Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 04:58

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe
Resource: win7-20240221-en

General

Target: 2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe
Size: 2.1MB
MD5: ba4b5d7a56eda44ff80dc5da595940d6
SHA1: 8cbe5994c8b716d4675c3781f4d385fcceda29f9
SHA256: e54bbea2c08f2133acd91c5d05d5b581f227253366dc975ac4229154a81fb45e
SHA512: 139f653aa64cc6636d69ec5344f6007b276c85ee52d20ab3feae590f8e563fb86c6d4ea9b2c34dc72247065ec1cb71cc240b792778cca423b5df3756bfd3b9bb
SSDEEP: 49152:/jFX33t4INlfTqkUMLu/52bulcI1wXZTBz53ctXdujQzfkrh6do:/7fTqmeX1QjoW
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
244 | alg.exe
900 | elevation_service.exe
3000 | elevation_service.exe
2904 | maintenanceservice.exe
1884 | OSE.EXE
412 | DiagnosticsHub.StandardCollector.Service.exe
2864 | fxssvc.exe
704 | msdtc.exe
1496 | PerceptionSimulationService.exe
2632 | perfhost.exe
4128 | locator.exe
4972 | SensorDataService.exe
4444 | snmptrap.exe
1632 | spectrum.exe
4612 | ssh-agent.exe
1992 | TieringEngineService.exe
4264 | AgentService.exe
232 | vds.exe
932 | vssvc.exe
3144 | wbengine.exe
4400 | WmiApSrv.exe
560 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\16cff5dd12d07ad8.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid | Process
900 | elevation_service.exe (7 identical rows)
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
664 | Process not Found
664 | Process not Found
Suspicious use of AdjustPrivilegeToken 42 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 4808 | 2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe
Token: SeDebugPrivilege | 244 | alg.exe (3 identical rows)
Token: SeTakeOwnershipPrivilege | 900 | elevation_service.exe
Token: SeAuditPrivilege | 2864 | fxssvc.exe
Token: SeRestorePrivilege | 1992 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 1992 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 4264 | AgentService.exe
Token: SeBackupPrivilege | 932 | vssvc.exe
Token: SeRestorePrivilege | 932 | vssvc.exe
Token: SeAuditPrivilege | 932 | vssvc.exe
Token: SeBackupPrivilege | 3144 | wbengine.exe
Token: SeRestorePrivilege | 3144 | wbengine.exe
Token: SeSecurityPrivilege | 3144 | wbengine.exe
Token: 33 | 560 | SearchIndexer.exe (the sandbox left this one as a raw LUID; 33 is SeIncreaseWorkingSetPrivilege in winnt.h)
Token: SeIncBasePriorityPrivilege | 560 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 560 | SearchIndexer.exe (24 identical rows)
Token: SeDebugPrivilege | 900 | elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 560 wrote to memory of 2144 | 560 | SearchIndexer.exe | 121
PID 560 wrote to memory of 2144 | 560 | SearchIndexer.exe | 121
PID 560 wrote to memory of 2652 | 560 | SearchIndexer.exe | 122
PID 560 wrote to memory of 2652 | 560 | SearchIndexer.exe | 122
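The AdjustPrivilegeToken and WriteProcessMemory tables above are rendered with every row run together on one line. The following Python is an added example, not part of the sandbox report, that parses a subset of those rows as transcribed from this page, groups the privileges each process enabled, resolves the bare LUID the sandbox could not name, and lists the processes that hold ACL-bypassing privileges or wrote into another process. Which privileges count as sensitive is the example's own choice.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the report's "Suspicious use of AdjustPrivilegeToken"
# rows, in the flattened "Token: <privilege> <pid> <image>" form the page renders them in.
PRIVILEGE_ROWS = (
    "Token: SeTakeOwnershipPrivilege 4808 2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe "
    "Token: SeDebugPrivilege 244 alg.exe Token: SeDebugPrivilege 244 alg.exe "
    "Token: SeTakeOwnershipPrivilege 900 elevation_service.exe "
    "Token: SeBackupPrivilege 932 vssvc.exe Token: SeRestorePrivilege 932 vssvc.exe "
    "Token: 33 560 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 560 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 560 SearchIndexer.exe "
    "Token: SeDebugPrivilege 900 elevation_service.exe"
)

# Constructed input: the report's "Suspicious use of WriteProcessMemory" rows
# ("PID <writer> wrote to memory of <target> <writer> <image> <sandbox procid>").
WPM_ROWS = (
    "PID 560 wrote to memory of 2144 560 SearchIndexer.exe 121 "
    "PID 560 wrote to memory of 2652 560 SearchIndexer.exe 122"
)

# Privileges that override object ACLs or let a process open any other process
# (the example's own selection).
SENSITIVE = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
}

# The sandbox prints a bare number when it cannot name a privilege; the number is the
# LUID from winnt.h, where 33 is SE_INC_WORKING_SET_PRIVILEGE.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}

# Both patterns tolerate an optional " | " column separator so they also accept the
# rows when they are laid out one per line.
PRIV_RE = re.compile(r"Token:\s+(\S+)\s*\|?\s*(\d+)\s*\|?\s*(\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s*\|?\s*\d+\s*\|?\s*(\S+)")


def parse_privileges(text):
    """Map (pid, image) to the set of privilege names it enabled during the run."""
    enabled = defaultdict(set)
    for priv, pid, image in PRIV_RE.findall(text):
        enabled[(int(pid), image)].add(LUID_NAMES.get(priv, priv))
    return dict(enabled)


def parse_writes(text):
    """List (writer pid, writer image, target pid) for each WriteProcessMemory row."""
    return [(int(src), image, int(dst)) for src, dst, image in WPM_RE.findall(text)]


def triage(priv_text, wpm_text):
    """One finding per process that holds a sensitive privilege or writes into another."""
    findings = []
    for (pid, image), names in parse_privileges(priv_text).items():
        hot = sorted(names & SENSITIVE)
        if hot:
            findings.append(f"{image} (PID {pid}) enabled {', '.join(hot)}")
    for src, image, dst in parse_writes(wpm_text):
        findings.append(f"{image} (PID {src}) wrote into PID {dst}")
    return findings


if __name__ == "__main__":
    for line in triage(PRIVILEGE_ROWS, WPM_ROWS):
        print(line)
```

Duplicate rows (the sandbox logs each AdjustTokenPrivileges call) collapse into one set per process, which is what matters for triage: elevation_service.exe ends up holding both SeDebugPrivilege and SeTakeOwnershipPrivilege, the combination that lets a process open any other process and take over any file it cannot otherwise write.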
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the VSS host itself, C:\Windows\system32\vssvc.exe (PID 932), is listed under "Executes dropped EXE" and enables SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege, so the signature fires on a service whose binary had already been rewritten during the run, not only on a caller of the COM API.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe"
  PID: 4808
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  PID: 244
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 900
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  PID: 3000
  - Executes dropped EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 2904
  - Executes dropped EXE
  - Drops file in Program Files directory

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  PID: 1884
  - Executes dropped EXE

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  PID: 412
  - Executes dropped EXE

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 3252

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  PID: 2864
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  PID: 704
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  PID: 1496
  - Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  PID: 2632
  - Executes dropped EXE

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  PID: 4128
  - Executes dropped EXE

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  PID: 4972
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  PID: 4444
  - Executes dropped EXE

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  PID: 1632
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  PID: 4612
  - Executes dropped EXE

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 2560

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  PID: 1992
  - Executes dropped EXE
  - Checks processor information in registry
  - Su+spicious use of AdjustPrivilegeToken

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  PID: 4264
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 232
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 932
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 3144
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 4400
  - Executes dropped EXE

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  PID: 560
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\SearchProtocolHost.exe (child of PID 560)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      PID: 2144
      - Modifies data under HKEY_USERS

    C:\Windows\system32\SearchFilterHost.exe (child of PID 560)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
      PID: 2652
      - Modifies data under HKEY_USERS
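Each entry in the process list above is rendered by the sandbox with the image path, the command line and a tree-depth digit (the number before ⤵) fused onto one line, and the PID either on that line or on a following one. The following Python is an added example, not part of the sandbox report, that parses five entries transcribed from this page, rebuilds parent/child links from the depth digits, and flags images under C:\Windows or C:\Program Files that nevertheless carry the "Executes dropped EXE" tag, that is, vendor binaries the sample had rewritten before they ran. The set of trusted directories is the example's own assumption.

```python
import re

# Constructed input: five entries transcribed from the process list on this page, in the
# fused "<image><command line><depth>⤵" form the sandbox renders them in.
PROCESS_LIST = r"""
C:\Users\Admin\AppData\Local\Temp\2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4808
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:244
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3252
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2144
"""

# One fused header line: image path up to the first ".exe", then the command line, the
# tree depth digit, the ⤵ marker and optionally "PID:<n>" on the same line.
HEADER_RE = re.compile(
    r"^(?P<image>.+?\.exe)(?P<cmdline>.*?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$",
    re.IGNORECASE,
)

# Directories whose binaries belong to Microsoft or the installing vendor (assumption).
# A process running from here but tagged "Executes dropped EXE" was started from a file
# the sample had written first, i.e. the original binary was replaced.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_processes(text):
    """Turn the fused process list into dicts and link children to parents by depth."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {
                "image": m["image"],
                "cmdline": m["cmdline"].strip(),
                "depth": int(m["depth"]),
                "pid": int(m["pid"]) if m["pid"] else None,
                "tags": [],
                "parent": None,
            }
            procs.append(cur)
        elif cur and line.startswith("- "):
            cur["tags"].append(line[2:])
        elif cur and line.startswith("PID:"):
            cur["pid"] = int(line[4:].split()[0])
    # A depth-N entry is a child of the most recent depth-(N-1) entry before it.
    last_at_depth = {}
    for p in procs:
        last_at_depth[p["depth"]] = p
        parent = last_at_depth.get(p["depth"] - 1)
        p["parent"] = parent["pid"] if parent else None
    return procs


def flag_replaced_binaries(procs):
    """(pid, image) for vendor-directory binaries the sandbox saw written before they ran."""
    hits = []
    for p in procs:
        image = p["image"].lower().removeprefix("\\??\\")
        if "Executes dropped EXE" in p["tags"] and image.startswith(TRUSTED_DIRS):
            hits.append((p["pid"], p["image"]))
    return hits


def render_tree(procs):
    """Indented one-line-per-process view, two spaces per tree level."""
    return "\n".join(
        "  " * (p["depth"] - 1) + f"{p['image']} (PID {p['pid']})" for p in procs
    )


if __name__ == "__main__":
    tree = parse_processes(PROCESS_LIST)
    print(render_tree(tree))
    for pid, image in flag_replaced_binaries(tree):
        print(f"replaced vendor binary executed: PID {pid} {image}")
```

Run against the full list on this page the same logic flags every System32 and Program Files service in the tree except the two svchost.exe hosts, which is the signal that distinguishes this run from a sample that merely starts services: the service binaries themselves were overwritten, so their Authenticode or catalog signatures on the infected host should be verified before any of them is trusted again.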
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.1MB
MD5: d270b39651b3e93c5e5ed3d64f28bee2
SHA1: f0f14a9f255977c1cc12adf37caa29110ac6f6e5
SHA256: dba29b4440a2668f85ce79f33706e0c4a9a38bf2293ee704301ca0f2c7cf7985
SHA512: c3b519d37776cb59b20b6837125d949108b5a9e1b82c2bfa00a37f64d16fec1b79dbd89b230b503c7b70118fa760ee882bffd5738ae479bab4615fd11e721e46

Filesize: 1.4MB
MD5: 313353616d3ab60ecbfe7d9e5ed00324
SHA1: 91c7be18a32f6311eaa8f182600f6cc7b16587f2
SHA256: 928be7936f37aa9456a2958987f5cd8870173993dabb2df9cd5867c12308593b
SHA512: 8422ab08935abd7d944ccc502422c7a2f7d513041b7af2fdc9682b4c9b6a6539b1da127536e2aa63c700e144d22338322003d5767f06ed397ccb58a0811887b9

Filesize: 1.8MB
MD5: 0cb2fceef05d3e1f4f049546ea75858f
SHA1: 303e78ae0a6fa29bfaaf5b57d369d634b2637882
SHA256: 18dda8d401d1fed2890b0934fc7d4ce5b31293a5ed5c611aee1e6a420ba1c927
SHA512: 1ea69a7d2aaa424a73d2e97698fc777889794ef0082c2fd6c0dd034b16371525b2c53c78046f7e16302f84ea18623f92a6881f04ee8ddb87baa227748c77d95f

Filesize: 1.5MB
MD5: 9727e2a5b12964f93fcc70ebd0b34adb
SHA1: 2dc517f230964f6a4de7a2bfac95285756799af2
SHA256: c50c597b6b1c61d0880b4af35ce0d697cd74c0a889da576ff0a169646651199d
SHA512: 809331d8d97ade5654e195e7f0fddec4d8306ee611abbaa07bff12e0a7cb483a4ddb4c8f0f673e812b7a4ca51301952c666e1a0ced67689d3adccf3597b702b2

Filesize: 1.2MB
MD5: f9842deb7a07bf022051d72c3e3c1c45
SHA1: 507740b55c86c15556103cf81b9c074577883308
SHA256: 9d6564586b8637532ef33dc348c2e0ffdd5a2c171171f8531dc6a4cea45e6493
SHA512: 05a2ea137ac2a0ffc2b50bfac94eadc58aff59b90e296cf256237bd694fd99b1e7e609397956d35a067a0d8053bca0fc2a2512b0968f81b9306471d94851549d

Filesize: 1.2MB
MD5: 43ead139e0aed112736932c1f440cd8d
SHA1: bf0384729f8af00930ae4a74d7aa09e10ff4b48e
SHA256: c6bd547b12e287e65909236e0ca8396fdae6c8e48de9cbbf684c0f7ae382756e
SHA512: 4a0e2f05d5187c05f2d580dd7c50b0ef0d77d4a8c6adf241f4e7efa70a2eb45399336f8d6dd5e1807a8a2f5e6735f82bfdfb91853f7806e5a4fe3c4777879f66

Filesize: 1.5MB
MD5: 02173facc2f80080ad336b48ed1cf810
SHA1: c18486e60ab58d549f1123fdb5443459e3e777e1
SHA256: a2fbd7a2e4df76dc36d477e14dcdfe4b408ba525d9f197eccc6df95e7ab1da6d
SHA512: bab6da5a4ecd73ed48f256106a28ac1a2514acf7128e0d16769f697f95b57f851948d9ea1a1a6042201a5f329d0a906f6e058648b54a51a39341c9cfe1d11f8f

Filesize: 4.6MB
MD5: 312386dd81a6842c989098bfbcbaa98c
SHA1: df2ee3d8e438f156a7a93732be7e094408873e48
SHA256: 7d40e87dfd8f92c649e0075c8074b88b5b8387485e015b7ffa24f28ef57ff8ad
SHA512: b611ea7dad26246412891ba6a5b3ad6d1d15d965ec4ad792a84e032a1d93767cdf210968b117b238a3ed4e1e45e1d7a6a60f64f244260488c44cf78051f80a21

Filesize: 1.6MB
MD5: 3c7e466438c1d893259c1ae39d596ab0
SHA1: e5e742bac628e65b4ab9f23e68b816979577464a
SHA256: 73d99808fa58177d1aa89cc3eec1ba0090c3a85549c05b0bb4770deb266bc090
SHA512: da54fb3778ebf3ce418a0a6873d44cfb6ad5ef06da56f9aeae93806f29c4dcf3f15a3c727e216925dfb26578210e996642ec0df35f5ef096b1435dbee0376d4d

Filesize: 24.0MB
MD5: a52bb948755b97d07bce45736862de73
SHA1: 4c4ef04fa1d6ea2d34f0b500c5c67eba2b0e4d41
SHA256: 40ce43ebc4720d70d38e0b24d16d294cd834823653d05838dd93e6c6a269ec14
SHA512: 8e1633c465efde5c9350eaa91b65cd3263dfcb5ec18233b748bee4a326edbfae7ea31a9624cd33e07652dd2c62ea1ff79497d4386b1c64dbae2e0d3403e3526d

Filesize: 2.7MB
MD5: a9dc7b4e4ff65abbe3b2ccf5d24c492d
SHA1: d0901eadceb6f8d79fbb8d2bdc03b3744419fb60
SHA256: e772946e820028a1be83eee9e993b0900565c852174150ff30a72e9e5e41e5aa
SHA512: 49565f108328d2ed0c36ea0b7fc1c5bf0aa8f5780253f6a25bb387c49c4402b3eea8611b562b2db13db1a261730639d7bcbfbabc871046c42cb7f01dd30142bf

Filesize: 1.1MB
MD5: 92ac256ac06a716a66130153c91d5fdd
SHA1: 7c18e2bc30c5f04bc8901486c1ca1a93355e1505
SHA256: 3879db7d3738e4b5a0e1291bd61fbcbd2d56ae1f6df3fe8c534bbf25251916ff
SHA512: 27313d5aa55c5604c1880c3c026b5350bf0b80c81f0c407db4f27e789b2404665e059571e2183ca393377b342665db5248265c61bdaf316a091f421b38c2aa0a

Filesize: 1.5MB
MD5: 3f28b4a75f947a2d08cf7200f1c4f91e
SHA1: a805eb58ed91d9418af52bc4a8e46a904a632403
SHA256: d51b8744c2918f23775061ea0e7ddba18488be7c667a9e1778cc77553cc7fe58
SHA512: c790d246688fccda455171e94ad7431481c2f8f73a9a3948de4e3b520e813d90cf019ab34b7688c76b2eca185b34ec615df08f5d0481db3856ffb75bedce3a9f

Filesize: 1.3MB
MD5: bf2b17937a6662711c411821a3df722a
SHA1: 41dc4bee98ab9b10f218cd41874fe490a9a56ea6
SHA256: ab6b36d95fc658eadb6ab26a0cecfae33b39cd994e38cff0c5f5e9f5e00c6faf
SHA512: dfd50459447db36a02174edd83e484100c10deb3f48351cb3460ed5779a2a5537b9e225c62f16039e193e3aea6974bdf9eed4a51d7938ad688e77ab589b791b4

Filesize: 4.8MB
MD5: 5c7daa18c0ec8dd7b63f740313cc406c
SHA1: 15342e6e5cce46e66d7423adf61b79269f96acdc
SHA256: 96ea8f023474ccbdcacdf68c57676cb7eb24a8c562a6ec8a4a49c8e69018cc5e
SHA512: 752d3ca163d9e8c5e424398acbd3a0962841b48248fd65dc97efe9eedeca089e58b400fbdf858ebd6ed1821cbe4a2b923c236754e129cc69cf11df5615fdf2f7

Filesize: 4.8MB
MD5: 16183c11c2a894ad57c9d78cbd798242
SHA1: d446ff013f9022aca626f334fdd721580b3c284e
SHA256: cef2193038c6638e7a8ea681bb2dabb748c065ea125eecffad5fc68d8efb256d
SHA512: c437400b219301c0209620cf530d769b678c227d888db0ee852eb39fb75c8492b8c54099f0f61b1645b03b977cba117dcb19ac4255db166a4dc989cbf35a76fd

Filesize: 2.2MB
MD5: 2a4a80384aef01ec6b4d3f25a0db0532
SHA1: 96d92a94bd6c51300c014d24d31e604be4813f73
SHA256: fe58ad47cb04405938c4ed5d4165e36a522e7a9f9cb8a3986b89d3389651e14e
SHA512: 741893217b4ab86b7b6cacb8e5429d34a80218487c0227c3ed71e1bebc76cf130d5f7f22ae2df68281a1a0fd5ae791b3ac63102012f71dd191ffb539de2168c7

Filesize: 2.1MB
MD5: 766071de9ecfc4a7fea5c935894a6762
SHA1: 9e6f2c4206078f80b35df59832e3e45ca47691ba
SHA256: 3a9948bed201d30467d15920f8b1313a0d812fe1f2f62ecb76c1be0bc32a6500
SHA512: 85e53610a30f6e8081a8f895781072b7998c0d6ac41e5f47952e0349dbe47c4d9ba196253a99acef9da23b952f2e37caefd2b8f3c83f1ac5ff905bb7fbd7e684

Filesize: 1.8MB
MD5: 43a4ae5ff5f1b7953524ae29818c8fc2
SHA1: 00aea8e90f81c74e6ce6858fdaed103c5e9cda86
SHA256: 6aff242fee98b98ddb3290c74cb4f43cd68c8ce02b750cefee7afd1c5c6843c5
SHA512: 42277020ecf928837a397cd93961de45f64f6e86efb01eca2add0531aaac6efad6eb93801b45911c18452d4576f7f7efb39f4b46cd73095394f8386ba1c3b868

Filesize: 1.5MB
MD5: c77b51320eb49d04236a8c1ea6eb2b8e
SHA1: 94b3a90377dbdc2079f9ea7325aaf658ecab7552
SHA256: 6d1e3128c7c0423a8775e4e8b851d0c592532315e0598fb7bab8bf0019f3339b
SHA512: 817e20bc49b95b877d3d647d74b097a8fda8a7a3d40623fb18c1e54bdd1f6faff13a2ca68c36ef7d764b468d90d9cd3f21a9fc2b0493222708a40b0f96e7a627

Filesize: 1.2MB
MD5: d2185f4768898f28501b3b43246df196
SHA1: bb1537f26b483e4b1f4314ba551c6bfb25174922
SHA256: 744369462919e15d0c92a98781bfe9fc92fbe88cc063aa6c8750574c428e4956
SHA512: f85a8f8d216868eda236877c515c2cd705ebc00fb3466a972a6f90bd9de9508ef00fbb5bc0ce7ddf5b4c1b746811bfc64a5a33a456dcf3ed31ac75197b9e8e2e

Filesize: 1.2MB
MD5: 1309e0be0ee0b1df061cd2fbb767a818
SHA1: 56d4eba8b5a6047ab9987fc9ed7179287ca05867
SHA256: 9f86cd3f4de9b7975eebd229e210826b8e5f16d1f1a986885c5d0b15d1b4f796
SHA512: 62b26974200ffd36dac2bd43705b2b21412e03090196e21b9f2727071902b09d3a081765b7f21da752b9e28382581b7906f5b0ac363da55feb27e9aa2e93eea3

Filesize: 1.2MB
MD5: b77677fe0a3399b094a847d99b6e6dd0
SHA1: 9c25fea986142891b425e1181e8ca2f5dfec199f
SHA256: 7a3a35a7da867bb4fd84dc12cabf706972908e1e106ffb56287f851706385572
SHA512: 1b687bf7e227c2788fcd5d82ac073ca74e263a1078afab8ae79dc2c4e1dec9101fe5fce1252a5e8f46d887d3dab152175bc72f15584667c87721a7081899e56d

Filesize: 1.3MB
MD5: d79448899593e1750091bdbd75acd29f
SHA1: df496a1c8d5596e1124115c201973a933219ee39
SHA256: 26c545906647c5af9260d2b882ea55b93808d8ccfb10c193ab59441ae281f373
SHA512: 964b71a04094acbf9b6c6005956bc67a5f82001a88f3f9964d5ce606c1e7ee6115313bb699ff9dce1246aa605436a01f345c7db25d90af13869620237ae11c42

Filesize: 1.2MB
MD5: caf822e588a6fb1b8b64d57e99e0e426
SHA1: c45dc866d4f7121853f0ea0abe48021ee0dec6f2
SHA256: 69ca899f40bba99ed973a196bb60aa41157826b7f9ec8caba26e11df61c47996
SHA512: ed345cf4160e6e5ea8f78ccf019fc932945a983924c11f16395800b429a6117aad48e0994585e1adaae5b9056488a0f68988069e3fdf74f8ba9fd021367c7416

Filesize: 1.2MB
MD5: 5ea1bf96a9a40693340dae255689be36
SHA1: 31126b9f09e54765fc8c4ddee38a8f6124c5f7b4
SHA256: 124ba373b16b9b4b11cbccb14902f6daff897fa14e2cfa7fb517f0a2dfe74fb1
SHA512: 2f08345cb2828bc8405e5b15b5c5fb068c42a4526ef8b9d205d00ca5f29c16a69a391235fc78a86ed004312cba7dba8fabe70e83e52dbf45e4bdeeffd21e9363

Filesize: 1.2MB
MD5: 4a2f1ab7ec7ffc481a5796a25ac42d1b
SHA1: c0c2f4598ac8b68fe6ab47f907b77ca2536a648b
SHA256: 43dda646bb1b12f1f721569cbfe979ca7f45457fe0ac7beaf389ca9196e497e8
SHA512: 3bcc9c6838e61224b53374d3337bdda02647c477d29f162d8d77acc1fdd0d97ff63768f8e8947e76b00969e9d61033f2994b249748fce101fbc2753a14488cf5

Filesize: 1.5MB
MD5: 8b9f7b9e4ea8ac78d3f4f6a9da470e4a
SHA1: aab49f58ed9f0798163d8f6fcf549550e42a3bbd
SHA256: 3c8b0f5809a5be7a34349135010abd87d460427a7e63a3c68b71bd5c1a117b22
SHA512: f57ffd0f5e56a4990ede0b5a87901b4bd395bf04fcb1c9f83c343fc00ca71baabf5d6f8986a68e0a5739981d2a8bdd408e8b2cd5d4175c9a8786d318d8f53de5

Filesize: 1.2MB
MD5: 0c8d20e88607de2364611dfd044e780c
SHA1: 22731ae1d10675b2139930b4339d4993df25e28d
SHA256: 4ee6fecfd1a218efa82270d24d729036d0195ec5f9200350c3965b4c12ed1150
SHA512: c91194915ac1de3265c0306d56b7141823660ce4a64170a6971aa030e5b4b05477db4af1ee8b383383fec5dce97d101bbb9b9395da880d0a7b2cdbd3669b79f5

Filesize: 1.2MB
MD5: afac608b04bf20166e5ee6162f4cba0b
SHA1: d17e393044fe38ed1db3545cd4162069b11e6eca
SHA256: b9ad4fa39ff9cd6c0a2aa06beb312b6b150daef89bee8bcb6b63ebc727b4fa34
SHA512: 38895710a30c24b0e902345301ed9e2658870bfae8876abed0c1048322441d453c9e65d8f153fbbd62e223779282c9d09cd9d0e77ee5d1dcb59301abd563f801

Filesize: 1.4MB
MD5: 9d94f56a818b2881ba3d47432afe7028
SHA1: e05b0b368e20480c8b4fff2e47939655fa8fe475
SHA256: 2d760441744bbda4522079516e8e22312d16af85c2025ab96b9286c5fef5069f
SHA512: 646e920ed160de67fe19be92f0da0c309e32f2f92922d7f738d47bc0e363122f2f7fe1ad87123627e2244ada536f305de0c4dec75bfb3ab1a2732b9bd98744d1

Filesize: 1.2MB
MD5: 8b5719d6b76f168a1a94f00aaac670e0
SHA1: 541f62673670154f85bd5e547e9ec3e0bf8ee33b
SHA256: 6e27fdfd14f8d6ecdb3a220fa5c6a045667531cb9a22d1805bc784ef8ccf3aac
SHA512: b3a85c66c5aa80fd8383b0645e0a40950f043590416a54090c9efe2eac249e9de66cb068923a6daf89e08c737b3646dc8b1312d20c54f3e9d5460bbf2b67c9c9

Filesize: 1.2MB
MD5: 9bf20d09abdf9bbba1f5dc69a3ce2dc2
SHA1: 4bcfcd94a82926147e35376cd43ce82a7fea9650
SHA256: 099251223a047b919e5035337e8ba4a10d8687b6a51e71333e928da1ad41c7bf
SHA512: 69dd1345e418c7db080ecafbe1a8da45311e4f5d2115d4935a7ca1766881254c05edc8b43b947676617a210a0569e2dfcf1acc6d218c9f544febb479ffac7eb7

Filesize: 1.4MB
MD5: 5270f91eb97c4f7b7b3f3ff0ce1abf27
SHA1: 4dd7d3e8ea233607dedf2a7dc8a84da742764b13
SHA256: 17957d001684b55b555ce8bb776465f0da341c9efc2d66e3f1c9e33cf70b2c8a
SHA512: 9fb03e50f19bcf80fbae038cc87514305c3b917c281c8f9cd2eb22f82f4433e4b319740a9d7e2ab2d5b715d436d806959205bfcbe3d885fdb062b4498a556951

Filesize: 1.5MB
MD5: c2eb0653da725d380872c794420622ee
SHA1: 85a7ef388e83b5df0d1b9fb752ff35bd6c90384c
SHA256: e9b45a8b3b4e80285aa48fcd4132219c37b313c21a0d2408fc496aafbb1bf02e
SHA512: 04b29ac24bde32a8b4f9a5c8ba0e412aacfd03cd0a60afd02d6b32ac08363e01f8079d14759a2c5127734ab2d704c136b61e316abfbefaf81be0f0094b2752f1

Filesize: 1.7MB
MD5: 2700ae1e3f67f49de55f81ded49a4ffe
SHA1: 51279922093bae2e5a5545966c2f44fa5d93624a
SHA256: b3ffdd5b96a09cad0c2f4dfac0e04700c094b567c5a156eee4362c9812780e1b
SHA512: daa6e5176ac73838163050e626d06aa9fdc02e58e7ad162b19e4abec924d9e99025ee7f4b8c355edd29148b7e468a7dd5f12b247b05c5025bef068cca03e7e75

Filesize: 1.2MB
MD5: 82271a975c7db2427e5bbc5e7971a121
SHA1: dc3182db71759b7613330788b4e8c9ebc073dc65
SHA256: 2d994ccd943ac33a32668ea5eefe7e2cb917a040f9f06a37f07fd5a7d63000cb
SHA512: cb55b7b84aa5f62e254039fa25958c4e97851a7757ce5fb31fac0bad9bdd695b06e3393965503c2ffbd56b7f64ac838289442dc419639dae3144a2a14ce0f447

Filesize: 1.2MB
MD5: df1023faade79e1c7aeb519a91583f53
SHA1: 0e1eea49047865cab12aaf41fd64db36351fc383
SHA256: d8898a516559b754b59af74a24498af3b5819d01c6a5fcd778d6319e5288dc8a
SHA512: 55657b99c6df928dd0aea0a559dfe9fb4105b1808f782632b9788e29e4142cded76d1d8ebcf2ea04c8006ee0e2347a8e1c72b17db73bf8c8791aaf80eb1cd505

Filesize: 1.2MB
MD5: 46f11e2cf02bb9c1c2ada7c954843aa4
SHA1: 533d3462599c8f5000eb08f006cc1daa8b25c5f3
SHA256: d4761d620f61fd61633367a1283a190d921201c14eb614b3860ab275a43ad67c
SHA512: 44e0a03b5f3ad49ee89c0967f051b6943d77b554cc292958194dd5f78933bfb018e475da3f537912d10c5d1223a81776692baf15e038d6722bcc4a99f5719d09

Filesize: 1.2MB
MD5: 141c06fc5941f7d0d17bdf8c4b48826c
SHA1: 40e13a860b2e50bdc6ce7d62869fbb41fad7c336
SHA256: 4ba1f7b09e6a2e5181e908cb94772680d1b68b2941cb0e60ad031b35ffdfd2e4
SHA512: b658bd05913baa41cadff68b5e40e98d685cfc6f299ff2135bbd4862e99fdcd44506d2982adb8efc9e6f53c5a122580ab9a077c50750692f04ef6d7bc7ceafd0

Filesize: 1.2MB
MD5: 4dbfbc260e29ffceef366527827a74b9
SHA1: 8f14014a78e31c22067b97c9b8318e7cb937dd74
SHA256: bcbbcdf52021f3275e00eafe56b82ea6e2f776df5c35c8f08b2072b82f7788c6
SHA512: a765d0949c7b4f430cf6a258cc2b498e3374056279c1dd83d541e9c11d4af02556c2db8723bf211d7ae697ed2694125c91ec651eac71d41165c3fafb7cafdbf9

Filesize: 1.2MB
MD5: 043d375b2b68399a55d05a29bfb838c6
SHA1: f6defc49a98db99fd3bd464653e77de233024907
SHA256: a95af5eb57f7a16655fcd6490a5a19edfee763d9296b0cb3f06bd5cfdf7193a8
SHA512: 18ca0303cd576bab21d729cedeb2c892219dd79b1f62ef0376ef7234c15432663be25645b08816e193a9da00588cee9d06e5fa123227e52c065fb8e6472c08aa

Filesize: 1.4MB
MD5: a257f557d85d38add58ee55d04843563
SHA1: 0fee55e5891400c5290457cb3ce57bf57a35685d
SHA256: 651e821eb1ce6da261dde5647eb84a28afbe2f3f60e442c62e6e1710fe558546
SHA512: c3a21ba5304b28af997695f7302cc89cf7381b5ca6ee5d57d20ba8749e8df8baae3f0de7092515be22de7039da630fe89c6ce3f3494242bd8ef625a5b543555e

Filesize: 1.2MB
MD5: 5070d82f4d32de43ca85c06613abc902
SHA1: 1422652b89a7793ddee711755baf2f8cbadc97a8
SHA256: 495dfc9e5ab40f7804952573534b6d5f72069d903e34b374819cfa46300ddb48
SHA512: baf0c6378dbe21a45e302d5d989d1b9631014e26d187df131822b32dd3c4ad7c39308fc806bc61b71a6c3c10baf4ca8110eb14c6bf7d254f5972210d94150ffd

Filesize: 1.7MB
MD5: b9c27e40489e8398eaf72198aa27e612
SHA1: b74aea32cb9cd9064ba2027b34959f3eeb6e11f2
SHA256: 4624d37dce2c4c1dfb25e42226ce1c10fddba2c02f61f64ff2036ed498f96391
SHA512: 4d4ad303589fa3216c19ddfc27638444ffe7b8e9ec42c4ac80aec6dbbd00b6bf7f45583e3242d03397c2344c07c75800fc8b2a6f28d5f4b584de15c8c934bd7b

Filesize: 1.3MB
MD5: f8e5733e53c9313fcd6985a9220fecf8
SHA1: 707fa784ffb24676627d1654e8e0e1b11dd594fc
SHA256: 0ecf4849a85660a85b7bd62da74eb98cbc44d24f38dc3c9aca06c9be70d87765
SHA512: 269438d0c64cf1ae8ec95cc70a110c188ce43facb16277ff5cd066a924571520aafe17610b09e61ce4b3f28c8551c114d8e36077164041cc6964bd45624f99b8

Filesize: 1.2MB
MD5: 200c281bfa444237c049badd66427e2d
SHA1: 5f960f96e9315f03289fbb7398636b517a9d8fa6
SHA256: c63705646eea72ab9932925b77cc7f391f196a6a828cfd0360789ac2bc7743ca
SHA512: 78bdf13e7ab94f4f8882848182fbc5af4459eeb5ebd6be0110f2d462d7ac3fa15e41ad4d95a92723ab251e43acbb9d1a5efeb27228b656a126105612ca9f9929

Filesize: 1.2MB
MD5: 1ab0a3c0ee994dec6204dcec0f4d7b6e
SHA1: 8f38f52745d99e6c0fdec629201b0f62042fcc0a
SHA256: 16d88df07d40fd0fb2fa73fac79826e5ca43b1b578253e9dfcf836e3e088506f
SHA512: 2d2631a9a7341417d4ba80ba6fbe9e213b17d7970e631709f0fab1467c67f1b979efcbd449fc367afb9f31b36594ee40494e6cd3242c30d2a71c1a3fff62a806

Filesize: 1.6MB
MD5: 54e13e5e251c90acff039976355729db
SHA1: 66774b3aeb31c992bae332ee58441eb5de39f3f1
SHA256: 7594df493f14f3a9de62ab2229496d071922e2f28e9995d28d044b874ae99439
SHA512: cf8c7a323ca075122a90d0953be8a6ad80519e75e8f3bd5d124b9c42c4a39a47fad8b45c24a20b761c8c7732c29e963dcbb5fde9c455dc082d2a2f2e27f604e0

Filesize: 1.3MB
MD5: a1af965e10a6c0654118c0dfc1a18f00
SHA1: 4fd40262b864afd1aec080095446473748324726
SHA256: 456f0c7a9613182bd9458c1c464626f0a973fd91f038d2543cda2e88a8fa76a7
SHA512: 594bb42ce1f1dbdedeb0abac3fc4c7ea2122ae5eb9846a8a0100537d1303de12e4ed7a5bc87c3d5164f7983787e49b94bdb9e828a19bf6cc38a2e80f4a0fd7f4

Filesize: 1.4MB
MD5: b58fb1c7c175e0233da6dfbcc5832363
SHA1: ca48ba5d1ce759dc834eebc48cb63b4141d38d07
SHA256: e7717cc2e4b66527f039a78456ed799ed6b344e078289c13c48f7b1716931c22
SHA512: a9535ca6620989348778c7a3eccf565bef2c0c890b6f0f4be64fdc71524cda0a38f061eb0a0f28a9f42d4eed024da77511aa9c53a1b8f784f25358af328f6f89

Filesize: 1.8MB
MD5: beb9e1b89c516d49ae695b89dcac3d80
SHA1: 872284e3a6d075b8c062c347ccd7987a03ca4150
SHA256: 9fbf41bc5064414e9203a618588f2017f956f0a996c2989930cf55d0a3cf339f
SHA512: 3dfc9cfbefb4b602cde2601f46d1740ab93d45023a826705b56e84044d79acd6a18fb6aa4e1c8da4166a5c2eb194d6b2a338743fa7952664febd057f25516902

Filesize: 1.4MB
MD5: a832d1b686049a1bfc5c066710caa4da
SHA1: b0a1136b6a0b22004280d2159ebfe28e9cfa2414
SHA256: 8864dbba4bf6a7031abfb6a1c46a41698b29384a199fa0e316bab16d2555dbc7
SHA512: 1c3693b409c86199b164549ea74dcb8c3242818429a54309973249c354fa0387e7a6a399336683a490f675bfc6dca1456a894c3cee2f9861f40698b0081426b7

Filesize: 1.5MB
MD5: c1a2868c5d97765058d1ba32861c6eff
SHA1: 862a7ae289a1eb60d217c52cb69089b593eced98
SHA256: d2910bdc8178994c0e92a208950299f7590be88786466b0d181533a24e3018d4
SHA512: 84f394b0d0358d9dbc9e9c2d6e3176a718aa93e723e22f38c47649b339e05eacbed973913e29fbb246d925d38aafa25d5c4b33510db33650107aeaaff6d3d3de

Filesize: 2.0MB
MD5: 24f1dc561bfd74ccba2a7e580d03109c
SHA1: 9602f7198525fb1641967f599d08a367c620272e
SHA256: 4c518d59c6adacd72b5c9f53d2a15e3fd5c1b44f268025436bdce244b6d336bb
SHA512: 47de7389315b0a25542a5fef0aadd05d77dd2fcb7bfb5219450ccf61f9acaa5b19c1b84295707c5683adc5410404b75fab6f7873d9178f6b94fb3da96aa52186

Filesize: 1.3MB
MD5: 6f9a15cf6f77e3387fa56003d7439e98
SHA1: e48ea9e865f564f870efeb24d6818898e90a2851
SHA256: dce69a881b7cd00aa7bb65f490180a192140b2ffcb3da880cced9d501d6c1434
SHA512: aa481c7a86ae717a4a8ee59877baa8ec189be5f28ba04e2955854f5b2c4c2310753507ff2c7ef4983f34b4918a2e4f328ddc483137634a471490f9337e2be03e

Filesize: 1.4MB
MD5: d72d37646788daa62318f7d05c202c1c
SHA1: e4bcc9fbaa68f182bfd82ecf96eaa1a0ec09a0c1
SHA256: b44434164d807115c2b2dd518f15012593726ffc3323a2b625be7b39e98e0b93
SHA512: 50f5da535bcb7a4f77d2eca57c99c62b2005de44e04075b07b4b984e97e7bb8ab033610ff07065444d211543a97ca88f2382e1c180b2f57eed8799e6f379bb06

Filesize: 1.2MB
MD5: cefba1d18ad8b5368d79f7b6fcb520a9
SHA1: 4993ead83f5da77e3fcec8a9723d7dbf289bd532
SHA256: f99b6783c88712250e59a1f73b79beecb53362f82b285858acaf09c102b731c0
SHA512: cbcabc7eb4d887a68c4e22a11bfa092a145aa186bf804c7663dd86c40f335ce682ee343a9ca78d126a8521975e4f62c5690048f58fe0e2d3242a4c476c51e9b6

Filesize: 1.3MB
MD5: 247ea78e4e06747ac38729a8c4ea45e7
SHA1: b29be028081db38559f9704758eca58d34ddbc91
SHA256: 8772328091a1ee4a3dd111b4b499e0de590218399b236b5b2be9806f8e81ffcf
SHA512: b3f2fb78b14b1cb257f3136a77a5cbb9ff57cffe289114e3be599452491a2edd1bbaac8285c295206f5f82d6e54afc69c467434d66111f6438fc4b4242dbe872

Filesize: 1.4MB
MD5: ed715d6096d8b593da3772b7bca730c6
SHA1: b06b444923535de7f0f757901a23338516d628ac
SHA256: bfb65f719e0c25a04dfa3071f76dfe7f1fc1453535334ed576eabdea188fc450
SHA512: b8fd2b6e473374ced948c0bdca100b4a28d11cc57758f04bcf4a952e559dbb0204639bc9399832b06a841cc0c1af8b8cabe4db56f79bd1901b1efa361d4c1c92

Filesize: 2.1MB
MD5: 65f3fb091f7e479773088aba5d46493e
SHA1: fd98eb4ec0cae16d3275b9966038bb0947962396
SHA256: 3f9ffad90de83c5af3e726b3836972e6db830c6256d3d157df5cafd2e5d1545f
SHA512: deace694cf6b4df3384730506949202e21bdaebe570912bed82df2fe7abfd1c66cb5b110604868ab5dbe75266c4ffedcfecef83d97d5df14f957eb15585ee3a5

Filesize: 5.6MB
MD5: 7bad9f624eb72c0e5915c50c03eef086
SHA1: 77db64c925a3dd2dd9f2cf199416fd9c70928a8d
SHA256: d22fab7caccf88ca60432802c641696636f5ebc3b471f677af0032229fd0b604
SHA512: af343ec3090f2f79d50c9cebdfa6f33680392f558b018b7ce79415ee55afe765a6e46e53bab8a9049bfd3a540bf4f7e1e21fd2e10e31b1fb1ed2a72a380cded6