Analysis

max time kernel: 148s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 12:42

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-09_dea2e79dabd9d6654ca7b41fe5a1fa7d_ryuk.exe
Resource: win7-20240215-en
General

Target: 2024-04-09_dea2e79dabd9d6654ca7b41fe5a1fa7d_ryuk.exe
Size: 1.0MB
MD5: dea2e79dabd9d6654ca7b41fe5a1fa7d
SHA1: 27399422854483bc341298b276839841481fa1bb
SHA256: ddf4b95cd16de10ac6b48d65c42d290323f1febc85f2eec8250feedacfa320fa
SHA512: 52468a6002d2d547e49af98b46a7f90059d038d209ae020816341244c05791a653769ec225616c9ecd4450ccf7cf92c46c6c74249dcc5718f2c78b5a2694eedf
SSDEEP: 24576:Y6V6VC/AyqGizWCaFby1/i328ab4F+rM/aXq6bJfBUam6:Y6cbGizWCaFbe/i3da1YS6ozB
Malware Config

Signatures

Executes dropped EXE (22 IoCs)
Every name in this list is a legitimate Windows or third-party service binary. The file-modification signatures further down show the sample opening C:\Windows\System32\alg.exe for modification and elevation_service.exe then opening most of the others, so what the sandbox reports here is modified service binaries being executed, not new files written to a temporary directory.
pid | Process
2964 | alg.exe
4056 | elevation_service.exe
2272 | elevation_service.exe
1748 | maintenanceservice.exe
3916 | OSE.EXE
4552 | DiagnosticsHub.StandardCollector.Service.exe
2404 | fxssvc.exe
936 | msdtc.exe
5072 | PerceptionSimulationService.exe
4252 | perfhost.exe
3912 | locator.exe
4692 | SensorDataService.exe
1104 | snmptrap.exe
4948 | spectrum.exe
1084 | ssh-agent.exe
3260 | TieringEngineService.exe
2100 | AgentService.exe
1168 | vds.exe
2356 | vssvc.exe
4444 | wbengine.exe
1728 | WmiApSrv.exe
1876 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\f7e0e282990ca9c2.bin | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-09_dea2e79dabd9d6654ca7b41fe5a1fa7d_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_118578\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_118578\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
The Ven_Msft Virtual DVD-ROM and Ven_DADY device instances below are the sandbox VM's own hardware. Both reading processes (spectrum.exe and SensorDataService.exe) are among the modified service binaries that executed, but device property reads of this kind are also routine for those services, so this signature is weak evidence on its own.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
All of these writes come from the Windows Search processes (SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe) plus one from fxssvc.exe, and they are MuiCache strings, shell-extension cache entries and FileExts\OpenWithList keys under HKU\.DEFAULT, which is what the indexer writes when it starts. SearchIndexer.exe is one of the modified binaries that executed, so the rows are worth keeping, but their content is low-signal.
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000258e1a9e7b8ada01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4acfa9e7b8ada01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003256a69f7b8ada01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b65519e7b8ada01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080c9539e7b8ada01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3ed3ea07b8ada01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c3c889e7b8ada01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073398ba07b8ada01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4056 elevation_service.exe
4056 elevation_service.exe
4056 elevation_service.exe
4056 elevation_service.exe
4056 elevation_service.exe
4056 elevation_service.exe
4056 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4252 2024-04-09_dea2e79dabd9d6654ca7b41fe5a1fa7d_ryuk.exe
Token: SeDebugPrivilege 2964 alg.exe
Token: SeDebugPrivilege 2964 alg.exe
Token: SeDebugPrivilege 2964 alg.exe
Token: SeTakeOwnershipPrivilege 4056 elevation_service.exe
Token: SeAuditPrivilege 2404 fxssvc.exe
Token: SeRestorePrivilege 3260 TieringEngineService.exe
Token: SeManageVolumePrivilege 3260 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2100 AgentService.exe
Token: SeBackupPrivilege 2356 vssvc.exe
Token: SeRestorePrivilege 2356 vssvc.exe
Token: SeAuditPrivilege 2356 vssvc.exe
Token: SeBackupPrivilege 4444 wbengine.exe
Token: SeRestorePrivilege 4444 wbengine.exe
Token: SeSecurityPrivilege 4444 wbengine.exe
Token: 33 1876 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1876 SearchIndexer.exe
Token: SeDebugPrivilege 4056 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1876 wrote to memory of 4140 1876 SearchIndexer.exe 121
PID 1876 wrote to memory of 4140 1876 SearchIndexer.exe 121
PID 1876 wrote to memory of 3028 1876 SearchIndexer.exe 122
PID 1876 wrote to memory of 3028 1876 SearchIndexer.exe 122
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-09_dea2e79dabd9d6654ca7b41fe5a1fa7d_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-09_dea2e79dabd9d6654ca7b41fe5a1fa7d_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2272
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1748
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3916
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4552
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:748
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2404
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:936
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:5072
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4252
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3912
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4692
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1104
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4948
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1084
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4376
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3260
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1168
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4444
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1728
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
-
Child process of SearchIndexer.exe (PID 1876):
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:4140
-
Child process of SearchIndexer.exe (PID 1876):
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:3028
-
Network
MITRE ATT&CK Enterprise v15
Downloads