Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-04-2024 10:40
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-18_a791971459b8374d937ce29e59386a68_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-04-18_a791971459b8374d937ce29e59386a68_ryuk.exe
Size: 2.1MB
MD5: a791971459b8374d937ce29e59386a68
SHA1: a3392b545a8e81f6a343595db879c6aa666417ca
SHA256: 9fe73a2057d9bc930554cfc691ebe5b12401e71db3b2c1152b13b9bdbdb20ff3
SHA512: a5d6881c4beed6fb557def7980f7921b9eeb70fcc4afdbcf02092b8f84fbe60bf0ba2249b6d10f983c1386aa14d34ff0eebf864ae3c3e432a08dcb44f563850d
SSDEEP: 49152:sjFX33t4INlfTqkUMLu/52bulcI1wXZTBz5E/snji6attJM:s7fTqmeX1XEnW6at
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid   Process
1752  alg.exe
2160  elevation_service.exe
688   elevation_service.exe
3372  maintenanceservice.exe
1096  OSE.EXE
4992  DiagnosticsHub.StandardCollector.Service.exe
532   fxssvc.exe
1968  msdtc.exe
4796  PerceptionSimulationService.exe
2008  perfhost.exe
1492  locator.exe
4924  SensorDataService.exe
3572  snmptrap.exe
3320  spectrum.exe
684   ssh-agent.exe
2936  TieringEngineService.exe
3344  AgentService.exe
3396  vds.exe
3568  vssvc.exe
2744  wbengine.exe
364   WmiApSrv.exe
4968  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. The report attaches no IoCs to this signature; it is a TTP-level match only, so treat it as a lead to confirm against the file-access trace rather than as evidence on its own.
Drops file in System32 directory (24 IoCs)
Read this table together with the "Executes dropped EXE" list above. The submitted sample itself opens only C:\Windows\System32\alg.exe for modification; every other service binary here is opened for modification by elevation_service.exe, and alg.exe writes 6c3e0e8d7d34635.bin into the SYSTEM account's roaming profile. The processes that subsequently run are those same pre-existing service executables, so what the sandbox counts as dropped files are existing binaries that were opened with write access and then executed. On any host where this sample ran, those binaries should be treated as untrusted until their signatures and hashes have been verified.
description | ioc | Process
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-18_a791971459b8374d937ce29e59386a68_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\6c3e0e8d7d34635.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | elevation_service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_74000\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
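The three tables above give a responder a concrete list of binaries to verify on any host suspected of having run this sample. The following PowerShell is an added example, not part of the sandbox report and not a vendor tool: it checks each listed path for an intact Authenticode or catalog signature, records its SHA256 and last-write time, and looks for the non-executable artefact alg.exe wrote into the SYSTEM profile. The path list is copied from the report's tables (a subset, to be extended from the tables above); the decision rule that anything not reporting a Valid signature is suspect is ours, not the report's.

```powershell
# Added example for this report, not part of the sandbox output or of any vendor tool.
# Checks the on-disk integrity of binaries the report shows being opened for
# modification. Run from an elevated PowerShell on the suspect host.
# Assumptions: paths are copied from the report's "Drops file in ..." tables (a subset;
# extend it from the tables); the "anything not Valid is suspect" rule is ours.

$ReportTargets = @(
    # opened for modification by the sample itself
    'C:\Windows\System32\alg.exe',
    # opened for modification by elevation_service.exe
    'C:\Windows\System32\vds.exe',
    'C:\Windows\system32\dllhost.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Windows\SysWow64\perfhost.exe',
    'C:\Windows\system32\spectrum.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\system32\SgrmBroker.exe',
    'C:\Windows\system32\msiexec.exe',
    'C:\Windows\system32\vssvc.exe',
    'C:\Windows\system32\wbengine.exe',
    'C:\Windows\system32\SearchIndexer.exe',
    'C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe',
    # opened for modification by alg.exe
    'C:\Program Files\7-Zip\7z.exe',
    'C:\Program Files\Mozilla Firefox\firefox.exe',
    'C:\Program Files\Google\Chrome\Application\chrome_proxy.exe'
)

# Non-PE artefact written by alg.exe into the SYSTEM profile; its presence alone is a hit.
$DroppedArtefact = 'C:\Windows\system32\config\systemprofile\AppData\Roaming\6c3e0e8d7d34635.bin'

function Test-ReportedBinary {
    <#
      One record per path. Windows binaries are usually catalog-signed rather than
      embedded-signed; Get-AuthenticodeSignature resolves both, so a rewritten binary
      shows up as NotSigned (hash no longer in any catalog) or HashMismatch (embedded
      signature no longer matches). Anything other than Valid is suspect.
    #>
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path = $Path; Status = 'Missing'; SigType = $null; Signer = $null; SHA256 = $null; LastWriteUtc = $null
        }
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status.ToString()         # Valid | NotSigned | HashMismatch | ...
        SigType      = $sig.SignatureType.ToString()  # Authenticode | Catalog | None
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256       = $hash
        LastWriteUtc = $item.LastWriteTimeUtc
    }
}

$results = $ReportTargets | ForEach-Object { Test-ReportedBinary -Path $_ }

# Suspect: present on disk but no longer carrying a valid signature. "Missing" is
# reported separately because not every Windows edition ships every listed service.
$suspect = $results | Where-Object { $_.Status -notin @('Valid', 'Missing') }
$suspect | Format-Table Path, Status, SigType, Signer, LastWriteUtc -AutoSize

if (Test-Path -LiteralPath $DroppedArtefact -PathType Leaf) {
    Write-Warning "Artefact from the report is present: $DroppedArtefact"
}

# Binaries rewritten recently deserve a look even when the signature check passes;
# a legitimate servicing event normally touches many files in the same window.
$results |
    Where-Object { $_.LastWriteUtc -and $_.LastWriteUtc -gt (Get-Date).ToUniversalTime().AddDays(-7) } |
    Format-Table Path, Status, LastWriteUtc -AutoSize
```

Treat the SHA256 values as evidence to keep, not as the verdict: compare them against a known-good image of the same build, and follow a positive hit with `sfc /verifyonly` and an offline scan, since the same report shows these binaries running as services afterwards.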
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run the reads come from SensorDataService.exe and spectrum.exe, both Windows service binaries that appear in the System32 table above as opened for modification by elevation_service.exe; the submitted sample is not itself among the readers. The device identifiers involved (Ven_QEMU, Ven_Msft with Prod_Virtual_DVD-ROM) expose the analysis VM's virtual hardware, which is exactly the kind of value such a check compares against.
All keys below are relative to \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI.
description | ioc | Process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Both reads here come from TieringEngineService.exe, a Windows service binary that the System32 table above shows being opened for modification by elevation_service.exe; the submitted sample is not the reader.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
None of these writes is attributed to the submitted sample or to alg.exe. They come from SearchIndexer.exe, SearchProtocolHost.exe, SearchFilterHost.exe and fxssvc.exe, and consist of MuiCache resource strings, Explorer FileExts keys and Shell Extensions cache entries under HKU\.DEFAULT, the hive a service running as SYSTEM writes to. Read them as the footprint of those services being (re)started during the run rather than as persistence.
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000773dc4197d91da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c5c661a7d91da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006264cb197d91da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3337e1a7d91da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d00e8197d91da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002413fb197d91da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfc30b1a7d91da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
2160 elevation_service.exe
2160 elevation_service.exe
2160 elevation_service.exe
2160 elevation_service.exe
2160 elevation_service.exe
2160 elevation_service.exe
2160 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found
652 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 5064 2024-04-18_a791971459b8374d937ce29e59386a68_ryuk.exe
Token: SeDebugPrivilege 1752 alg.exe
Token: SeDebugPrivilege 1752 alg.exe
Token: SeDebugPrivilege 1752 alg.exe
Token: SeTakeOwnershipPrivilege 2160 elevation_service.exe
Token: SeAuditPrivilege 532 fxssvc.exe
Token: SeRestorePrivilege 2936 TieringEngineService.exe
Token: SeManageVolumePrivilege 2936 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3344 AgentService.exe
Token: SeBackupPrivilege 3568 vssvc.exe
Token: SeRestorePrivilege 3568 vssvc.exe
Token: SeAuditPrivilege 3568 vssvc.exe
Token: SeBackupPrivilege 2744 wbengine.exe
Token: SeRestorePrivilege 2744 wbengine.exe
Token: SeSecurityPrivilege 2744 wbengine.exe
Token: 33 4968 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe
Token: SeDebugPrivilege 2160 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4968 wrote to memory of 4636 4968 SearchIndexer.exe 121
PID 4968 wrote to memory of 4636 4968 SearchIndexer.exe 121
PID 4968 wrote to memory of 756 4968 SearchIndexer.exe 122
PID 4968 wrote to memory of 756 4968 SearchIndexer.exe 122
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-18_a791971459b8374d937ce29e59386a68_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-18_a791971459b8374d937ce29e59386a68_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5064
-
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1752
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2160
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 688
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 3372
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 1096
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 4992
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 2308
-
C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 532
-
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1968
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 4796
-
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 2008
-
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 1492
-
C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4924
-
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 3572
-
C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3320
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 684
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4284
-
C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 2936
-
C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3344
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 3396
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3568
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2744
-
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 364
-
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4968
  -
  C:\Windows\system32\SearchProtocolHost.exe (child process)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 4636
  -
  C:\Windows\system32\SearchFilterHost.exe (child process)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 756
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.1MB
MD5: 556d824fd95bb706feb5de59af655ac3
SHA1: 502cac6419bb9961ba0b79c1d3ef6a7caadc1170
SHA256: 17100e4145b54571d118672cf4ae2b9f184c99dda582469555b4712b85629cda
SHA512: 6bd657b90cb30ea8ee163128038fa4e47e6f9dc7982f31964534a6a194cf1e9643311e3416b09b1fac0532947c0014db11fbae6848bb7fb6a42102a9ee9aee27
-
Filesize: 797KB
MD5: 4920def6b19a5fb0cd9475926facd54d
SHA1: 855fcb3ea1db971c22c6a046c5aaa5a193a25598
SHA256: 501cbc34eafc660b2b250426428e371366f5b08428df188cbd52d85e4f53382b
SHA512: 7a5df451a78038ed66da40ae121bd8c94f1f7b326bf298e7b02b7af1ffc6a5504ca3792741fe742ce1753932ca76d86454d25a00bb8651eb71955650fbcd7874
-
Filesize: 1.1MB
MD5: 2ca43442ff488ec650fa5241923a9e98
SHA1: d09cf59f367c8e5b5c44319070ac39a0b36edd78
SHA256: 07539610a92feda81e26504914bfd1dfdcfc61db70471a33662b4d8e9b66286a
SHA512: b758b1d26b93e9867d7f5a85b412e9f5234c9b0a972b91c140dcc8d8e9462b11c7d1fee1673a4074bca5d119066fe309ae9b8d483449ce606f288815d63d91a8
-
Filesize: 1.5MB
MD5: 76cf46dfe1ce61b9859e2837e327f57d
SHA1: 54d9ae515e9cbf013d61e3f5a4a5037b8e2418cc
SHA256: bc30a641aecb6135d4fbfa6b4e1a02b08dbf2e95513f50f1eb55926516725a43
SHA512: a0a674133e41771cec3b7a4a645656f19b0e8cc959d8ffa11e3526e35fec16b2f649d10818b2f1df028681236af6e0fa52df99c9bcb6b8052e0ca0912573d0ff
-
Filesize: 1.2MB
MD5: c5bb8469b8bc3639f73d34c8105ca0e7
SHA1: 2c714b0d7df9e6c859fc320fd692b8ce3802872b
SHA256: 8514bde201bcb2e02f25cb5f7dbe09e8850d06926d00fbd448ea2fcb7b99afce
SHA512: 04aaf3df84cc7ed6ba8be98afd7cc7dc76f765d60ff7439a3c6be734b8c5212a4499e4a8b204ea6e52356853930c172076130e6e34237da3efdabfe4e204be45
-
Filesize: 582KB
MD5: 76370450ad87a7766b10be47ea388ca2
SHA1: 496463d0e8fdbb3ddc13ee8f193bed7ec6aedff2
SHA256: ccb5f0e678f3f4742459e7cb57d4a140c762711b1485bb0179f900b4a44d8e87
SHA512: 78a649d46b4d2454cc30e463240a1b545725510f428209072ec73aa5ef19b2f03d6b224726b7bf9026ed3e4294fce9e53cbf54027259dffceeb6269b5e8115a0
-
Filesize: 840KB
MD5: df4ac10a227256d66d53b2f058553d6b
SHA1: e1c74ce35c696767c5b85284a71a3ea511f8a69c
SHA256: 55fd761d9e22d32d874f4aa74d11b174fd7992f9c804fde658b388a2c5bdf541
SHA512: 231a9ace9cf2210f8f105f9b2667715c68b8e687716a672456eb495a102d75f9c033176e851681965107afe7c31ae2cfa046490c54af47f4403f9872f0fcccab
-
Filesize: 4.6MB
MD5: 09caa4f7e698b183692aab0d5beb11d0
SHA1: 29eda3db98eb7b9ef0bc94710e04f17622ee7b44
SHA256: 21ce2b0a178183b968dde646910614254589dcc13bf544add0455acb627a3f85
SHA512: 03622317fd9008df4afa897a16d0034f8ab23a2e1b134fde4f1cbb362b95d9f1831cfcc1be46f9abb5e95641f91dd77a363aace0db497bfc471da64449417ffa
-
Filesize: 910KB
MD5: b3bef8c3ddc7e86eb4edf5d7f36283de
SHA1: 043296af7006d7d67b49ebe14b56dd7fc2b2fb0a
SHA256: c4d726bf1e1143bcb6b1cc0de62f7b610a0bdb88a6b835eee7527699741d6827
SHA512: fd625ab81ecbee411b1f2ee8235b683517c8fad258adc6b6a85a508e2b32f45272fe9af7546cfaab63f0f2200ca5b4fe29a8efdc12575a2d06f1705a570c5b69
-
Filesize: 24.0MB
MD5: a004dfb7d55da437670ad93b16485761
SHA1: 3310dbf9d0b8ebe9d371bbd39e1e5f9891841f53
SHA256: 0d3fb8e92becd195b9b56c95dc3becc7923b803cccb228663784a0f5e21b949d
SHA512: 0ecc8b5f86c5f6c9cb19ab7dc289af43105679dcd8b3747c9d105e8f183cd1ec85e2f8e70072be6d4daad2e42769387f2932ede6f8e92d56bdd6e2b87ce8b716
-
Filesize: 2.7MB
MD5: 9f152b3bdeb62e4a6f560dbfc27289b4
SHA1: 30e12ab9a4466a477ee44d66a58caf83a44e4f86
SHA256: d53712f3a3478f84b02dac76f6742b334d658011a0913b154933ba274df04ff1
SHA512: 224e9dcd6e5c089814c447db0b5a6211e69b0b36e3f27dd9acf4b9d5180c1596d4d4829e7408e5b6831e1c273715c6c5e1fa5338547fc40c8a020b98d92c3bcc
-
Filesize: 1.1MB
MD5: 003df350a83ce5e9dca68ebcf7991dc4
SHA1: fe18ae1645087e7fcd8c9768b7871a93528fb698
SHA256: eba070ba71a6710ebc7a951b58258e9c05fa38ca7a62911133b00a290f29ba2e
SHA512: 12d38cdf17b7a0857c2358b71012da6543d8f2733249d203d43a45c7f8749c9d1a2ca0007648149cc56485db7527433752185aaa0be28776342e33c947a3bf58
-
Filesize: 805KB
MD5: b24d915aa662d2f277c6fb4d2c05ad61
SHA1: 13db8d1b19065c702dbaf179a4435c87c2328132
SHA256: 8dbf8834383b039890bf515ebffbda50740909d3788b2cad94f14c19fb9a5c0c
SHA512: c1855d7a2e98de1096691cc149ca700832b4b326d8c95bef1a3a3bace006935c7fcbd6d8ebc7e4f709dceeedb9fa1e94c4142f41ba1a7b7a783aa9efb8273234
-
Filesize: 656KB
MD5: 944fb9d3a0d9e1c425d97182c675b0a3
SHA1: 6549612bb8227a169d3a55fd63880e1bb3d3672f
SHA256: 6c70275ee0ace55236e0ae3d1a88e858a6e08c47bb78490eeefad43c6e44e38f
SHA512: 8fa7934e7a20d7ee24c40c21cb1ec082a987994c943ff079f684d89888e5ff237248a3cd332d48fe6859db78e57887fcb0bbe60e1528ee42ecfacdddfc2c0707
-
Filesize: 5.4MB
MD5: ac03b4cb51793d28e4fc72def1c496f4
SHA1: 7f11bc10f1dabee329debd2f82a2f2f234a774af
SHA256: 3cacc430ec5fc729b474807eca6f28450d66c4a8005120e32c1d669754ff33e3
SHA512: aa9c798b07ce194730603518d00a2c73ca77fd7822115479929fbb43dd6235b48005fe95b97b44f6d23c7bf5451886df2494e1a7a1ad7196929efea8ff4b3a5e
-
Filesize: 5.4MB
MD5: f61fba329cea7dd2cd2357e31b83b406
SHA1: 94b9ec145446dfbffff55129481de073b375c705
SHA256: ad0bdbe99a15c3a9e06ad32d95d79cc663ccc0107a83dc76f4b8ba01f48da1a0
SHA512: 03f2260ff261891989aac68338c709651829e7e634ccef6944a46a29234d86f3463a032b0d4dc28cd2ccc7a0113293dd67e21439d999c185c2d300bb2d6fe0f8
-
Filesize: 2.0MB
MD5: 5975dba2dbf5d2a41b493fb292f0cfd9
SHA1: 63743372c52d11c4a507e138d9797dce4447790b
SHA256: fc8ca4b6337332b0529f9224c17ee09eb461a0f7d3bbf0dec5fee58047f24392
SHA512: 5f2877d808d2ae88608334c41eb243db078ac95219f0380797f9b5cf156356e904fd9d1935c017cf0d2d3deac309337676a0b3ce3fb71a52491b889d951aa744
-
Filesize: 2.2MB
MD5: bda3b68d6a7550a54e035c0c95afdc2c
SHA1: 541c2615cdd002336b5a29a8d57bae6425280c22
SHA256: 4e71d2c4a832dab5ef9edabf79704eedecbc865bd1a82ec4b8850dee43a82b68
SHA512: bd245d8d67269cea7d63269f9c7a73543571b16bda6a56a4d91b2ffdbbc8b899f70b411854725901f2a70d18ff42a6806c5abecd5d5e3e30f285bca1361711e8
-
Filesize: 1.8MB
MD5: d5637980042a457f1a4f7f22cf76cc87
SHA1: df61196d80ffb9a2b06d07d5cbeb33771d951ea8
SHA256: 1622ba92149cdf51e79d80a735b540c796e7dafb333148c79dfcf7fd9cc4eac4
SHA512: de576caa2eb484d013753515186cc48b7d95862cf89b2baaf7cfe0366ab46358512f8b1eaec65b1ece9f3904314296e5f83a6b34d5bfabebe170ab0a6a0537bd
-
Filesize: 1.7MB
MD5: c75e6a4c54e582be70a747e31ff669a3
SHA1: 74c069530fd4380c9849843399594b682ced36e7
SHA256: 2a1d75b2de577c32327e5c572db5b68a9abfb0108a2c057b7e3a1ba32cc78b2a
SHA512: c8e10418f043c58dc4c712bb503730115b39fcf17bde01718d30d01e1d62a298e80807f9b06b73748f7426e66e8c1426ba07d559fbb08bfd85ad5cd99549bde2
-
Filesize: 581KB
MD5: 3a542e97016eef656b97b6eb499f5c30
SHA1: a62d29b920dc5c0c8f5bcebff9d6c3f166347919
SHA256: ee9e682af3ea6308734c7867c132dcfc5053264844db518af9ce0b42044f0979
SHA512: bfb8a9c1d342fcac954996659be7da4fbe7b63c5d4131f0c8534a7a1407d16b7eea24f2836ad3cdefcdef9aebca6fa16846011d35b670708cc4bd75ef63304f8
-
Filesize: 581KB
MD5: 384bc9120c6b746a968d634d257ad262
SHA1: 08030037c662a6779b35e993a770a1354029d781
SHA256: 21d782e5455db989b883847dc55f66a5dec57a97f6c7d06ee8f9c6f4c5a520b7
SHA512: a3de40df430b4fe1747af794debf6937f2001e9bf7ff37e8e669c850093a02146c33e6ee2888fc69ded1df0416e348db326e82caf8c339facd16a7c768d646ca
-
Filesize: 581KB
MD5: 92cce5856201b7a432d028451ece0595
SHA1: 49fa84c8c57b2d303cc334d64dcc66c827414b45
SHA256: 9bb4052b9d1e9b297a13f71fc9b8d7f240ea7ca3d8499a9cf446de0ac2999e27
SHA512: 2f7d3d43dc856b67826d8fc3b1fe1ddf24514897b7e341bc45646377b9dafb3c1a66e3bc18ec09d39595a174deb8ad4dde23ce5e7efb160d686bed775095317a
-
Filesize: 601KB
MD5: 7e5f604db75ba96384c32944b438ac39
SHA1: 8aa58ce2cdd9badfbce14cf7508ea8ae99c63d2d
SHA256: 3bffb2cfe357a936b5d2feb794e17442d1fd788dc83c9e3a13551dc831490fd4
SHA512: c5f8f7bc4e38c8842bd01876d544470d0df9f47917aa1967e20d12bde579e1777dd8728e296dafafdcc6547967b8a10208eadc3708bd6eeab47b1c35c52fbc9b
-
Filesize: 581KB
MD5: c4679294ea868af36e5e7a255f005efa
SHA1: 5f7a70254dd1226054ef7fa3dfbe91505db8c1e4
SHA256: 799e93bbecb4bb8d99e8d281d61b10a0c0bb63ddcaf5b521e12d51446d64082d
SHA512: bc39cac306073699b7c935ac6a73b3c4c0d6c12b19318bc7a6bd366edb79741fd2462df73d3676552957071a82d297b0c7d668c75dadc6217ab5704050cc6bcf
-
Filesize: 581KB
MD5: 0cb54d01d8edcd110adbd80c3b3694ff
SHA1: 687a72627151649ddd999a2631e599b1b4146e21
SHA256: f0628b0778c309620f0500f175982594cefb743a1cc73eb9865ce863680c9f85
SHA512: 898e706adf3a95c920629c973ec1542dc3fff4982556198501aacf1a3a1c43154c928483d815e7032e3747556a5681f9ab0982bde8661bb2db8a8586e70accbb
-
Filesize: 581KB
MD5: 570fb09f4fa5bf145c8e912e732fa4f8
SHA1: 94c2b6596464291584dc031d463a26109f778d1f
SHA256: af00166b936e096b6a774d818c71f137156a8e9dbf9ee8516f29a872d5342540
SHA512: 57f63b667e8fc35b8fbf6316804352415852dc33ccd4e27df6df550048d94a938cd58bf5abd25e0fa7cf42c9c8eaa2a4ce363735fa374eb29782d54f4f783e9b
-
Filesize: 841KB
MD5: baea1e86e86fd149f52d43921f4c6389
SHA1: a80053cb8c929bb5f38fce2eac6565a3afc2d551
SHA256: 234005dd99252b51f9e4ed6c9cb49b51f80c421af2bf3c40b4176801eb265171
SHA512: 5c4ddbb105bf1a8f5f445911e7d93c6a06712d096d1c58c09afbeb1638fc3af5dce184c0abb9f8f839a523cbb9222362f42f7db074b7995a41df562941bd2c6c
-
Filesize: 581KB
MD5: 80babf95ca603d50c34ad19dda6d9500
SHA1: b8a44a08f0df9006e9d4c399520918db8667db48
SHA256: 8883ec7f81ee49800f35eb26d9cc941ff165389428e07ec4844c9ec4b6b3440c
SHA512: b0594a9457f82878148c5cf680f14107d127cac1e7d52ea3520e1f822b78f8da6c535c0cfeb27f73955a48da4440ea6a4a3725f71d4a684d7d147ce8e16f5c61
-
Filesize: 581KB
MD5: 8f58ccda8887b447846626bca841ee36
SHA1: 6251a0c586d49880fe30fab91447b09fc21db4ff
SHA256: b25445046178597782e1af162d3f6121050eff2b6260ee8c1c7c07aace4dda29
SHA512: 6f058b05bfd03bfe271ebde8d146be6c30694668ab7e71215d9c1499a81e8e5778b7a987969d9c0585232e4e640a2ed117f2d4d5f1c8989575a68ab14f9c8be2
-
Filesize: 717KB
MD5: 11cd29f8d1e4c1549a8d211e9c528dd3
SHA1: 6b258fc4d21972905b66a7d3dccd3d40933e2a2d
SHA256: 940d86bc34eb8931ea2d41b9bf8d3b7c7bcc707fc59885f5732dc8c4e426481a
SHA512: 53d28ce63a135491e213da49ee2b910a4142b103710ae9cb8175310d6e92eec56ee5109d204d749ebeb7b144a1884aea1b5a97128d636879dce900f3b2e3650b
-
Filesize: 581KB
MD5: d62956a9da4582746ae757862da787d4
SHA1: b51f720411d9cc9acaea85b6e562a71efb2658d5
SHA256: b23c2ceded13cb120b55331202fc49438517606656887128ef189bdfd7394ebc
SHA512: 7e3aaef4b21695b999f5fcfd663cbb1b5d47eeb7465751cd25411421b3678511e3bf639f92f0c3d082e653c152ea769ab2c8a1915e4fc195d5f7201a0ec8f432
-
Filesize: 581KB
MD5: e069442b30567822dc66ff2c256e9b9f
SHA1: 35b22175e7079ada310945ade53f3115691e5249
SHA256: bc7bca5d10d30c0a5350ecaacba594e0ace8dd0b9ea4b536ff6ba1befe694f0e
SHA512: 6a9ffbc83e2a76719b4699171acef96292b4bc2112f8faeb782af4b937f1ef0ffc933ba3cc18813fdcd0f9f3dbeec26ff71c2f8c1b56662bdb1e20e3cbe7ac7c
-
Filesize: 717KB
MD5: c60ed4f82d2943f0441e0e594d7d9697
SHA1: e3f2f92fe48d2651cf0ab3b8ab651079ffeb67e6
SHA256: 7758699da7f57e8f932a1d976dfbe5edaa9f07740a5a07af8da728950ec2aceb
SHA512: ada0e7a2032cb734f45ddb92c17d95df21120c5d1ef76086f39d27b4a2aee0bf8378ba812dd89d3a19eccd8c209c90af5beb2d11796b5ff663210941a1a2b466
-
Filesize: 841KB
MD5: fde462f0f21777bd459221a2e16ae1d2
SHA1: 9d838b4943dd415829f5933dfbb2aa7de1a9da5b
SHA256: 275807c3127f384fed7930093b6204604c6d1d2e1053738ed8fabe26f79cb6f2
SHA512: d4a00d49c924aaaab6a8d29b01b52100852885d425e9f1ac517a036159e066f9f838684126dd7873154d4696cb9e154efd85eacff0304d2da9b2da74c009046d
-
Filesize: 1020KB
MD5: 0efe33cd8ebf08410d8a4048b8100a58
SHA1: 16c7e6b1f4a74ee832568750b982693e52316182
SHA256: 810c434b2a9c46b82fc2e0864d37c35423678757085f38fcb7987d2e6e9eaee1
SHA512: dc69f38978bf251456c6929a9bc10a6060d49906b18b0f4abbb8e6fc7300b303754428fe31dce11dcee3c66d495e3f4845343a77afa327cc2234bb6623243ccc
-
Filesize: 581KB
MD5: 2cc469cac3559570a6213928f8ed17d4
SHA1: a77bb20fb5ee217407b7a2e6286f9a20f5598f46
SHA256: c3ed34e3a7f3b4665dee3f2a3f2f5f9f4622db7419b1c5c1cdc8ce4a51ebce60
SHA512: e58cc44e5e08d080c4073ad0305d9666310fbf286a092d2edcf6902d0f787ddc00c0712b1875bf5a6fb74de6b8fafd816df625096f3979af3f1ca9796fa4e679
-
Filesize: 581KB
MD5: dd64ac7f51a8ade00e809ad9e4f14467
SHA1: 6030d68b18144f7c203f1e777e401633ae689fba
SHA256: cc53348cc221ff85f27d25c34a28998c510b8728882040c32f1627dde34a01b5
SHA512: aa4340b7468b0df75347f0642b8a0aaba6877283b4dc9342e4d66e37516e549f90b75e7e290ab68516e056fa03d6fea2ce807bcdc8bad59e3b0c23eb54591019
-
Filesize: 581KB
MD5: f7c3b7f9c3a46bd10f3665c22e04c944
SHA1: 520f4676cf97054e06bc570d44e732ed99da0fc0
SHA256: a223c0bb884898a37a3d62a37cc6fb48c53532f015159c1bd17bd2ed214f4918
SHA512: f22f35444e53a5d2e675ef40d9fae3bc699f56893e3c1f7b9eaa6f5b43635c0f95c19a8a28ef4b9987566629db05d2bf5b7ec1129e61fbd56c6e0370502273ec
-
Filesize: 581KB
MD5: 05162d4702863cf8a8b3d5f9edf143f4
SHA1: 1b2b67c024b18588161c38a11003f8a214114a51
SHA256: 9415db8d0c3d60e777d447d897c080579ba5bb5962c0deeeb6b110b3fcb17dbf
SHA512: 39f6e3baad41104d171af8f3b8c2388f30d5958dc0b80a4ba7622523e141534adadd2b2b3c4bf0f99cf3eaf140b4bd464687386d22c6d57a8424c765788dfd3b
-
Filesize: 581KB
MD5: 911c8c473df254de7d2bf9b2e4843cef
SHA1: 6a6e04c884d82c4ddccb07052c22d55ae77c6fbd
SHA256: 1a69a2204e9c37be48facc7ef2d381622f21d83ce981795d7a4a41dc68e32101
SHA512: ad917e85ca74af512497caf8e55ced08e3c119b0f1bde708802f94b2ad98fb6a7d977ab52604fe4c0a6f4b302f60266fcdb7f37ed4f4820db009ed49af29c118
-
Filesize: 581KB
MD5: 19de1976e6ecd1fc0a08b750f408f1b8
SHA1: b1afe2616c3e2da022dfb18361b0781fd0988e23
SHA256: a057cc56c467fce547bcf37a70ad46f51fe62bf0a98d640fd49727f403fb21d4
SHA512: aed28bf63708e528f7ba72adaf1fe308dae8b0c6bbf4890161a82419221d3cd5ac389049cd34b58a2d860cee9697f177bc168853776c6b1f463a88a69cd9c78f
-
Filesize: 581KB
MD5: 3f3c468a2feaabb5ac11416daa2ecef2
SHA1: 7f73a3873b0878bbcdd9b1d63d6e84b2510fcb69
SHA256: 4cc5b82c550776be5dfcb0e6e10092fa21977379d91c570a6e185ea8e93b8fce
SHA512: e48187bab26a370100823c4aa546fa1637a52cc333a3cf05acbd5ff157fabbd27c3695f1110a362667ec5e56911ca0394f5a44bb88e6a46b8ee480823c2a030f
-
Filesize: 701KB
MD5: 8dad7305af53f63b2af7a05aa56d00db
SHA1: b82fe6ed27aa6959cb1c7295bbfe8923dc13a69e
SHA256: 2039990d3a208de6d91f2b9479d31f885740f8d3e930903b60c7ecbff6d6d8c8
SHA512: fdaa4a772824c18e9dda8f9e7f5920138e0e33067a3ea6205356e7356b6ce5f7ccd106d7445c666cae232e27b804d612071327af25e8ddc7ce56381a57a6a4f3
-
Filesize: 588KB
MD5: a526abeadef0126e5be346cabec33110
SHA1: 8c123de58fd9dfe56bc65852daa0c694d3d58948
SHA256: f4790ad9763d155818d3b21dcd220f098266c9801d3701b1d3e9e8e37a460c07
SHA512: bf96a459e9b4505ed076fad9a03cf6737065fbf99e3d9e8dbedb0d2a2273417a6407a384dcafdb4ab32da1a3cb6e25a995451aee31106cb3cb333a445edf8fb1
-
Filesize: 1.7MB
MD5: 98edc75ef7b53aa743e1ef2209f54c04
SHA1: 828d50531f962fd3cee5856b332530faee536643
SHA256: 2b816159d2efaaeed96774a8fa87378142375402973750139b947c7cc3f05745
SHA512: 84275b2611372f4366835cb12ad47b735b5b08e8fe4f51196448086c14d462c3f3871f3e4533e952ba426cfb33f9d8962dd80cc73531082bfb81d6fd7dc6d5c7
-
Filesize: 659KB
MD5: e9757e72423e25f3e0b3f0977ae2df81
SHA1: 139166b0bc2223e868aab21c6b562c10c246c358
SHA256: dad1a1aa2eebf12e930125fb460a8bf48a49d673e8be99937c76d3e81cc64a36
SHA512: 7c95d69c458639e7ed4e4caafc6334cfaf94b8fb55712d4515decc9df093d80c048496cca665d1cb1f7b0802bb18c7eb6e3ea3be217ae50f906bc5bb957590e0
-
Filesize: 1.2MB
MD5: 8b03c58a37e8ac239b0b9c217e4b66f1
SHA1: 2a28e523b2bcccb1ae3068a323c76df24dadcd94
SHA256: 2358486345f2bfc5a68ccf1986b188a0d9b15894b56ab6b497145fd5f99ba4cf
SHA512: 9fc163183176cd3d082f0af46ba169100c2e7237b433780ad986ff90919adb02f14040e2a1f597e7436ac1ad421f7d657501d48ec6f683968e8359df041bc8d9
-
Filesize: 578KB
MD5: 349db69602c097b066abe74a1d64fb39
SHA1: ccf2585302160a2d81e156f72c4bb2a266de8cda
SHA256: 68a3e19a461f9e77ce97cb0d54f008302943e98d1d907b702a893906f7106023
SHA512: 2734a21250242bb279b0e366612bbda5c4ad6079f03574989d1e7de7ff359affecb16e182a53457931fbbce231e74159d1faec25a44b48fce62795244312ff3f
-
Filesize: 940KB
MD5: b6c2171a6261beec242fbe297a6103cd
SHA1: c96e1bbaa40f83fa503aa3ca6d6eb3653a045412
SHA256: 09e49b9eb3d4d4f5538a17bbdc0f8999df61d23c0d6c39277ba4eaaad7500a40
SHA512: 5afaefbe2490f88ff71bb79cdfc38b00283ef47f19f94b14c2d5805538f33a51c07d8222894e2f5487a04b51901036e72b9544285e77eb86a7c697b66a9a51cb
-
Filesize: 671KB
MD5: 4ee9a04a218f802502fc8304b08b5f79
SHA1: d7c7f556c6efde7d01eb5bcf5bee0067b3f59d84
SHA256: 83d03c5b2e61f0bc601f0391ad8efb610280384cb14b7b7f389d8c6636588ea0
SHA512: 5b6324221c1123954e4d144c79863a0c89f35a5a1dc84706833b6942c847455150fd96eefec2f1290e275bb5d9e07eea0c64251eafb8ad4e49ec0a31480e2a9c
-
Filesize: 1.4MB
MD5: 5f7fb399c97ac741e474b7967b7a3c79
SHA1: f0153dfc2e73fd4145da66cf010d3f439e3430e6
SHA256: 40615ded7a8c16a55a4916a033b11d083a1adf02d9a89500d7e7b014cb876232
SHA512: fbd44e049fbef8579796a4cb8f2e2d1bc4643d0b052d2a87d7fce6ef77f12c0aab2aeec3b15c5406b9a301bdd2cc8909d8ed1875307aae1a8511217a802c096d
-
Filesize: 1.8MB
MD5: faa254228bea2115b037b453da364495
SHA1: b0fdf34c97b1f78b38afc0b3e62d926838991cc1
SHA256: d16a50cbc670b67f2fece0a6c5ae7f1dcbf7069e1681d8f31ca4efe0977c4456
SHA512: f4c1a57c589f80b8bc001d31c28d944c3ee868ce2efb75cbcd9a979f730af89b1f3d17b291cbcef0bba1f0e9129dec27c21401394f8328af7913974928e623f5
-
Filesize: 1.4MB
MD5: 59829f8578bd05339c59f28b254de855
SHA1: c00a62bf445f10ef66d2ad94350a94bb9069d972
SHA256: 23314c23d0fd0c659b6d04432f8ac99f51bcf015ffa4d7e30eb4ab535759bc3f
SHA512: 5a2eb88bcce6dbdf3bf1ba4590cfd76910d5ab32d2fb7c410b68b9c078b1a14022a94e553c55deb0614b68cc1189d1764af68a60e02f69e5b68f8b2f1b3ad5c4
-
Filesize: 885KB
MD5: 6ca8fc95e40e2f2d131c5bd776e87966
SHA1: d89bd117b241ae766c6289e047fe343a80a17d0b
SHA256: 5a7cd3b6ed3eca8d7c7d4adc7fd1fcce4c201fabf4398bdc71968b991429beb4
SHA512: 08a655ba894877b145af3804608a662eb169cdc137e3a89cb25eddadde74b7ab71e1cbb40a46e0ac0d6b357d2169f513ad449544f1f29ed86c85e8dd1ac83210
-
Filesize: 2.0MB
MD5: e8102679063e84ca35bd5cbe08bb8683
SHA1: cd8f4d0b463d00d0642666f2e710f17b28a2ae8f
SHA256: f0de0b4106cce524c05a1b4ed8ab2a1006ecc14b00cfb25ca35a0a7105404f93
SHA512: 3e5363d9cfaad5fc8f0f38e28bd7575069e5910d559a6577c1daaa14209f31376af0486520b0586e12847113f30ea9bca7fff8bc918a9b36bec05d3aab1e2196
-
Filesize: 661KB
MD5: d7f89a1fd416753ac53756419f8fe190
SHA1: 8f33a9019296b15072cc60fbe6e17e64c993509c
SHA256: 0a035b2b2f483d2f2b08189e1e4297416ace58bea7b6cc47f768d899d3861dbc
SHA512: 9fb5e3c54414b133479f779684412ef239734d343b25e7dcac9f3246c02300659389200b4c66b380cf8015793b2dc64c934d9f8111ca99808b660f2a0ac973b3
-
Filesize: 712KB
MD5: d59eeddaf109730418c4cafa348e9024
SHA1: c2b54639d06e0a25538b432d6dab65c907a7d42c
SHA256: a33f521d07477434870c88928068fff008535f1fb8cfdd28e257e88d500cfd39
SHA512: ac8739abfbd364407c16ed4a2ea189f780ab43b37ad6137e2d5ca7fa4aa01c64bf8312563d34f119ecbf4acda655828acbdfd147acd9fb590ce05d126cdc614f
-
Filesize: 584KB
MD5: 53d77f312bd434e602c2dc5cba185df6
SHA1: c7b78cd37641b164bf7bf1e3ad8d981fecf6e2af
SHA256: 8e746a6706e70d9ee4ab0dd5b9bde5f43372a73be213be22a3cf9ad1182867c5
SHA512: 9a2293e357f461e4f57aebd8c2ad3f850c71fcff0fb9b83b028c03eb3ccea07d47eec1c805e70ea33f60eccaac39ba70a9ab439409d841f1567edaa176c88b66
-
Filesize: 1.3MB
MD5: 746031a54964fba26ffa129c6c052a14
SHA1: babca75a35c8b8b09240e43599be29ea20c4185e
SHA256: 01302f475c1bc2486ea074f4077690b3227a5486bc387dd8334825834930927b
SHA512: 4ed7c7702afa2df9c7651f01f6783b86b41cbeddeaef2ea23f6d67fb9aa70f0820c1cc4bb8a793de24953a02959767a6d2795e0506f4c289593eb74db6b0e4b6
-
Filesize: 772KB
MD5: 68b0185aee87ee8c9d121b8344bf8e67
SHA1: ca15e8927b8754f5e5ae6cad7a6daac4b4ae410f
SHA256: 3f229d1af94b822648f94e0fc60a8b5a4bd1b9c0ed9569957cc32fc573bbb9db
SHA512: fdcf19baedce904e2ab20c1348e5d0e242c28d07d9b9454506fa2e63a004b3c06ec2c9c7388f468df2d643cedf37a1b46de81ff1e3de886ef7909d4737f3fb54
-
Filesize: 2.1MB
MD5: a88b10919d4c0497bc8a8ae4a05f4738
SHA1: b44896d6e13194a3dad038bebd471a2bf7b39687
SHA256: c3c255cb6fc655ab49d60e149e6a624968166903134ad56b41e0c00dee3df79a
SHA512: cadca371e32f3bf025984969ce5f89ca3c7e230d12d8a081c7808e6c134f28d295e847fca127418a8da7698e519cf739b61c5996921b67faadc02b3edef4dcea