Analysis
max time kernel: 148s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/01/2024, 09:37
Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-26_f0311421af6b8d38da26e4409629e5ff_ryuk.exe
Resource: win7-20231215-en
General
Target: 2024-01-26_f0311421af6b8d38da26e4409629e5ff_ryuk.exe
Size: 2.2MB
MD5: f0311421af6b8d38da26e4409629e5ff
SHA1: d96c8f09de584b9a063461eb2593e18e15b467b4
SHA256: 06ac37e2eabb45bcc0ed951ab1f3b6609b80178960b90ef6511b9c103c9b52fd
SHA512: d8cf13f7125b81c84d59c959cae64a13e27c551fcf2d4aedc6a4c3dc245c920bc82d1d8f9e8957a1326ae57d20b4c03d931e9d72ddbb83787c048a868b36a123
SSDEEP: 49152:G/opsDuePJfrFHIzsFKV8LN0REDmg27RnWGj:Guaue5rFYSDD527BWG
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
2972 | alg.exe
220 | elevation_service.exe
2028 | elevation_service.exe
768 | maintenanceservice.exe
4408 | OSE.EXE
1260 | DiagnosticsHub.StandardCollector.Service.exe
952 | fxssvc.exe
2120 | msdtc.exe
4568 | PerceptionSimulationService.exe
2800 | perfhost.exe
2340 | locator.exe
4816 | SensorDataService.exe
1828 | snmptrap.exe
748 | spectrum.exe
4200 | ssh-agent.exe
5092 | TieringEngineService.exe
5016 | AgentService.exe
1584 | vds.exe
972 | vssvc.exe
4004 | wbengine.exe
4900 | WmiApSrv.exe
1656 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 2024-01-26_f0311421af6b8d38da26e4409629e5ff_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\eeebb6fa4d74bb6b.bin | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
220 elevation_service.exe
220 elevation_service.exe
220 elevation_service.exe
220 elevation_service.exe
220 elevation_service.exe
220 elevation_service.exe
220 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4032 2024-01-26_f0311421af6b8d38da26e4409629e5ff_ryuk.exe
Token: SeDebugPrivilege 2972 alg.exe
Token: SeDebugPrivilege 2972 alg.exe
Token: SeDebugPrivilege 2972 alg.exe
Token: SeTakeOwnershipPrivilege 220 elevation_service.exe
Token: SeAuditPrivilege 952 fxssvc.exe
Token: SeRestorePrivilege 5092 TieringEngineService.exe
Token: SeManageVolumePrivilege 5092 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5016 AgentService.exe
Token: SeBackupPrivilege 972 vssvc.exe
Token: SeRestorePrivilege 972 vssvc.exe
Token: SeAuditPrivilege 972 vssvc.exe
Token: SeBackupPrivilege 4004 wbengine.exe
Token: SeRestorePrivilege 4004 wbengine.exe
Token: SeSecurityPrivilege 4004 wbengine.exe
Token: 33 1656 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1656 SearchIndexer.exe
Token: SeDebugPrivilege 220 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1656 wrote to memory of 2648 1656 SearchIndexer.exe 114
PID 1656 wrote to memory of 2648 1656 SearchIndexer.exe 114
PID 1656 wrote to memory of 3384 1656 SearchIndexer.exe 115
PID 1656 wrote to memory of 3384 1656 SearchIndexer.exe 115
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Note that in this capture vssvc.exe (PID 972) is itself flagged as a dropped EXE and enables SeBackupPrivilege/SeRestorePrivilege, which is normal for that service, and no vssadmin.exe or wmic.exe shadowcopy command appears in the process tree; treat this signal as a replaced service binary starting rather than as confirmed shadow-copy deletion.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-26_f0311421af6b8d38da26e4409629e5ff_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-26_f0311421af6b8d38da26e4409629e5ff_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 4032
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 220
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID: 2972
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 2028
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 768
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 4408
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 1260
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 952
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 2276
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 2120
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 4568
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 5092
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5016
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 1584
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 972
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 4900
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1656
  -
  C:\Windows\system32\SearchProtocolHost.exe (child of PID 1656)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 2648
  -
  C:\Windows\system32\SearchFilterHost.exe (child of PID 1656)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  - Modifies data under HKEY_USERS
  PID: 3384
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4004
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 2836
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 4200
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 748
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 1828
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4816
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 2340
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2800
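The process tree above lists Windows service binaries (alg.exe, SearchIndexer.exe, vssvc.exe, wbengine.exe and others) that the report both shows being opened for modification, by the sample or by elevation_service.exe, and later starting as dropped EXEs; the WriteProcessMemory rows are only SearchIndexer.exe starting its own SearchProtocolHost.exe and SearchFilterHost.exe children, and what makes them worth a look is that the indexer binary itself is in the dropped set. The following added Python example (not tria.ge code; the dataclasses, the PROTECTED_PREFIXES list and every function name are assumptions) joins a subset of rows copied from the report's "Drops file in System32 directory", process and AdjustPrivilegeToken tables to produce three findings: binaries replaced on disk and then executed, binaries replaced but never seen running in the capture, and high-value privileges enabled by the sample or by a replaced binary.

```python
"""Correlate sandbox signature rows into findings a triager can act on.
Added example for this report, not tria.ge code: the dataclasses, the
PROTECTED_PREFIXES list and every function name are assumptions; the sample
rows are a subset copied from the report's tables."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    writer: str    # process that opened the file for modification
    path: str      # file that was opened

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str     # full image path of the started process
    dropped: bool  # report flagged the start as "Executes dropped EXE"

@dataclass(frozen=True)
class TokenEvent:
    privilege: str
    pid: int
    process: str

# Executables under these prefixes are normally written only by Windows
# servicing (TrustedInstaller); a user-mode writer is itself the signal.
PROTECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                      "c:\\program files\\", "c:\\program files (x86)\\")
HIGH_VALUE = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege",
              "SeBackupPrivilege", "SeRestorePrivilege"}

SAMPLE = "2024-01-26_f0311421af6b8d38da26e4409629e5ff_ryuk.exe"
FILE_EVENTS = [  # rows from "Drops file in System32 directory"
    FileEvent(SAMPLE, r"C:\Windows\System32\alg.exe"),
    FileEvent("elevation_service.exe", r"C:\Windows\system32\SearchIndexer.exe"),
    FileEvent("elevation_service.exe", r"C:\Windows\system32\vssvc.exe"),
    FileEvent("elevation_service.exe", r"C:\Windows\system32\wbengine.exe"),
    FileEvent("elevation_service.exe", r"C:\Windows\system32\AppVClient.exe"),
    FileEvent("msdtc.exe", r"C:\Windows\system32\MSDtc\MSDTC.LOG"),
]
PROC_EVENTS = [  # rows from the process tree
    ProcEvent(4032, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, False),
    ProcEvent(220, r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe", True),
    ProcEvent(2972, r"C:\Windows\System32\alg.exe", True),
    ProcEvent(1656, r"C:\Windows\system32\SearchIndexer.exe", True),
    ProcEvent(972, r"C:\Windows\system32\vssvc.exe", True),
    ProcEvent(4004, r"C:\Windows\system32\wbengine.exe", True),
    ProcEvent(2276, r"C:\Windows\System32\svchost.exe", False),
]
TOKEN_EVENTS = [  # rows from "Suspicious use of AdjustPrivilegeToken"
    TokenEvent("SeTakeOwnershipPrivilege", 4032, SAMPLE),
    TokenEvent("SeDebugPrivilege", 2972, "alg.exe"),
    TokenEvent("SeTakeOwnershipPrivilege", 220, "elevation_service.exe"),
    TokenEvent("SeBackupPrivilege", 972, "vssvc.exe"),
    TokenEvent("SeRestorePrivilege", 972, "vssvc.exe"),
    TokenEvent("SeAuditPrivilege", 952, "fxssvc.exe"),
]

def _norm(path: str) -> str:
    return path.lower()

def overwritten_executables(file_events):
    """{normalised path: [writers]} for .exe files under PROTECTED_PREFIXES
    that some process opened for modification; MSDTC.LOG is skipped."""
    hits = defaultdict(list)
    for ev in file_events:
        p = _norm(ev.path)
        if p.endswith(".exe") and p.startswith(PROTECTED_PREFIXES):
            hits[p].append(ev.writer)
    return dict(hits)

def replaced_and_executed(file_events, proc_events):
    """Join overwritten executables against dropped-EXE process starts: a
    binary in both sets was replaced on disk and then run (service-binary
    replacement, the pattern this report's process tree shows)."""
    overwritten = overwritten_executables(file_events)
    return sorted((p.pid, p.image, overwritten[_norm(p.image)])
                  for p in proc_events
                  if p.dropped and _norm(p.image) in overwritten)

def replaced_but_not_seen_running(file_events, proc_events):
    """Overwritten executables with no dropped-EXE start in the capture:
    persistence that did not fire inside the analysis window."""
    started = {_norm(p.image) for p in proc_events if p.dropped}
    return sorted(set(overwritten_executables(file_events)) - started)

def privilege_anomalies(token_events, proc_events):
    """High-value privileges enabled by the sample or by a pid running a
    dropped EXE. SeBackup/SeRestore are normal for vssvc.exe and are only
    reported because vssvc.exe itself is a dropped EXE here."""
    suspect = {p.pid for p in proc_events
               if p.dropped or "\\appdata\\local\\temp\\" in _norm(p.image)}
    return sorted({(t.pid, t.process, t.privilege) for t in token_events
                   if t.privilege in HIGH_VALUE and t.pid in suspect})
```

On the rows above, replaced_and_executed(FILE_EVENTS, PROC_EVENTS) returns vssvc.exe, SearchIndexer.exe, alg.exe and wbengine.exe with their writers, replaced_but_not_seen_running(FILE_EVENTS, PROC_EVENTS) returns only AppVClient.exe, and privilege_anomalies(TOKEN_EVENTS, PROC_EVENTS) returns five rows while leaving fxssvc.exe's SeAuditPrivilege out. The join is on the normalised image path, so the mixed System32/system32 casing in the report does not split a binary across two entries, and the file-modification side deliberately ignores non-executables such as MSDTC.LOG so that a service writing its own log is not reported as a replacement.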
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 166KB
MD5: 3ca3f62f1b110923c9f114cc31c5ddd0
SHA1: de2b5db5a4f9199225cab9c2a4ccd0601e896e98
SHA256: a5eb99be5835826461f673ff1294ea15278123ef54023230e150da27f2487e8a
SHA512: 35bcd6d52e0a72ed288ac8b53b6bc7f04586d087b12afd7342d208d913f38144d43185c5123f49db3e5eb0c992239c391f18088b7e0bf74c246e354016e6bdb9
-
Filesize: 62KB
MD5: b3c73189d4fe393df8019ed39b806a0b
SHA1: 94ade5a7a9020c3ca8ecac8aea598200965642a7
SHA256: 59bece720d8e8c1c0ae358ba21ae5839588167ab87ffdb67dfa614291022a4cd
SHA512: 51f2116365f5c90655d9c27bc30e439b72e008fa11d7ed078c1ca266da147c9b9bc04edb612dd8b5cecba804a4d397b30607fd3bc18d91c4ca12f4b87529ecc3
-
Filesize: 66KB
MD5: 3200606c7b92e26398d8909a39f42ff4
SHA1: f0aab79f66050e6f2ad51041ebdc9ccbb192a1c5
SHA256: f9b35687fa4e96763d853c8cf9fca1ab8d9f3060cc0436383aceb7ab8be18b78
SHA512: ce8b4f655e3051ca981df0d31d972afac211996dbea6902532cc9357e70e7d59b55b00c7021d0ebb20009a8e096c249d23123b091ecee8ce734213ab8588699b
-
Filesize: 131KB
MD5: 92efbb40782a71e11a1f4e570f58ff18
SHA1: dc4a37723bcfd8112c286d739e0fb904e21cfea8
SHA256: 2ae7544bcdc646e0ebf7950768f276662863857481444929e4d9020a9d8f38ea
SHA512: 206b7216fd8763f218fa21c913d20c6a5df4e0f0192707e57ee1deae2c6065b50f48e70e33be81337a42c3d9dbb8bd2062f34b2d27ffd99158f406be2cee036d
-
Filesize: 91KB
MD5: 9df38b96cce3d740cc64d60bddee779d
SHA1: 25bbdc0673a5766a83d6df2ebc7e6e60a267655a
SHA256: 0441922ad73866207aada46f298faba4a16cba9ed98678b31dbd6f9bcd951a86
SHA512: 4c1b3ad13b9d165a3e9348231b16e787d8fbafff76e8b6fec8792a354f0309145d959969b27df2897a85fff462ca35a242d5cf6c99f735a4f85385cc1005a1a0
-
Filesize: 71KB
MD5: f58df6fbecb58ff27057f63e70cc244f
SHA1: bde1d313477b81fb57b37ec7496958ecd0456a1d
SHA256: 8909220bb61a7ce4fb2e8057a5f28f3491d1b42951a25dc4a4059d4aaa364c6d
SHA512: 8aa597246286e7474f2d89c3b2211ba669dd4eecedf8a1075dc788a264ce315bf708f3035e1730febd793282e6198108c2782d8234ff78eb26e9bb4ddf73eb91
-
Filesize: 128KB
MD5: 9aa6cbe6a44b23a21307e3381cac4f3a
SHA1: b1c680b08103ffefeca64b5021c74826ef3ddbc6
SHA256: b974444670b8c60cf87b984efc332676364370fab18de775d7c414342cf7e16a
SHA512: 5e1d64fcf1562acb0d25702485b528d53ba66d93566a2aa842cc792b165579a85c3e33fc9e2065eae1ec41725f7d8d74693d05d60488c4b5f98b729c3a5be7d0
-
Filesize: 152KB
MD5: af32f398be74015c838d700616fa2285
SHA1: 56f90bf8c93e673f268ff7efaa1d463ccca86092
SHA256: 2f9c74d010e22b617f78814b5009981f382c88b6815db057e6ba7dbe4e333060
SHA512: c0a8158b02c54f85771a91b647cf6138245dfba08454607f3a8afa2b0cc0c8ebbd31fff424fd97ea5a897faa5328afe2122b301855237cce241cb5f8a9dd14a7
-
Filesize: 92KB
MD5: a9b522371e3003cfd95be1fed23454d6
SHA1: dd95e22b0d28c7d16ff36cbb1f614eaa6922bbc0
SHA256: 1adae959978dc9b67519e1b364d749af2d8836bff3ed3d77f9a1d8591daf0564
SHA512: 136ed6355f08d00ab77ba06dd72df281c1c8357d88193128984636d468b93e74718010f8dc177de83c1a1ef10eafdd86a97910eb0e04f63492bb1092ee204e8a
-
Filesize: 130KB
MD5: bcd7f403a71e2faf3fd21e4150cfa07c
SHA1: 790ba2f230f33113d913fe378aea335d46155b8c
SHA256: 84b3184f2499b930b1aa1c11bc3c1f69075d7bf791fe8fc5c32528c8bc71f514
SHA512: adb1a90c615bbc2bf8204993d6d5f0767698962171eb98ab485502053604191063b385127e98fde21191be750af22aaf3f850dd3e759529122b4d92c06d938a5
-
Filesize: 59KB
MD5: ea0bceed55b58932ff013c7d2c8e165d
SHA1: 42569519df20dc679704e693de8a53905ab1dca4
SHA256: 10cf05ec435453282816a069f650d9d6429cb85d542cdc61ae1827d568798715
SHA512: f27fe383c235f517883fa2635d2683926cb86f0e87c0b3b6b1980b952404a8643b82de882e5bd2f29acb5f6710e37e94b3ee38766c693d2b2d7cb5c08122383b
-
Filesize: 114KB
MD5: 5f3134826bd5d1727ebaff9a37c929a9
SHA1: ff1f09c974682e4fa1905f9e4ebf4c4e3c709226
SHA256: dca9a173aed45d79da5d2f5db35863cbb2e999b59ae26fe8b8a590e539613013
SHA512: 91aa344a17e622babcc2149c5f2a28490a0a9f14e022759f57fd6e5f87f18de5e2e0270c36d7259e0b04892b2d6e64db146b5699e60c366516d9ab7a4f51c3bb
-
Filesize: 128KB
MD5: 86d2f31db64d735eb855c558e436ba9a
SHA1: a1444b4cda953d8ad74fd51ad636cb3e7459c4f2
SHA256: 0552f6b33ffa866004cff29f9e4814c4db1cfba16014bfd5317426e5a92d13a8
SHA512: f3a58d4cfebb8df9b999ce579f9a449c8844efe71778ef993765471a884b41e1c99a491ed2937fd63a4c3c5a53e9ba2ee6a83b14e8100a678080bd4e023b69b2
-
Filesize: 786KB
MD5: 05ce7f7ec59dc138c011e25d42240805
SHA1: 625c95a7cd3f95f508114f250f30ca2a155a134b
SHA256: ea29a4aa48d08439f7f18346d8d46eae0e682cb04ffbfb20d721231fc64590ca
SHA512: d2c3b68a1926e26f7a2a82d136f95fb1627da77f48b30e1a23ad097e94303b8b3e8e8c5a357bcc21288e5d9334189718dc2391d7629e6eab1ea85ffb3a48f337
-
Filesize: 15KB
MD5: 200dcae1871653ea9dad46348a6f9293
SHA1: 3d7dfe9f2a74f54b3b4c5a6938ee15fe710f632c
SHA256: 82571c8430add09d6e90ea7bdfa38d3d3a714285ba78010a4ec6e0dc59920aa6
SHA512: 19b6310fe23ea1091ecedeca6182dff84a9143355bcf4fc05763eb056cb1cb8f5c3902f3678f4e4f3ab7543561558c035d8cc5a51a6c0968eb033f35d5fd694e
-
Filesize: 175KB
MD5: 43502eb051ea741cd64cdbbaaaa1b9bb
SHA1: 88aa7d56c4c355cdd210257ac5cd0b1cd8d80e07
SHA256: 32ed9fd5a8aca1de6496a93e4b339847e9beea5f592a4204059e920e31d27863
SHA512: 305bd26239df4a621b1743abeffb5f871174d73e693684103c962f1f4f60821c60af8c05bbb99dc41fb26d97e2c890d115a1c6f9d55d5f52b07c2de1fc2e6263
-
Filesize: 117KB
MD5: f0f8780087dcad471e509355f3b54388
SHA1: 17a1e1dfc5ebc60da677f9a0a3f65ce38a5d0aef
SHA256: a1bbde52c19291fff8f85e806c8dd7284bda52e2734fcfb40c78b986d1d020af
SHA512: 8a61ea642914a1fc315189c6a0487c6b46fe3dccd569ab0b67f597fd40f322199cff15249efc541e195814b1e58f5b3754ac23710e807d286d6117d17aabb361
-
Filesize: 105KB
MD5: 81de414dff29ef22f4cf72e28d216b9c
SHA1: e4107a8e72fcc95da35a06def61ab878ed4f6fc5
SHA256: 4cec0a7df2463e8f10fd9fb4e9ad6f5764788a59783a28425c54c4c85aced3dd
SHA512: be3b4be75253dff71c573027e39175af3c5b9041802e3f265c5d3d0b7dcc9f4c1d391a573c65b77a4950f6d976315c0b4f92631d39ee43c1caef377c39f047c9
-
Filesize: 272KB
MD5: f54c54ff2e134d35f2a23bf5f2b38e40
SHA1: ad2795da2f4a248894f58cb1324dbb8a15933893
SHA256: 4fe86d7749b74bef050631e4a203bb5a67f7e2edb5ea14134833a3a6366249bf
SHA512: a743677070150ec2009117ddd3bb3549a0390db10c44df7851870e046ac0a363fc0470fd821ecde2f514d8b963899cebe592e311c32f496cb2568a44ee96b673
-
Filesize: 140KB
MD5: 96cc005097ceecf0e87798bf93dce8bb
SHA1: a2be4d25e2a249ace2fe974c38ec7286f7013a7e
SHA256: 7368bb4ca4b7f55b7f32266a3788bb865fe187eb28ecbd8c5c13cf41e1726ac8
SHA512: 0f144c4c55ca85fcde36b3130b3f5c1be19c840d5b773533557fe0553656fd11d1bb271292274a4ecdf884c1723a6190e91dc73623299ee31019526631d96e2c
-
Filesize: 61KB
MD5: 0a1737e723e41aa21eccb6d558587449
SHA1: bc88dd3af2be97bb0406fd031118656bec63a53f
SHA256: 799aa2397b57ce15a870c844cfb457f20c75df7e414f5b0ffadd73bd344493b8
SHA512: 08beb0055116cb77c245abdcc818a6398c7c2f18f7ee20174bd8ff214ce3d6fe9ae761b39e38447814fc7b4128de335b26376ed363ba3fa88fe405de80a1efde
-
Filesize: 160KB
MD5: d2051dfcdd0298bf902fc0ff34cbe787
SHA1: aa2958603651e628ae98e6732a13fbc6dc5685e4
SHA256: a7ede281d2a49f2cfb8caf6966dea25febc657799b047c0ce82e829bc19b6cc8
SHA512: ff84e0aa8af163481b5a5b0f9e1e8a20771d00e815cb1acbb7c078403b163b7cff1b19a81ab26a19afc2591114643e1c185bd1a2375f924965b6beeee6498884
-
Filesize: 122KB
MD5: f0a1c662b17d41fe4625a163b94bc5e0
SHA1: 9ccf1869bf5bf5f93c8d216c5af20ecf3381d6c9
SHA256: a518bf32168dc38db0746b0ef7036daba82bda78eb5ec83af36c29c46dbf449e
SHA512: 7d7c017b40db36316b6f05ea4d8340358922029fc0e9431bd1007e47682cc41b380ca603225a134b526163037a06d7f8c46d12f1bdca732cbcdd1aca9518d648
-
Filesize: 153KB
MD5: 94b547e3da1ca3ca344cbe8763f66329
SHA1: 74d8dca1920594319f032093b16a3288cb200877
SHA256: 45d543de26c6c9c57a9a437f0d12c5c0392e303e963c7424d0c293c0290e718e
SHA512: b20f1d44c10b42e93897ff49dd612141b4973a6d81823df7c07cbfd9b8554b73e8e18a708133df1419dbe242d8ccf84e53779bf014fc71ae34ce11edd308ab5f
-
Filesize: 135KB
MD5: bdb2f7234277eff4f33218505b602660
SHA1: 22c0fa3af42d811d2a3aa9877f0aed9ebc788270
SHA256: 4c2d5237d776e9dd602b66a3cb4b193a0af443625032f454d7fb6aa164eaf814
SHA512: 5bfeffc8333fe6d7dcff441a557f39189e4402b6e7c2796171fac5c46dbb4a89c378d4d6e7cb7f33055c4382a3f2641432d65b263099224274d6eba99f994ede
-
Filesize: 60KB
MD5: c999fdb9e85a04c9548e3179ed78d221
SHA1: f2561aa9c2c808bbd829fe20c238cce8120e0635
SHA256: 28458cb0660d1d5bbc06ce1b10530097d0f240aec9481cd107b184394a4ad460
SHA512: 7374f5cc3139c870adfe7578d2ff5448ff2bb6102fad897d29c8ddfb4e22f749f88d71612a67b4d7c5746994712f281dd95b65b00f1334a3cfc774d560b8a20e
-
Filesize: 164KB
MD5: a2fb9c936cf67553d641c2ac73c0c40e
SHA1: a90ff94897eda6b0da0c14dbe4b541ca2d8b28e2
SHA256: 27c9836c71a0760fdbd48c9a8bd406ee00f708254f652e8c3c3cb34aae8cc193
SHA512: 6612da4f2bdc2a7a7df0248507e9f67cd84f4b253cccf8c173421c6b6fa59c6d0c066b133892277c9654ceb309a759f15eac97ca748b9b8c24c4993a948960d2
-
Filesize: 80KB
MD5: 2bcabcce8a6723010230d1be1d485083
SHA1: 027cb07c62bcc832eae7972428c23a0463cc6a62
SHA256: 02082d4499a04058a13d177f7cb355823839c06655fa4fcf1925d0c9c7309145
SHA512: 32560df3c2fff73e7735809d47cf28b8ceb79759a4de286a27de3c15e07abe9e78fe910d070dfda320bf792f23021f19580002b8605272ab65d079ef9255c294
-
Filesize: 82KB
MD5: 0da386cfeb66c188e86937518324ffb4
SHA1: ab4484bb952fe4b65da6d96c762ce8ca241c8af5
SHA256: a6d4181f757865633dfe5119572ed51d464af2d42318ca3613cc8417494d6a6e
SHA512: b23f52d4903d9f5ddb1074d60b757a021c400a81084c617e44aa6a611775f74148100e38f642c5eae973c70e76005b6c3a7b41c298674507e577d3f2e3040545
-
Filesize: 124KB
MD5: f165b2ff7d1f0b0ac8cc1c42c1909b58
SHA1: bf40ccf1f5076db83a8d3bccbfe2e1855ff0a5b0
SHA256: d12ff75c8356d78b6a2e69d9c6f8055d9fe647fe6c06f75468318f24fc9aa1ef
SHA512: dddce34125339e802f362790373b809a9174d1e8559db97c6cf2f50a3ffa85fdf63553c2a91155dbae65be41720396f4882e68ec79064916c6d12ed9fd920c3c
-
Filesize: 74KB
MD5: 5dd52b1fe276e3a067f2784b98669b73
SHA1: 1a2c98cbfcd2f07c1e03ae8f714dbd726820bcce
SHA256: 0650c0aa920ec1ec648c2b9595c327fb1f6c302ab5b1746953a92c433992ecc6
SHA512: d4ce7f8613f05c35d57dfd54453c0b02e992844216c012df359518c88bc7e4782125c9ed665441bca324dedacf371e569bf43b5ef6433afb70d1e919f3c64cc6
-
Filesize: 87KB
MD5: eb479b04900bfbad2c44edd9b94c9656
SHA1: 003c3f89ade68b395db98351cd5e5ab00618d900
SHA256: 1544fcd4bb6014a130a018bcdb5528ee3c6de3209b1161e3ca2fc129ed0b7a7c
SHA512: fc7b812a6c578b2783439e24ffaa4e30d9925918a4af7518940630027716692d111505013f3a7f07124ff29e42b8777c6df6fa260e89f82d64f08c09f8ca8f2e
-
Filesize: 112KB
MD5: b85c327538b0fec15f3a13c1f83c0b82
SHA1: 7cc8b535d3aa99502d40923afc2366b546006e02
SHA256: 273a221a0873c7e2ee0570dc95e9483025931960b0277f5009617ee57a20bab3
SHA512: d62441a6ca2bc9595e62e76f16344a460b0dc22c58a80123eb09ed914c5481baf08e7e094f8200d4d12ee0ec819e79fdb05e97ecb69a165d9683f3a7fed6d726
-
Filesize: 132KB
MD5: dd0a82f889a263cf7a3f43bda6521c93
SHA1: 28c36ad2b60c23dee625a0b38ee59b127baa59a8
SHA256: 8d67888886ffc360bac143e6aad90da138298471cccc0b7244639f3f26a5f451
SHA512: d18d0fec5d5456926fb781ae8c4414b6a34bcbcfcfb13215ece65fec2e37d4964ac7a1851443876acd230b994f3ba3d8d82edf85897f0ddb4f150dd8279d6538
-
Filesize: 83KB
MD5: 735663ca49409190743c561ddd6ec483
SHA1: f3410ddd10b8eaaaf53b75c956127e5f7fed3f53
SHA256: 3ae3c3452d8a90d9dc112630a8d254a7aadf227c541a0bdd1d563cec102abb94
SHA512: 275062f218824ea608e0ccdb42353d386e0481c9a609d7bf39f30fcead7bf69c1158c88c48768a47813a6d2fc31ff09476252f6d56fe060f2e490032fffb1462
-
Filesize: 100KB
MD5: 85f78e15ebfafd25db5e1f0f687b85d3
SHA1: e8fe241c8065fd8650214bd4b5f22583144d461d
SHA256: 123fcc53aaf221d017548fcfb8e508a6893aeaa0bb3c41f951be57ecdb1ceeff
SHA512: 5e69a95f87a12cd39582b27e058f64a86809f2b589c5d984b1eaa3d3cc4bb0a84e13e2c462059d02123b187140808395626f92e4bea563ae70e25650c4f66c39
-
Filesize: 40KB
MD5: 3bef0e4f76d33710bec0ce27bc2833e7
SHA1: fed9d826d9e918b1df7f88700e86547129cf8cec
SHA256: f38a218ed6cae8e732c9246ebaec4f304b5b66cbadde5fc76e6cc6a920feda08
SHA512: d191e3b300fdbf9ca4350cd4ab24164807774794872c878a3f433e79c9edfa4a5f0a192f9609f7659bed1c703b60abebe3878dbe2f75518c520ba7d7a93da8d2
-
Filesize: 22KB
MD5: 4f76898458df1ba7034e9389e586bc10
SHA1: 7120465201ab90b0356780efba4440bddd88679b
SHA256: 93cfd4071c20a998bc5defb0747a6f48673e7408459414fa305236516a45889b
SHA512: f4c1fd93f45a8d639691b9d7841e704ab07f9525bc29c82b0caf788b4d3488f4c96f46cfffd62394d353c17d9e234d62b427fb8f5a4cdd622de2ccb5537ffbb6
-
Filesize: 11KB
MD5: c353fa6c2f32a506abb76e851c7d5873
SHA1: 260c3e3cd57b91613db75d35c41048890507da63
SHA256: 26e7780e9dfe5d397a99286d5c38036f7e812c501cc17d36ac808d4d239f6bdf
SHA512: adc1a919f6c90eb67131fb4562bc58cbb014102a41e87796e323137e499f89a3ecda5835eabcca58b817a565f2e344237e4a0fa6379c3e87da93f9fdd34e4dd3
-
Filesize: 53KB
MD5: 395136be3415d8418fdea46f1eda33c4
SHA1: e0fcbe1f1aeafa2a01215d740ade55df44dda6e1
SHA256: b6fd3ec3ec935afa7af62726628a11d11a382e61725fcf31ac8f968a3aac644d
SHA512: 05a45a72061d47130ccf622404aaebd7e13b23d7fc36223e8f91aee16176cb8a89b7f92533534e76e8953ea4ba71859a1cdbbe81478c4679237702b5b3c0a954
-
Filesize: 34KB
MD5: 19f3fa8044d84b4eebc052e9fb7a7c71
SHA1: 9264aa0cb243346cb2a9bf00cdd203b6b6f9ef92
SHA256: de4280c91fe969eb114fd1cb36bda3864426d240edf6ce16b444100649b01d6c
SHA512: 5c56c7d93a90f27dd64eeac74471e78dc086f82f8fa2e22b0056adf4736d706eee32259eccb359db6b13cc4a520a00c398b84e0298a985138fd7344834dadd99
-
Filesize: 72KB
MD5: 245ad33e720ac5336ceb9775a980b90e
SHA1: 2cb53f76cf37072d0919529e327bc9fac17976b1
SHA256: d13ea0c90ba46b7b3e835c8cbb5186c9aac68085bfb000b8f6d6999ac06979c7
SHA512: 082d72a91b92c266bb7801375350a4f63736d1c1637442bc615e3ff4a235b7ac77e920df23e9251eb07e695671f8027c540a4ef3f2795dbdab18eacf169c67ef
-
Filesize: 74KB
MD5: 9288b72c57ff093a2e17a6ec9df82956
SHA1: a582f1643c1f19d6dde8fddf6b29f2fc3b9d199e
SHA256: 1781e6b8d2cfccc889230fede4b31ef1ef4b0c2162d4b7c2390d3b8bbc3c3268
SHA512: 3dcd8c89fe2730e34bb47d3729666c80957e0ca200a4273ac84e54b90259abdd30420b220331bc5d5d32a5db5975f36614443e75d20ed99f5e154482f71ef6b5
-
Filesize: 96KB
MD5: ab5485525e5b974200e6afb16309e4f5
SHA1: 82b8dea3b3d906a13ea0f40365baee3216341242
SHA256: 284c34c45bed7c2e1643f080797652d3ada19c27b762adc647d801fe9749bdad
SHA512: 26e2ed248a5cda226c87c825b4b158c43166433c9e9af4fdec3f75678947c161078e5d11dc08f4c340ca258e6665eff7211840d99bb11ecf9a7fd09e117ca918
-
Filesize: 42KB
MD5: 08dba5a35b1e2ed880058d09f85368e3
SHA1: 9db3b6b0246d017ba77cab50e5d3d9b6d49d94af
SHA256: ac3150f1e1c6d0d3646670b282f332c6bc2df1f594fa5921d4117b0f558bbb94
SHA512: 9775296f3012f5f634c6589c00f8a50f9599e1393b183db25724a12180cf47d7ee5f37590ae4ac0e35be91f6815da69f6b89be6cd564146d85f48f176e36e913
-
Filesize: 125KB
MD5: 8c037c39372f11f4264f63c6b1cf3cd5
SHA1: fd42a5ab18625660d068bf24cb30c2ce2c67d938
SHA256: 90340a3c8a71e4fa58e78f01870d036adfcb81cf74ede444f9cbede18b550461
SHA512: 31f90a06169f8564d162e3bdb3039e7b9c735e91212ab9c40b9813af809f440d0048055ee4dba852477935ffd6e7df1b26e4150d2b14c599f1c4653355c9a509
-
Filesize: 1.1MB
MD5: 78ea3f4c046b6006640529e593ef9857
SHA1: d6db02eccdfcae311f13af934f2db15d9f14c437
SHA256: c34ff4eef8ca856254dc762b30c5eed608e6547a1e94b39787d61335e5388627
SHA512: 3a68ad0204ea827eaf97c5b360595f021e4585ff3147bed075478511406a26c8f8bd5c8105bb25d68c7f43efa5de1fac9f6bb5284fe73c79d7b3ef2d7db1716c
-
Filesize: 147KB
MD5: 9babca40381115a6b7979471a84fe52a
SHA1: f9af80d000f26742393f954f5e8c5da7417b0001
SHA256: 3f15f15581cd65f043e086cdba89d91b202539c884382248ddbaf1ff39576af9
SHA512: e667863cf8a11623192ecaeded6fe98852780202bf5adbc46de21a9c42a0aa49632184a279f24a6147e435ab133d6014289a8de925b88d65d624305bd6629427
-
Filesize: 76KB
MD5: e62f85179e9eb141a6ea4b9258cff6e7
SHA1: 8d75c3c0ef65b044a24abd098181744c6ae10a48
SHA256: 928cda2f63e7946286f6eb4c4db9bdf710670289d59e886e35be7f79074b6acd
SHA512: b448009844ae8cb283335e86068180a80e52f4bfcfa2c432aa701efc00b1c13b4d387b67761ddd8762457c188e30f787f853b1f0271cdd252a1f0bd1e88fea37
-
Filesize: 122KB
MD5: 4686819c3e345210e71d39369d6ff7ce
SHA1: 37ee3e60df4d9541e0162be931b184b934ee5898
SHA256: dc761a231e6c604b70c910c40bd48cbbe4b67ec5a1476798b661dbdba70b1a22
SHA512: 725590442ab7839d9cd32760b7e217784898d5ffb67182a59e338f4352a829fc10f840370a3f1cfa9360e9aafc8de4176bf718942e37ed2454e0bd9fd10d9cdf
-
Filesize: 139KB
MD5: 71e47bda0399afb323c340ba3d378e6f
SHA1: 00a9b6891be39155c74830e0f17c5221759df557
SHA256: d987e8e23ef3d6662cb111668b6db80ae5459cc4784c430c08986c91262c15c0
SHA512: 7e849cea71c83f0d6abd0ad5c28d296ff44f478ffb80611c8ad5e12057e90c4e74d3a44ddce9541f63045afc1f0503a4d6b73d6757ceca0f74db399f893edd03
-
Filesize: 8KB
MD5: 8cebb229cb1be5c6190ee47c953f1084
SHA1: 4baebdf9d806185b73db79d1ac23edab32d29f0d
SHA256: 2b03795e39ccfc496fa0ca3516186a8dd8f30764e8604216c5e73b4e749cfd26
SHA512: 6b70c0f07726859a97754e2d400337c31ac098d010a87452324cbac12fc5ee155ac18116741840769cfa58824d34019cf3560633d0f4497b60ae3cc0d820137d
-
Filesize: 34KB
MD5: 463fd7a065f9c559718d06e9347b9077
SHA1: 2b458d35ffafdd03909b03601fee804b12519fea
SHA256: 4f709d894af60990088dc2a4bc97f9827917a0c4b5128802f73e79e1d7439fc8
SHA512: b7e75f698dd49829a6ba5f55bb1a5c4812763bd4e6327d9f8d824294cc34ce806535f986c784b8317ac591be5e76fee13b913aa0d2394ea67693dad038b237ad
-
Filesize: 111KB
MD5: 94b68b6797fb0bf7c0c3875645cfc950
SHA1: b5ad738dcf437a51361612ba8c18c47582f3341e
SHA256: 3a66da4b599d43c6003bd9b479590283a20a305a0e1d1cbf3f55927c90d1f276
SHA512: 0ceaf6d23eb4a060bf65e658c07e8c96b739ef348dbca8bfe2b27afbf2782eec50d23dbdee0ff51703dac0e5ee78b21a473673069d9375d45eddbc04cc2c399f
-
Filesize: 57KB
MD5: b23fef01ac3921267876c69cd804a5ed
SHA1: af0a4bea99fc40f15b6087611355bb4108592a72
SHA256: 76ac5a3382a323da90167a3d99e733417ae8efb877ab011d8c870276c776daf2
SHA512: 2ce8afc8ca2623f29375432e6958841d2b5f256609da0ee60b049e6390c16885bcabffb18a96a25ddb82c9a2c9a1e6da3f0bc524069ece6db7f657106bbf0652
-
Filesize: 25KB
MD5: d75e116e5abc35d75c9838f29911835b
SHA1: ccb11b82234d1b33439bbaf882c4324a1c6a39d8
SHA256: 4c244f3970788b229d1ea82d3b70a2d04490c1718174f18b24efc54c07698d65
SHA512: d76328f96611f2e8c4e6ed7f0e53ea3da14a45cc7088f784f58b8e9c899c7b8d0e63457de72858d3c9b8d44220490ac5cc62b17b7f41fa2512bc9a718e955291
-
Filesize: 92KB
MD5: 08318ea2cdcd201b17043609efe000c0
SHA1: 90cae801a1fdd7b613d67dbbec11c72979a3b660
SHA256: fd4de0aaf4c284653101a313d00876257b82340263f467cb4bb405be68dca117
SHA512: 465acd6e6dd250c23ac874cffa493fc2482a542d22f92d65f653655a668a4ff148d7ce357c3d584bca2eba4e75048dcabc68dece4f16cb9478ed1195c8aaf65f
-
Filesize: 401KB
MD5: f1bf58ad3e9fe1d1c2db914df5d522f6
SHA1: 1d055379abbcfc2f8f4dea5df6d48fba82f43a38
SHA256: 41d0ade0c5e2437e57f306184969d3411f24c3fa084efdabbeadd3b40faecc50
SHA512: c03902c6dcb29affa52b28f5cf346570e90070e7eef28a4ef391f8872aaa8b6b1829c9e2b2f38037d3ee33d43254f43bf7ebd920d2c6bf67e7f08988735a386d
-
Filesize: 53KB
MD5: c64fdf5bb52f7e699f1526006a8f7d81
SHA1: 744da793e81a23a2685a1f1a21ff9b98a096bed8
SHA256: c231d139ef955d2ddfc25710efb351edbaf0f1b835f4f668f8dcc94856b0d68c
SHA512: 4bd7d2194f3f1a8ccfabffe333c2cc43abe48a547a190a6147040957b86d3f0a871b418d79660741b389b66f3ac74c90774b380f28cb637e6bb4055e97b18628
-
Filesize: 45KB
MD5: 407f18905e4c98996e8d8a5b0ea398d3
SHA1: b45217995272aa1ce065baeb7735d71baa8d8b09
SHA256: 0e5832b028bcb0e5c4b234ebcec18ee12ec7b0ef99b40449614b08f772930db7
SHA512: a39a6961a40f448b00db091d728812673f75f7d7659c9466ac0a379ff936db895e23c51006a3a1fbe2a11792fd33fdfb6d982cdb8bc44828a3219e61678db90c
-
Filesize: 39KB
MD5: 309a94dfe4ca47f6e4092538d2c924a1
SHA1: 8b17c85ab7ad3cddff073ff5fb8d37b12bdada67
SHA256: 5455565dd9134882739caf2a57c7c4fa7be0e0ca9f49975e787c03e7ab569519
SHA512: 8bb84fdf263c1af7430d162f92db6753b666ef2d92ed9242f39adad15ea7328a76cedb8413c6d4ecd8cca8395a769e36c44dd4efd1983d2f634cceb1e1948db4
-
Filesize: 158KB
MD5: ae5df16553d54db7504b7bb85cf9045e
SHA1: aa34427697ffed61f56a80025dae2fbc8696453e
SHA256: f3e46d6caba6ce0de0d962084545da75559441f77368967e0bfde8ff3b3712d7
SHA512: 8c18defd009b679749af793e363bda94a70c464e2e3cd2f7ae17c26375d1cda4d5214b8f2034ce0bd715800472f4dd62f0aa137b06cfc9f37e91b3d1ad85bc98
-
Filesize: 39KB
MD5: b5f264598bbe18db1ea1dded97d709d6
SHA1: aef9a14ca4590803b8074ded30f5fbf3632282f1
SHA256: d44f081d124a3bb4c816048785e2c8342f83dea415658a83945732abf7e08345
SHA512: 35d5fdfc6c8b403825eeaa004aad3b679d520f401028e2bbbcc98d12b16dae16fe7db3c3f49878812d3c6da2d8f6e7f265de33954bead1ed3ab189e663c6cc34
-
Filesize: 117KB
MD5: 653cda4f9a1cd7ac2c2963511e81c66c
SHA1: 833c2da8ef74790edd1b2ae20c9421d862bb9ee0
SHA256: c766e4e08df22f88772bcb769235c255a28bdc0ed8b13ae0fed6c574a483459a
SHA512: df8da4b812f2d28a96b94730823004e343a9308def1e883a7cd4f5d85230af0bbf204974a8c898ba9f74b46436661048b49f23c4b8c96c8363a1170e1569943f