b28a
-
Filesize
1.4MB
MD548a724ca5b2cd7fd4adb388125f0ccfd
SHA1f2ccc8f2527016c00040c122e93ab1964b7c5e8f
SHA25627c5b0877a9e75f4e84b24007a7d0674418e3f9990398ac2744b76c95f383c72
SHA512424770be173399f2d47a7d6915e685c231174ecc5960f76d30554d499c5af6fa7f1bf1ba08a3093dcffbf56afa88227a31cb30f7081ad7aeb4ec5d7cf8f174f1
-
Filesize
885KB
MD5c15a46137b0efa569d4c9ec84291d632
SHA1272ab57c4495596cc06516ff6e4466769987e5bd
SHA256528bbb9c326ca989a786b53f3a2c15b2e369ee14e8d8e0a63f98849adfefe448
SHA512db3eff0bf72f3116d543d2cf14e032bf020b0db104f0fd9426d3ca3e20825b572d017be8209d7acccfddd525f0b929f2c5bcdc61f4358f5c5671900ac0c7e152
-
Filesize
2.0MB
MD5d8dc6e0147e01b6ea630ed732dd75f1b
SHA1b07bb668c5416ae4fad488cfca9bb109779d12e3
SHA25649fe4aee743366f2de07a551b6ef27d36f06cbe601af73ea43f5e42923bf1f10
SHA51293299cd6e348395c8100e6fc49294ab84bbd38f6aa230004d64f5e38ba0014cd8e6a3f8395c1181a9906952563099a0d9da74bba98054a58e975a14dd4a7ec27
-
Filesize
661KB
MD5c8b6c6eae04eef132b6dd305cbb2cf87
SHA110ab3d3f58151124c3073fbdfa4ecf5c8138a801
SHA25666e778761a20177a2f56e6403c34d290281ad6f677c986466cd0168be72b7dbf
SHA51213eb16faedfb97802aeeddc2be29b0843f9839e384ff7fa11ceaf1e286ae3f66039dded233bab55db307dc269546ebd651e7c88ba8b29c417df3979c193c3c07
-
Filesize
712KB
MD511ffe2ffaf472bb61f5de2d6e2821d97
SHA17629858b911b2335eaa4a8871e3420bc41706a3a
SHA256a3a2ec16e56899a5cf76b2003c99221707b7f239c958af762a43282604615403
SHA51226fb7a27618a75e68f7be6b0337d323dc2ecccb754f4ebcda9aff674dc76e495aeec6692c3f9bc5c2e51dc91ffbab62da76f93e16c3ac78a20f6546ce68d74d0
-
Filesize
584KB
MD5091a455da4ae52ed45895cf4222b59be
SHA124c87929b4a0ad82a97aa11d74bea8c4f13ad1a3
SHA256173753480b2ccdaf95c3d9a50360cf76a9bf5571d529d336c6efb7ceca8743d4
SHA512e88dae04f1049ddecca17ca009e9181cff7cbf9d999d86c0fec6d3e272d22b3665033755788527ee27ef18509aeb0d964df1a38377dace3145ef43ed4468fa70
-
Filesize
1.3MB
MD583e36fabab7e92b6ef193fca9931e8cb
SHA15b714785e8aa955b8c42e23d01c714643465cfb1
SHA256747af89602fd63cfc0664ef536c3a71377b33cdd78e5e6c826f9d8fabe7e0a3c
SHA5126d821568d3c019acf384627eb93e0ba5fe605a79acef928f9c2e6ceb30324928127a9dee57b169c02993c5a016695c65aa793f1a562af02737fc0a0dad6e8a1b
-
Filesize
772KB
MD59ec9106055065ce92dbe740200ec4afb
SHA1fa5f6c0ce6196509877e2edef2589c746d40c749
SHA256446df6f51a7e52f519b1de701f65028e2db0b6dc6390d850f3bd851223ecbf29
SHA512edccf257c96915f3233b5ed9cb2a8f4de11872394279eb64f6fb22013412472ba0d9b59a79d1c050aa7408cbe8e7a304a01c47e636daa41ff6dde207011de833
-
Filesize
2.1MB
MD5caa512b1fcf31a45e560270c0f941b70
SHA1d7a1663ff76ac62d1f4a69c4c780dde5d9ee6764
SHA25666e423c827f0ca172003d18aac08efb38db18a69868c6aadef462514788947d6
SHA512426a5e8ebd7fc1793a07bb23a6601e346edf58ebf2bbc6242d0fddea58adf2a06793c67b8c4bed77e0b1c28b8827cfcb9c7a127875946781049e6810aa330421
-
Filesize
5.6MB
MD590efec1780bbcb3e19da39120524a5e1
SHA1fc0a1117d0053a92bb427b30c1d5494cce3cdcfa
SHA256cd923582cdb0120a5ba99764fa0bcfb3a81621b09064261d148dc9700ddd9a17
SHA51263dcc693d1e4cd5dcbd8f8d127e957282bfa6a7ad6d9a2b4cb1f21ef0ed886c42f745c09b7183e1c368425e94eb891eeb1dd2138536ad3fe3c52f6335a6c0be4