Analysis
-
max time kernel
11s -
max time network
38s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
07-04-2024 19:23
Static task
static1
General
-
Target
2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
-
Size
4.6MB
-
MD5
03102757d2f8903e63a61bbe6c775f63
-
SHA1
dd965ec66eea0636e755de81d0c90dae168d1775
-
SHA256
3419f2f009e839898188ec66d87d67bffcd3343d045271cda3bf2e5bba8e7f41
-
SHA512
12212e1fb533e82559e5c4d2b36c023c231d6075bb7c884d118cc3caa7cf9a2e27c0b0752cab05d3ba12c04395f1dc6ac660953ce3bb8866e701875df5ceaa7c
-
SSDEEP
49152:wyEKQ5E3ieGR0PEtBFUow1b89eX611+2xmepn/TRijbqYW3qkCbDypSfe6qwiXpL:iq9ceqz+2xl/SSb0XD527BWG
Malware Config
Signatures
-
Executes dropped EXE 15 IoCs
Processes:
pid | process
3368 | alg.exe
4256 | DiagnosticsHub.StandardCollector.Service.exe
368 | fxssvc.exe
3576 | elevation_service.exe
4596 | elevation_service.exe
2640 | maintenanceservice.exe
1504 | msdtc.exe
4392 | OSE.EXE
740 | PerceptionSimulationService.exe
3176 | perfhost.exe
3468 | locator.exe
4376 | SensorDataService.exe
3080 | snmptrap.exe
1500 | spectrum.exe
4132 | ssh-agent.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 18 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\c73be0452a644d7f.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
-
Drops file in Program Files directory 5 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
-
Modifies data under HKEY_USERS 7 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133569914338831157" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
3796 | chrome.exe
3796 | chrome.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
668 |
668 |
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
pid | process
3796 | chrome.exe
3796 | chrome.exe
3796 | chrome.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description | pid | process
Token: SeTakeOwnershipPrivilege | 5084 | 2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe
Token: SeAuditPrivilege | 368 | fxssvc.exe
Token: SeShutdownPrivilege | 3796 | chrome.exe
Token: SeCreatePagefilePrivilege | 3796 | chrome.exe
Token: SeShutdownPrivilege | 3796 | chrome.exe
Token: SeCreatePagefilePrivilege | 3796 | chrome.exe
Token: SeShutdownPrivilege | 3796 | chrome.exe
Token: SeCreatePagefilePrivilege | 3796 | chrome.exe
Token: SeShutdownPrivilege | 3796 | chrome.exe
Token: SeCreatePagefilePrivilege | 3796 | chrome.exe
Token: SeShutdownPrivilege | 3796 | chrome.exe
Token: SeCreatePagefilePrivilege | 3796 | chrome.exe
Token: SeShutdownPrivilege | 3796 | chrome.exe
Token: SeCreatePagefilePrivilege | 3796 | chrome.exe
Token: SeShutdownPrivilege | 3796 | chrome.exe
Token: SeCreatePagefilePrivilege | 3796 | chrome.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
3796 | chrome.exe
3796 | chrome.exe
3796 | chrome.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_03102757d2f8903e63a61bbe6c775f63_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2cc,0x2d0,0x2dc,0x2d8,0x2e0,0x140384698,0x1403846a4,0x1403846b02⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2308
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c879758,0x7ffe3c879768,0x7ffe3c8797783⤵PID:2776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1884,i,16245033296292712420,12730558959682969156,131072 /prefetch:23⤵PID:1976
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1884,i,16245033296292712420,12730558959682969156,131072 /prefetch:83⤵PID:3472
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1884,i,16245033296292712420,12730558959682969156,131072 /prefetch:83⤵PID:2644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1884,i,16245033296292712420,12730558959682969156,131072 /prefetch:13⤵PID:2744
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1884,i,16245033296292712420,12730558959682969156,131072 /prefetch:13⤵PID:4432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4544 --field-trial-handle=1884,i,16245033296292712420,12730558959682969156,131072 /prefetch:13⤵PID:4328
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1884,i,16245033296292712420,12730558959682969156,131072 /prefetch:83⤵PID:4920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 --field-trial-handle=1884,i,16245033296292712420,12730558959682969156,131072 /prefetch:83⤵PID:4176
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1884,i,16245033296292712420,12730558959682969156,131072 /prefetch:83⤵PID:556
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 --field-trial-handle=1884,i,16245033296292712420,12730558959682969156,131072 /prefetch:83⤵PID:808
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵PID:2888
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff61e9d7688,0x7ff61e9d7698,0x7ff61e9d76a84⤵PID:4360
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵PID:1560
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff61e9d7688,0x7ff61e9d7698,0x7ff61e9d76a85⤵PID:4648
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1884,i,16245033296292712420,12730558959682969156,131072 /prefetch:83⤵PID:1184
-
-
-
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3368
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4256
-
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵ PID:4964
-
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:368
-
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3576
-
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4596
-
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2640
-
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1504
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4392
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:740
-
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3176
-
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3468
-
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4376
-
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3080
-
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1500
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4132
-
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵ PID:556
-
C:\Windows\system32\TieringEngineService.exe
1⤵ PID:5196
-
C:\Windows\system32\AgentService.exe
1⤵ PID:5308
-
C:\Windows\System32\vds.exe
1⤵ PID:5480
-
C:\Windows\system32\vssvc.exe
1⤵ PID:5628
-
"C:\Windows\system32\wbengine.exe"
1⤵ PID:5744
-
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵ PID:5844
-
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵ PID:5952
-
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵ PID:3808
-
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵ PID:5868
-
Network
MITRE ATT&CK Enterprise v15
Downloads