Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 15:43
Static task: static1
General
Target: 2024-06-02_e38ac770d527087d0c5a1535cf597db4_ryuk.exe
Size: 2.1MB
MD5: e38ac770d527087d0c5a1535cf597db4
SHA1: 30b4a92704929e94bef9977d003675d59c7803a8
SHA256: 09a88e788e64fbd886346044b5ad906b4aed15c0f0125851d0b836ab5bb203e1
SHA512: cbc96d8873fb7422eaf574165bc07f43cddd283a63e239891885196be47011f98ef16c99bc062be8b6428e1641cfd701014092763e402bb54859e1301fa8ca69
SSDEEP: 49152:XikKqNuKuNgEBV/wtjUNqE76CHHwbSsEjhMjSax84:XiekgEBVnfbsQWdO
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid Process
5000 alg.exe
4792 elevation_service.exe
4064 elevation_service.exe
4256 maintenanceservice.exe
404 OSE.EXE
1544 DiagnosticsHub.StandardCollector.Service.exe
532 fxssvc.exe
2104 msdtc.exe
1052 PerceptionSimulationService.exe
560 perfhost.exe
2480 locator.exe
2008 SensorDataService.exe
4028 snmptrap.exe
3016 spectrum.exe
768 ssh-agent.exe
1328 TieringEngineService.exe
1560 AgentService.exe
4420 vds.exe
3624 vssvc.exe
228 wbengine.exe
2108 WmiApSrv.exe
632 SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe elevation_service.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid | Process
4792 | elevation_service.exe
4792 | elevation_service.exe
4792 | elevation_service.exe
4792 | elevation_service.exe
4792 | elevation_service.exe
4792 | elevation_service.exe
4792 | elevation_service.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
664 | Process not Found
664 | Process not Found
Suspicious use of AdjustPrivilegeToken 42 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 3268 | 2024-06-02_e38ac770d527087d0c5a1535cf597db4_ryuk.exe
Token: SeDebugPrivilege | 5000 | alg.exe
Token: SeDebugPrivilege | 5000 | alg.exe
Token: SeDebugPrivilege | 5000 | alg.exe
Token: SeTakeOwnershipPrivilege | 4792 | elevation_service.exe
Token: SeAuditPrivilege | 532 | fxssvc.exe
Token: SeRestorePrivilege | 1328 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 1328 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 1560 | AgentService.exe
Token: SeBackupPrivilege | 3624 | vssvc.exe
Token: SeRestorePrivilege | 3624 | vssvc.exe
Token: SeAuditPrivilege | 3624 | vssvc.exe
Token: SeBackupPrivilege | 228 | wbengine.exe
Token: SeRestorePrivilege | 228 | wbengine.exe
Token: SeSecurityPrivilege | 228 | wbengine.exe
Token: 33 | 632 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 632 | SearchIndexer.exe
Token: SeDebugPrivilege | 4792 | elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 632 wrote to memory of 1640 | 632 | SearchIndexer.exe | 119
PID 632 wrote to memory of 1640 | 632 | SearchIndexer.exe | 119
PID 632 wrote to memory of 4912 | 632 | SearchIndexer.exe | 120
PID 632 wrote to memory of 4912 | 632 | SearchIndexer.exe | 120
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-02_e38ac770d527087d0c5a1535cf597db4_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-02_e38ac770d527087d0c5a1535cf597db4_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3268

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5000

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4792

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 4064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 4256

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 404

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 1544

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1128

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 532

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 2104

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 1052

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 560

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 2480

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 2008

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 4028

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3016

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 768

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 3480

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 1328

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1560

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 4420

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3624

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 228

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 2108

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 632

    C:\Windows\system32\SearchProtocolHost.exe (child of PID 632)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 1640

    C:\Windows\system32\SearchFilterHost.exe (child of PID 632)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 4912
Network
MITRE ATT&CK Enterprise v15
Downloads