Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
06/04/2024, 05:06
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe
Resource
win7-20231129-en
General
-
Target
2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe
-
Size
1.1MB
-
MD5
e5874500038ebae29fe765f303978138
-
SHA1
8b872331cf56b25cadad12443a73f174fc234d1e
-
SHA256
522aad1b718682cf0d454ee79306918ad69ec05cfc31ecbd5a4d7eb427e45e34
-
SHA512
d4142c42855853c61ac39cd2ab6c412563e2168f8a832780e80782b4f595ba44391673dfb2e5921e4fc9b3a6759ecfce9f2747e6bf91379ce139b60c283f6910
-
SSDEEP
24576:/Si1SoCU5qJSr1eWPSCsP0MugC6eTm8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:3S7PLjeTmgDUYmvFur31yAipQCtXxc0H
Malware Config
Signatures
-
Executes dropped EXE 43 IoCs
-
Loads dropped DLL 15 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 21 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 36 IoCs
-
Modifies data under HKEY_USERS 40 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1692 ehRec.exe 2576 aspnet_state.exe 2576 aspnet_state.exe 2576 aspnet_state.exe 2576 aspnet_state.exe 2576 aspnet_state.exe -
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 536 EhTray.exe 536 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 536 EhTray.exe 536 EhTray.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 876 SearchProtocolHost.exe 876 SearchProtocolHost.exe 876 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1848
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2620
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2596
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2820
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2708
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2016
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 288 -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 1d8 -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2736
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2060
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 120 -Pipe 1ac -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2268
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 248 -NGENProcess 270 -Pipe 120 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2748
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a0 -NGENProcess 1d8 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2896
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2404
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:2836
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:536
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:672
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1988
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2468
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1516
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2224
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:776
-
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1048
-
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1740
-
C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:320
-
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:948
-
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2884
-
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1984
-
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2036
-
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2984
-
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
    PID:876
-
-
    "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
    PID:908
-
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize
24B