Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 17:49

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe
Size: 2.1MB
MD5: 3cb0788348d846a3078625d3563e82d1
SHA1: 15ac664d3d25433f05097305e7929dc499019b82
SHA256: c5ef08d5fc89462935e0ac93af3b15b7af5085bd89e2cf4b8fc5cb2f7dac9048
SHA512: 8d20b5c2ed9b5ed10909c979c21f0b47ce2e18af31ed02e937cbf7964ef47690c1a804025e433a59f3e1c19c8d24c4da3360451b7776c97c73e2f700b539241a
SSDEEP: 49152:ea/3xXBSZ4K5MJ1LvTMxbfsYBYSgxu9+fw4T5/snji6attJM:AZ4K5MJabfsYNwEnW6at
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
832 | alg.exe
1212 | elevation_service.exe
4616 | elevation_service.exe
1816 | maintenanceservice.exe
4864 | OSE.EXE
3680 | DiagnosticsHub.StandardCollector.Service.exe
2196 | fxssvc.exe
3068 | msdtc.exe
3972 | PerceptionSimulationService.exe
1204 | perfhost.exe
4820 | locator.exe
2080 | SensorDataService.exe
2044 | snmptrap.exe
776 | spectrum.exe
3592 | ssh-agent.exe
5032 | TieringEngineService.exe
4764 | AgentService.exe
64 | vds.exe
3420 | vssvc.exe
2004 | wbengine.exe
1316 | WmiApSrv.exe
1804 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\ca484935e703f493.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
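The two signatures above flag registry reads that sandbox-detection code commonly performs. Weigh them against the fact that the reading processes in this run (SensorDataService.exe, spectrum.exe, TieringEngineService.exe) are the Windows service binaries listed under Executes dropped EXE, and device enumeration at service start-up produces the same reads. The PowerShell below is an added example, not part of the sandbox report or the sample: it performs the same two reads on a host and shows what an evasion check would actually match on, namely the hypervisor and synthetic-device strings visible in this report's own keys (Ven_QEMU, Ven_Msft with Prod_Virtual_DVD-ROM, Ven_DADY) and the ~MHz and ProcessorNameString values under CentralProcessor\0. The marker list is an assumption built from those strings plus common hypervisor names, and it reads CurrentControlSet rather than the ControlSet001 the report shows; the two normally refer to the same control set.

```powershell
# Added example, not part of the sandbox report: perform the two registry reads the report
# flags (SCSI device enumeration and CentralProcessor\0) and show what evasion code keys on.
# Assumes a Windows host with read access to HKLM. The marker list is an assumption built
# from the vendor/product strings visible in this report's own IoCs plus common hypervisors.
$suspectDeviceMarkers = @('QEMU', 'VMware', 'VBOX', 'Virtual', 'Msft', 'DADY')

function Get-ScsiDeviceFingerprint {
    # The report shows ControlSet001; CurrentControlSet is the live alias for the same set.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI'
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($device in Get-ChildItem -LiteralPath $root) {
        # $device.PSChildName is e.g. 'CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM', the key the report lists.
        foreach ($instance in Get-ChildItem -LiteralPath $device.PSPath) {
            # 'Key value queried ...\FriendlyName' in the report is this read.
            $friendly = (Get-ItemProperty -LiteralPath $instance.PSPath -Name FriendlyName -ErrorAction SilentlyContinue).FriendlyName
            $haystack = "$($device.PSChildName) $friendly"
            $markers  = @($suspectDeviceMarkers | Where-Object { $haystack -match $_ })
            [pscustomobject]@{
                DeviceId     = $device.PSChildName
                Instance     = $instance.PSChildName
                FriendlyName = $friendly
                Markers      = ($markers -join ',')
                LooksVirtual = ($markers.Count -gt 0)
            }
        }
    }
}

function Get-CpuFingerprint {
    # 'Key value queried ...\CentralProcessor\0\~MHz' in the report is this read. Evasion code
    # usually compares ~MHz against a floor and looks for hypervisor brands in the name string.
    $cpu = Get-ItemProperty -LiteralPath 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    [pscustomobject]@{
        ProcessorName    = $cpu.ProcessorNameString
        VendorIdentifier = $cpu.VendorIdentifier
        MHz              = $cpu.'~MHz'
    }
}

Get-ScsiDeviceFingerprint | Format-Table DeviceId, FriendlyName, Markers, LooksVirtual -AutoSize
Get-CpuFingerprint | Format-List
```

Run on the analysis VM, the SCSI table comes back with the same QEMU and Msft virtual devices this report lists, which is what makes these keys useful to evasion code; on a sandbox you control, the defensive move is to change the emulated vendor and product strings, not to block the registry reads, since legitimate services issue them too.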
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000474369f827bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074a90ef827bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030630bf927bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077b69df827bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033709af927bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4e066f827bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
1212 elevation_service.exe
1212 elevation_service.exe
1212 elevation_service.exe
1212 elevation_service.exe
1212 elevation_service.exe
1212 elevation_service.exe
1212 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1044 2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe
Token: SeDebugPrivilege 832 alg.exe
Token: SeDebugPrivilege 832 alg.exe
Token: SeDebugPrivilege 832 alg.exe
Token: SeTakeOwnershipPrivilege 1212 elevation_service.exe
Token: SeAuditPrivilege 2196 fxssvc.exe
Token: SeRestorePrivilege 5032 TieringEngineService.exe
Token: SeManageVolumePrivilege 5032 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4764 AgentService.exe
Token: SeBackupPrivilege 3420 vssvc.exe
Token: SeRestorePrivilege 3420 vssvc.exe
Token: SeAuditPrivilege 3420 vssvc.exe
Token: SeBackupPrivilege 2004 wbengine.exe
Token: SeRestorePrivilege 2004 wbengine.exe
Token: SeSecurityPrivilege 2004 wbengine.exe
Token: 33 1804 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1804 SearchIndexer.exe
Token: SeDebugPrivilege 1212 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1804 wrote to memory of 5084 1804 SearchIndexer.exe 115
PID 1804 wrote to memory of 5084 1804 SearchIndexer.exe 115
PID 1804 wrote to memory of 812 1804 SearchIndexer.exe 116
PID 1804 wrote to memory of 812 1804 SearchIndexer.exe 116
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
C:\Windows\System32\alg.exe (level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:832
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4616
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1816
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4864
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3680
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4432
-
C:\Windows\system32\fxssvc.exe (level 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
C:\Windows\System32\msdtc.exe (level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3068
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3972
-
C:\Windows\SysWow64\perfhost.exe (level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1204
-
C:\Windows\system32\locator.exe (level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4820
-
C:\Windows\System32\SensorDataService.exe (level 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2080
-
C:\Windows\System32\snmptrap.exe (level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2044
-
C:\Windows\system32\spectrum.exe (level 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:776
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3592
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1832
-
C:\Windows\system32\TieringEngineService.exe (level 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
C:\Windows\system32\AgentService.exe (level 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4764
-
C:\Windows\System32\vds.exe (level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:64
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3420
-
C:\Windows\system32\wbengine.exe (level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1316
-
C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
  C:\Windows\system32\SearchProtocolHost.exe (level 2)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:5084
  -
  C:\Windows\system32\SearchFilterHost.exe (level 2)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:812
-
Network
MITRE ATT&CK Enterprise v15
Downloads