Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/01/2024, 17:45

Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
Resource: win7-20231215-en
General
Target: 2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
Size: 2.2MB
MD5: 61f3dd87071f8aa3cbf0d83cf4c59b40
SHA1: 964749f663a0071c1556febde7a0fec1944b1948
SHA256: 9cdc884bc126ffde354fc3c625769f4f92cd0b3ac553acce8c1aaa692d5d60ed
SHA512: 1305850b2281356fba8a09dfcbde20ec2efd4924bf9595f39bf656d5fb78f76c8e787c62cd12979577f5c5795521f7ada6805f4a0192689c8064911546af9edd
SSDEEP: 24576:4OObVw4TaN1wdeukCba4oXtgLhU3wEdmh58DL8y9jemwOoUOiN297EKG1SY9:4OOh3aN4euLbegmtGs9RoUSVqSY9
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
1404 | alg.exe
1928 | DiagnosticsHub.StandardCollector.Service.exe
4000 | elevation_service.exe
2512 | fxssvc.exe
3676 | elevation_service.exe
372 | maintenanceservice.exe
2944 | OSE.EXE
208 | msdtc.exe
1576 | PerceptionSimulationService.exe
4404 | perfhost.exe
2996 | locator.exe
2136 | SensorDataService.exe
2936 | snmptrap.exe
4800 | spectrum.exe
464 | ssh-agent.exe
4772 | TieringEngineService.exe
4392 | AgentService.exe
4196 | vds.exe
4908 | vssvc.exe
2832 | wbengine.exe
3060 | WmiApSrv.exe
3708 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (30 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\9f1225234d74bb6b.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85453\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | elevation_service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | elevation_service.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c00390b1252da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae50090b1252da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cd8500b1252da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bf0e70a1252da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bf0e70a1252da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000209b740b1252da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046c8ff0a1252da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4623b0b1252da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process
1928 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
4000 elevation_service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found (2 entries)
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2020 2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
Token: SeAuditPrivilege 2512 fxssvc.exe
Token: SeDebugPrivilege 1928 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 4000 elevation_service.exe
Token: SeRestorePrivilege 4772 TieringEngineService.exe
Token: SeManageVolumePrivilege 4772 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4392 AgentService.exe
Token: SeBackupPrivilege 4908 vssvc.exe
Token: SeRestorePrivilege 4908 vssvc.exe
Token: SeAuditPrivilege 4908 vssvc.exe
Token: SeBackupPrivilege 2832 wbengine.exe
Token: SeRestorePrivilege 2832 wbengine.exe
Token: SeSecurityPrivilege 2832 wbengine.exe
Token: 33 3708 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3708 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3708 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 4000 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3708 wrote to memory of 1812 3708 SearchIndexer.exe 122
PID 3708 wrote to memory of 1812 3708 SearchIndexer.exe 122
PID 3708 wrote to memory of 2028 3708 SearchIndexer.exe 121
PID 3708 wrote to memory of 2028 3708 SearchIndexer.exe 121
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots (shadow copies). Ransomware commonly calls this API to enumerate and delete shadow copies so that encrypted files cannot be restored from them; this signature only records that the API was used, so confirm on an affected host whether shadow copies still exist rather than assuming they were removed.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-28_61f3dd87071f8aa3cbf0d83cf4c59b40_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:1404
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2840
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3676
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2944
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:372
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:208
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1576
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4404
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2996
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2136
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4800
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1140
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4772
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4196
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4908
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3060
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
- Modifies data under HKEY_USERS
PID:2028
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:1812
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:464
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2936
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
165KB
MD5 4425c736b48ae6cd31d39fb3ea46aecf
SHA1 0f887fe97dfcf8159823cde964c8e144e287eb0f
SHA256 9c2323f3caa867c57a1e05a123610ed55fd8f5ba1d9c6add1e51a5948f092d2a
SHA512 3be8d3af092d07ec8e9dbbc136d8c1068298a514c5a72b1c4a7c385f12c3243b30214acdd44cc97d7a12de8f694ac5b45e1153bd61973c343adab199fc97989a
-
Filesize
781KB
MD5 fd2cc89b744e8ea9e026ff9a1235f8a6
SHA1 21ad047902659e0f57ebc36770f656b0128226c1
SHA256 19f4527d835c4dc26458a4a1fdc32e1372fcaf864a01f61e9e4eef37eb98a65c
SHA512 44ea2a37e33c80b13f50fc972926d6f1b691b747e53eb8fe1ccd5155fd9bd743d168088bd425045943b6def43531fe573dae14ea2a2b0cb296d196aed47e4468
-
Filesize
70KB
MD5 42239bc302b3fdfc186903650b7b0f3d
SHA1 685df2eb66dcb0b917e8fea424f28eb93ff3e387
SHA256 df1fa72d3d088951700b274f9afcb648912bc98aaa4a737f4597bd33b12507c6
SHA512 b5ebd3581739347b351d76742cd904b45d82d7666db4ec7e513a924c82193bde78a0b1a8fb19a956b5e43203e4eb2ca9b39218198b5883d233cebc6617437f45
-
Filesize
190KB
MD5 d600e24f7bed78bc23cec81e14cd98ae
SHA1 bb3c155d692ef0c4f25f29cc7a8fdf83e01f250e
SHA256 f279530a3dc3367451d700d9cbe298390bd6dbd65a2731bedfde2b8d2b6d4207
SHA512 f874bdf750b31266d679228422cefedd27fd1811fe5738c8cde90d7752c2248681d1bdd6e9a754e950ebac1b6371a1afcd4d19a9e30757605141eff652a2ee8e
-
Filesize
119KB
MD5 549a679767fbef389f658844ff75e8e1
SHA1 1792b0951652bc54d026610c8712ea37037b446a
SHA256 00db477e236e49495ca692ab08e84a71250ca13658071583c6ca64416c2c6ae1
SHA512 c4f99367679e2721592b467ff8d0a5fc31871f4d2c0707800b39027d468d016986fc61309c633a81afb320a2d4bad8c8015195a7c2b8a82c6b3bacf00b043056
-
Filesize
211KB
MD5 6ed4cbe824674fe0076c06d71de60c67
SHA1 ac336a1128a85f6706f5bd7aaf6d986385337986
SHA256 a42c2545b1f8799cfffb1777ef7e156c4acd9cffbdc406a2302edf9fdbdebad0
SHA512 4b17194c60c91e28c51df328c2a01b69dc62fbbe9525f8710df82f6d8f78e70a222d1e7a0d61ae4ac95042c6e18dd8178ef5cac5027ba4281942cd22c5ea12e4
-
Filesize
226KB
MD5 7d9c7a6477759241661879eb88cd5c98
SHA1 1fb0fe1d12c51bf9b0fca270972d91a2f1a368f5
SHA256 8337eeec981a62a1d89ff6d511f86b5dd4f8ac5f9d6e05dbfbfdfb4758337ca8
SHA512 3a2db1834f92e5663d957692b3c0545090d44840a68877aec1bc6bed1ec9c837c58188dcbccf7d5270be150b32c30ef763b184a679b29ebef0d562fa4aaaa1e7
-
Filesize
279KB
MD5 22de09805112411faf3cffe6cb28f469
SHA1 a672486c1b2533ff8fd96d9d1e90b234e3ef4c0f
SHA256 1806a141a7561c51c3cc4f5d613175abaefe5cb3ccae0c6cec8f13348b121a4f
SHA512 ffd596a6bd5f2863d565f541f4da96ba8e4f73161d550f9895d5d7ad2fee873df0440d408b9dd2e40227710af9df59b61eb1e85ad1efef8041f342106ae12d58
-
Filesize
204KB
MD5 93fe28b1642268c3f1dfee8665429cb9
SHA1 c32906e5bb2befe6e46f0e5cd9fe696300a8ed29
SHA256 a95730e17456e7ee06bf3700885b30cf55259ef4f30cc2d30f6ca49f96211ce2
SHA512 341804f59d6527db63e7d87f25d0a60757e8fff00a229f3c788b351b6e8e2ca8670d014cecad49b8e9bdf0baeb24c7902c5a3c7c26c2746492ca507c98691ea5
-
Filesize
242KB
MD5 100b0e1dd9d43b007140da6c8029d628
SHA1 ecd5dbb465721515b95fd6ecec2df30e0684d931
SHA256 62eeed4a5496c6ca0bfb8aaeeb97c17b81f61a7842bc386cc84497722f2b6f1e
SHA512 8390c1ce7be0e632979c12b91193b53da81118236fcc7a016425d54a4bd5eea98b2cc03a30c8b1e67f2674c881e6476e1c16728b97cd276ba6e412c7d46d2151
-
Filesize
185KB
MD5 3bff689e307ee5bddd1571120691240e
SHA1 96f4836ed9e828d699ed66c351932bfabe9f258d
SHA256 8ff196c20f97ae78072bbb8c25627b2630665c71b1952cbd7167d6c861ac01a0
SHA512 1165295c3622feabb59c6faf41b918f98404ba575b46abebdfd3908fde4cb3f3eef92eabf9538b3d4dbf57db48b2c3d8fc7a4b48455d84ec1de50d3468d7e420
-
Filesize
63KB
MD5 38aa21bced5a87655f3fa76d5ee3a7c6
SHA1 5f1cb39bece30952c0fd693b8b16bafae2ea2262
SHA256 b1cbd28967a9cabfd6eca7386b261ddb3cf7134f024f1572e7b1236a5c98b5c7
SHA512 4802cfb8986db7b1a5ffbf61ad37a237d918ab6257734491e01ea7ed0013be31bf809dc8be18242358cded6999c2424440a2da11f87783c129bfbe49dde0272e
-
Filesize
92KB
MD5 6915100dcb966665d37f977c6d4e34e8
SHA1 fbb25f25355886101a8c2d743d9ea6221c0a84ad
SHA256 44155fa849113018d4fe128fb0c97479fbbc88dd93e89239a31c8604c950a72c
SHA512 fec4e745fd6b3c5c193fac4fbeb05d36887d952d00dca03f389cde70f0230cd0b01ff49bc1464fc5b93cce3dc3d6d9c7b65e7aa62844636371784961fc76eeef
-
Filesize
67KB
MD5 6b2a00c1c130882558e42dd2a68ca074
SHA1 1b181a48c48a3e41df21203e76bab4d02ba6065a
SHA256 d7feccc4f1d515a1e7957fb608f0cc8f64d3d17bdc369e38b32fb6462fe6729f
SHA512 79cb2a55ba6542dd8fa405fd7ba7f7bf5a859718266e1ee501cd17faa32062991180b3dcf639a5d3b8819106dbf162760bbaa7cb1ee134c1f6f1de650125c765
-
Filesize
247KB
MD5 f30e33372308ed9829f0c3320c6b5a26
SHA1 f2535d35416c656c08ea533d711e949b644cb0ea
SHA256 c2e4189c90afd536c23f5b8b4eb0861d8c7b4fdbb3282676143b9277108ba9a9
SHA512 7149e46077b9b56d82db74fb421807e328198126616937a5f503c1a7ee04c3267bc6bab0e811f670f62b5518e8e29123a4eec40992dcfad6e7587f05f089f0c8
-
Filesize
92KB
MD5 164f4032fb64251b26967a4ecb71fb81
SHA1 4bfdc16f34405e81e9703f0c1fe50f49866dc4b5
SHA256 2f8167f5cefa829494ca62e7b39665fa2b57b33170dff89409f618efe8aeb5e2
SHA512 90be1bf087d5c95eae7a8000e5360f0fd96c3d5a319dd50f7eb4051d0e5e05ab9128290acd52a6f8f2d60b3f3e6e77c8b2cf104f7823279bfe86c2e6e6707f44
-
Filesize
149KB
MD5 1d48f1f856a548ea8060b8e06fde32d7
SHA1 968315d1b530c74b46949fc73e6ed85a7d1f1f83
SHA256 978ac028c2993f1c1d8886d65583d64b23e22cb7e917d7dd8ad10367530fc15b
SHA512 51b6fcdcd92e3ba71dae383d98761ebc3f42a4a5b6611650d221fc3bb4a6b2e8956e7d260fa8716c38974d92b49342b59e4f4f3e1499a42b5a5a51378a4d02f6
-
Filesize
159KB
MD5 7aa59660ff513171a148f634f729c05b
SHA1 728d2c0a09d88f8832d2e7f3b54f4d689f8b8e61
SHA256 10b10cf96882d7bbef422172af3778af6fc417240771580cb5c2a006795b5b16
SHA512 89f0c3cf031b128a9b67109bbe2bbc1002d321a81b825de1567fc4bf3cac85f2b28c3134ab3224c8d1be1d7b6a32431c70b3a07def0f776f0d72a00882985aa3
-
Filesize
87KB
MD5 331932b51c85d67d22da9821a5d9ebda
SHA1 4333205cbd87205a4eccab0428daeb465ff32de8
SHA256 a2a1742c39e99334b87e80809d8e2d7fd58604bf88808e065130be0f22234d67
SHA512 972e0c7a6f3ea4a5ca601cb6cf7901d3e2953282e764e3c2a1b9e384fcb981fc06a9aea32666e6dff136606e07519549aa50c4d183d6d013ab1d22b203198a9e
-
Filesize
290KB
MD5 2ee6fb1c7a8e51288530a9132b2db08a
SHA1 09f38947e55aaea3c10b9b5d1f136af8ce7196b2
SHA256 4ca4d55be9e8f120dc608be1d9303c2dfb324f8053968af13faf21bae786fae3
SHA512 d3d46704d8be164aa8f29948d04668aee627133db980bbd51aa255aaf0097cfa6bc3260713cd85fe39f4d91a093784c9e4d6ff26a771a33bc69fba0bb897e210
-
Filesize
163KB
MD5 4a5d24a1410288e665dc46477f499f75
SHA1 be9c80937f002ffabc60b29eae91af77450063b8
SHA256 cac3cd7ac57c6189bf2e82d8be3b10f374e2f35cc22c779852e10c04aa0e7c6c
SHA512 7afb7b2b7bdd58cc7a78ce55053006f28fece3f63c2aa1a4eacb4aa2ce325e3e29950fcd150bb9a3de742bb87e1002422226fa16face97547cd75ba00ebcd751
-
Filesize
217KB
MD5 81d74501ee161c1c3915dd0041b0f72f
SHA1 9159416fb9272aae6060d56c910237292a828bdf
SHA256 c2d95edf0c07f9ded059ee026bba7a3667f6b848522773b12c8f648ffe46d259
SHA512 27c1e1a99288512532cccfad71f526cff91e819d5f0e9859865675ae617c1ca89b764bad134c1806fe5e111ee6e0cc7991f3ce1d09ba4c5527c60d90f59c6b67
-
Filesize
163KB
MD5 991d68e5a747cbaac3c58c096138be19
SHA1 7c100144336a32ce93d1cf9f10058ed2a0ba0759
SHA256 8a7f7de40712b8db9b1d997041b1d373c2cf6aad0d14408e473fb6740487d908
SHA512 3c2842da4d81a525c10c7b02a22ecda3588999aa688f566653c00e7aced9270bfc3ea060faab63b8a0c2742be0ecedcacf47186ffa6106d8d8974ac902abc39e
-
Filesize
125KB
MD5 68bc18a9fbb51bdfca0f2f907d7adafe
SHA1 8e203a4738c8ce1f8bb832a8a85a8f3da8a0aa69
SHA256 47f66473dcfc47a77fad33c9d2fe36ff4a8b494d9105fc42419c116815e872ec
SHA512 c195a22106cbeca13b9e887030525b3b8aaa0dbbe1a87e1d0696567df6de755b6a77815a0ceec95b356bd3fdd328dd078a2b0a0faab60578761f7df3fb8f6e4b
-
Filesize
79KB
MD5 935a3f6bae675c3e641b09c0be3cf0e0
SHA1 ff0848cea230ce4dcd835343c20d19e1dbfcef22
SHA256 603a6556e6cf342c05ae5f861ec9a6f612295d9270217153bcbad1071c027d09
SHA512 92038c4d145551cd1d4faa533a3f325642ae56fdc31ed15b1d72480853fa3a3f28cf282d1805d98227c76f2381251b6252df0aa262cf58d415bd711fcd07ae7a
-
Filesize
192KB
MD5 1983ba29f876a8f373ee12b7afb268a6
SHA1 094491223d3ac63fa72ae9e19e92f4c2bc90dd8d
SHA256 1551ca39a42ba15c056009fa8197c431ae0aa0d442848419ea0e233643a11029
SHA512 6711b3e8263d4d9df518669c454f8beb62b42c91ff75fed90f740c0c90bc3d952dd4354348a98843443c3584fc523c98a9cb2356a7b9d93285b55da7537baf24
-
Filesize
95KB
MD5 fa5cf7171781c787d1f38df62c2c24ee
SHA1 01b2dfa0ba1e7cfdf26ea5fad0bf77a53af7cb31
SHA256 c5b6a5f4136a1fb6b953ce7c59815b3050eaf1b72b1d7cd7d5fb9be996c97b9d
SHA512 47f3afd27ec5fc82699b5c811930d107fb94353c32c059e7ea675630d94eeb79cb954e551669ee7c96a5239b46834772df5ea5ab75e5354109a3f4f17889e7b3
-
Filesize
56KB
MD5 48f14ddbc157a561cb4555facb229bc4
SHA1 b636851ad7a43f426f1296f10d276656086ca123
SHA256 8366b3e2ba68c66034956dd69858354600aa347694dc53bd8f8bdc6411a42244
SHA512 1f00320a31503bc3c66df151e10708ee06986a2aeb41662050396d296b96a93313b9ac7cc46ed467fa6a26d73115009821cb5dfbeb5338e443007f8fe8cfd7f7
-
Filesize
65KB
MD5 c889240bf3f579eca7408e6b9c2e7c43
SHA1 88470d5d426c7cb3f6d8c0415a55f6514a425ede
SHA256 7caaafb2a51ac9e66e303610b787be7089f5884dcc60c5514148261e0143ecb3
SHA512 0e23e9b986a5abb00c483e68edb3aef3e964c005a487d6d79a8658ec37a3468d7a02aa6b8d4c8910ff6f3a8a64a69c0ace01da7805af6167be00b62726f36d5c
-
Filesize
173KB
MD5 2667da0325a8203a6d4d2e0ef8d4787f
SHA1 8c2f7f3d93e1869ebd4a537ce735f5dbe61b1921
SHA256 6b77bf7902c8e1a269c1abb4783f3da89441d2ad2566e67e4acaa57d766d136e
SHA512 ea681a573f88007c36e687a15cea1c99625c21b3b5856eb1243f3ffb62eaac5654a8344097ff5bdd75670d22328df09e77b26503224a5bbfeb50a19e58a0805d
-
Filesize
119KB
MD5 da59d719d7b2735ce99d34af93d1c5ba
SHA1 12c102f45084b6c7db1baa7547b9f34fba85c5b8
SHA256 afc46f65fa2fadf9eee31b9276ccd813c0674f3da1e293c1d17fb2adf21ee455
SHA512 6e89ae09232ab355eab91c75c785b47c3064f2e57ee87467e487602bd0bc9836487a0363927fd9b0a3f1a0fd0e187222fc41c972298d0d054635fe7045a4fba5
-
Filesize
15KB
MD5 805a9ab6797e8be3778b8fbb91e3f31b
SHA1 a1f826d684c127167dde17611370e8c0a5b9cf9b
SHA256 8b5cf70c51310a6d7b692f39bbcbed67e9eea22901d3ef2c1951386b1f264c7f
SHA512 191d8f4d7dfb9af4809878cd955f8a889ff28de160a79446a9b275b6593dea7bdcbc429fe3b67e73c8885f70f00017fcb0d744cb97f29e3fdb669fbb2f406896
-
Filesize
86KB
MD5 185c4674c7b1f1692fb6e4c9b060edac
SHA1 c953f6f37011f1d382bbe9553b8670d9642cdab6
SHA256 70d1b653fb20b522892c3363878ad437d0b4a1f9138d8eff87a182789c7843e0
SHA512 506055daa7ea6ebe9633a6fd0d90e662157e248c493db317bec07e2ae20e72155faa77529ce6ce45073aabce2f9b702e60b77dfc5f1168dd6d43375f190cdd54
-
Filesize
108KB
MD5 507db047d95998f25bd050f5e6490d65
SHA1 84977d1ab2d7694cf6d824acd4a69ad0c77aa54c
SHA256 604f0ff6bc547c66401dd5364006487cfa8dbef97c0af1dea3242fa51eeb0614
SHA512 e9bc32d174878325ce490fbdd886fe44d21a25a00a731e0d2ea7d0051fe7e863c3efb22b890c88691d88fbd78188160305bbcd3eeff009b7f99ccfd8de1f2a53
-
Filesize
132KB
MD5 0f4e5da4d95946ec21a60282ff1d24c6
SHA1 53af3e26cfddfd5d5d57f7ad017a300b538d0a94
SHA256 ad1bd733071e7d015be7f984fb850bef22f790c7e7fa9d6a0f49edc1951ff974
SHA512 30660c1dc29d34669f3a76b2e39f272a78ece97b0a8bde3a48ef7c532cb076500ae2d8ba3fb093f9f41d7b8b1106ffb85e84350912b75f375b1fac349479c814
-
Filesize
36KB
MD5 1ad8bf1fd78c12f43f296e168ad6e651
SHA1 28ea2632f6272ef38ace206b450ab09e08e2d490
SHA256 c74c0553cac5499cd16e55e3776abc6d9ec2063cdb76071018965b5c22993d4d
SHA512 8bec7ae5aa489585ffe61275a383bed10f7380cb2e85dafe75b3ca0ed6d5a99239ef8537b7265a9b7fd53ada7fbc67521ede794d14a046c14afc1ede9fea6730
-
Filesize
175KB
MD5 f1c28241673372f47c4dbc6116151942
SHA1 0acd9727de2b181b5303d5c21f76000ef2512bfb
SHA256 c8bfd8a7facc1d1ba4dc70a3c295c0cfa8df7d46c274b243b85ca73f89a681b5
SHA512 309beadde815b67bab02ad9b2ee6f0b36f0a5e060bbb7cc85e18475fa60b82648a9a3976cf7beaf19fffc946883ef59f194d59425ffecf516e185aec9ec6ee35
-
Filesize
100KB
MD5 abd4d330ff0d924f7f79947a53ae2130
SHA1 e012ad4cdcbd4077746a639158fb9fa88e0afcfc
SHA256 9acc4c589e4394bd3a04e0c4c53fcbc3816a88af66337e2e5bdbfeb419211e00
SHA512 31c8eb6c5a07c492b7a7f5e0fc28a503de19c2f81d4a84c31200364c7d2818d75892d7129a5c76dfee3047b369944b3f9bda41bf5ee6efc578035379ed8bd25f
-
Filesize
89KB
MD5 70aa326daf1efe718ad12058aab24275
SHA1 1fc39bcbfd4e2e5068105b723a4be7439dbde42f
SHA256 921996c3ae8eba15b9abd197e6927a8128c491027314b679b7a17c6700739431
SHA512 786bc0e4da99ef01f0bfd0843197e7a086933541a7d98d6e90fd22318128cec54ac6563df4f1eda0a6ab65f337809714f76b5ea9115bb475171f35dc72ce8dca
-
Filesize
84KB
MD5 bbe76ac8fa3a56f43ca7b8cf746f1e8f
SHA1 76999bab9b04741007c06d63f01d330e8050e2f7
SHA256 00d2c1563de275a7beda35ebf802e7eb00c80fe6ac28a618fe09f529e623e020
SHA512 7731f8a2226c721a8231c808ac2e15f04d46d6aaa26bf417ac8e117fef7a5c5cdba8de8b9f57914a5e4c16f48c1e5e212d028da4b1f09357296144df144209ed
-
Filesize
59KB
MD5 e41554da952b6e102b8d6608985fb279
SHA1 cb28dec5f5a00c6afd697b286878520844ff3718
SHA256 7060fce85e67036b69fc938e3433bf1b2cf5ee8404bdb711f9212c2d64a055d3
SHA512 be0451cd033bf602e9e15382d0e02dc8a645bec8bf64e4626a7f78d4af6fd4cb453c1baf1359d5e6d4ad014f590e8ed987e1c3e36434184b9ddd20e68de8b1c6
-
Filesize
80KB
MD5 f81c31ac663c8324c672e520fb60096c
SHA1 e21eb48dfa4fb1e9800c118768d891cc9b75dd50
SHA256 6cf2d32981a1a4b21eba571ecba2269e5fc686006ef9b5793e92c7c024059e14
SHA512 0bb2c69b93488f06e7af5b771cd77e9092020fb51547e3d75bf49a2043c770a1d3ef4e1e8d18c264be88b185984cb56a1b3e2b7b844cc605f4d7cd951b607b2a
-
Filesize
588KB
MD5 b982526baf9bd71326d00ae64f934818
SHA1 355e93b547a3edb1d3d629ee479d95721af47bb7
SHA256 7a36f443af56f08152889c59397372b7a2c60f67831d289aaf76836819e5d8ab
SHA512 e660fe7664b22671c4d4e5c627e450904f88f1543d312262d3f04245765a42e4d640314ef9836caaeda6f25e9b7df19a8df17bae2f4133e108e5b5da162d42b4
-
Filesize
417KB
MD5 84bf4d8bec78fa8d344fc1e079186ba4
SHA1 1fb7f6ccf0147f6140b41a9569b429c6077d1c77
SHA256 561dce3386d88b2cefe0bb053f3b9b6b08f6eb20fbaba1f4902b4e249ed1deaf
SHA512 5ffaddfedcb33e0058bbde1144f2fe925695f76656619ffb23ee7b324771adc19410b7bb0f6959d4acee971850f7c0388a7dd8d8531643e4e07ef3ac1bae8d35
-
Filesize
125KB
MD5 d7cceb92755e6c6a77dc82805e7f7885
SHA1 bfaf433adaf00b634482b488889f106ccc304df5
SHA256 3b24a1f539e35c3935c36d34b5505c2f5c2d4982b086ffac62214330ec00f9df
SHA512 51f5f958596c98f4cbb09e88f6080aa73de62c3f81a8e74eeabd08c74c2eedc928ff5a46ee79d77155caf7e7690ba9fe111df35d79b870331dd02eb72ac16d20
-
Filesize
250KB
MD5 3058ac1abe8cdab6a631c92f233869e9
SHA1 f653a6b8848727728217afe6228c74b13781ee0c
SHA256 bce0375c0093364d2566cf1cca87002e37a886ccd35d8c69053b07574917babf
SHA512 8d0084e523b785673fee2d3b524027f31c97318357f0b33cc8c8bd392194eb088dffd4424e23600fb580122a169ebb0ccc1647e4ba295e82da8c143cdef15b7c
-
Filesize
489KB
MD5 b49e10069161981b6c9e6e18a1b1f1b0
SHA1 236ac37fc7e04250f0bb7f1fbd9353ecaba68762
SHA256 8c38b9f9d70839ebbc4e72062893e12fcfea4ae62bb366867659f92d3e7ae47a
SHA512 1fafdccea9dcdede976ec2dd6a47e0c12e1679979bec3411de3f1ebe91bcda21f7c7e6105e8da117e16e24e57cecfd85f6382df90e836a26e08f5e6cfe254d1c
-
Filesize
222KB
MD5 518f768a9cc92a68e1b5ea6ec9089953
SHA1 01668188ba86ff853ff7cacf9269cdc218d10af3
SHA256 dbd44041e6de8e572028296fd32a8d7d17efa7e121eda1144d2f115d05f2cf64
SHA512 2fbc77ef769b3086962d67eeb200d0218c0628a8e3edd433325df78ef49bcc175b0fc0d6689eb2502ef4a16dea18441a8427dd8c327b509367fa4ee8b2d2d5c5
-
Filesize
372KB
MD5 d4558ca97d900e12ebdf6a123bf8a6e0
SHA1 7caab808ed965ce32faf346ef5c84457e8cfde43
SHA256 f58576941e233ab1fc6ab510c9acce6f1b65f06b403b0ee03571417ea5aa25f7
SHA512 a4c3bd74267455b2ed236bc8811dad7909ef1294a056bd07b229b45cbde08d9b3e6b84ee14a1282b2e7ebd77bd971115f6551303ced7defc9b23902a217f0081
-
Filesize
671KB
MD5 cbb2dfc715cd3d16c552471523c85a7d
SHA1 f65a05381f87ec786b8115a969cef62e6cdd492d
SHA256 6b31e746b80c1f205ebb34d68689593f3054bf3f30008d7c400ed271783e4727
SHA512 8254f83675b37bfe280ea4969b8ead71db1e9d16b280e2c16801b26348b72d94674b2e90033d74451ddd93f16a53f3335eb7276e6dc860f772e690cbaf68c47e
-
Filesize
285KB
MD5 225565ec8255f00ba98dbdfc5cae6f23
SHA1 1c2002fc9f65d1ba15927ba48447ccbdc19577cd
SHA256 5f0bd59e6b69387def9fb239fc10def01e3d5b1e80a39bd619dc2a314e0f2da3
SHA512 8080eef12e6069583e2b1fbf1b27a13bc6e5151578cc60afde7c5abbaf41fdb593a3d0ee14105b7aa445c0dcb8f0adb4e615f4304969b31363a3bacfef206d4a
-
Filesize
704KB
MD5 bdce35990ce56eab71b1d82f3e84a66b
SHA1 bec5333c3f09ffc21db7d6f710a7c6debb66b973
SHA256 9086cce1cf341eb3612a87a2908657ce7d4f500905a42e07436664a3af0d3cbb
SHA512 6e19d660bd5e37595aaa5c3589a70d49ba77e4fcc95327ea97f2e632dad06208154019089b112e7b352bce1e2ef13686545f425f43c40f72cf8a49b11edb4dec
-
Filesize
424KB
MD5 5af1356c3afa5521226ef74481ba6430
SHA1 ec9e54f9d77b8837d8da7e947f69a15c64793e5a
SHA256 4c9350f42128f6afe5dabb470d134da4ac5931fc29966f69b08bd019d8652f2f
SHA512 9b02d3c1e9c084a1d095fb553396547896c7471cb64bd5c76e5c5d1a50b223fb2369c9e5344cf19f6c433a13c6c18eda6d88ac4c39113665a54266d1f452d4ca
-
Filesize
446KB
MD5 e8257840e040c2fc26a649d6bd8ee64f
SHA1 246af2269546631f73236af6629e583e6f1ef524
SHA256 77afd736ed3c6d9b89ace84b9dd01f729c4d25bba71aec1ab990232c015917a3
SHA512 927cb1be561729a57e278d18433eb30fbd8f7fd5a3819de3273f86896403d7ae03dc74f6678f61b7fe1f60beeb912f08a1d8334d05e09a6d4fbeeb818d0ffca3
-
Filesize
224KB
MD5 cc6ac7f18be4f34bfb248cd29e770fa7
SHA1 9bd929ce0d45aed32ba7d6646e84bb32a0c4414a
SHA256 f0ba5414801f168b3c0fa12cfbb4ab9f1d383cc8daf957d611206c5dc2d5555e
SHA512 da42a12f31da58886fe6b91c09a57539d7ff6694cdcdf5f1502653fcfe549debc5af8aae9a84a65af5a147b8eec142ac0e7f4ad18b51385b0f70a421c8263a03
-
Filesize
149KB
MD5 5fcbe4f9845293fd78a83b2879758f59
SHA1 b6275be90642fbe1f7b0d2717e6503e843bf748e
SHA256 40982937b438e5f242e408474e3ef5b61e04d47df4217a1f5e9592d888f4949c
SHA512 1e6347de1fc869b8d7e9772e4ccefe958823b9f5f94f712a4c34867962bd92d5c25954c59feeb2b971f380fed0f95ced119a9fc0f6577364c7a8419fd2f8330a
-
Filesize
712KB
MD5 dc82c47b19585371961808aa527852ba
SHA1 2c63815957fa5df3c03dc13f2a768c650bde4f05
SHA256 0a7c0ad40f38c7a82cf82b21b80357cd6906265aca6821bdd6c501bda281ca18
SHA512 7dbb9a0aaa59b49c7ac27eb882e659f14963f2826349bbc714332fbabd46f51880c3e196f45b682f63529db7c98a3500829104fcdd794a3f3bacfcdf526f7b09
-
Filesize
448KB
MD5 c953e61f51c9d628672c1e2a9737a0d4
SHA1 126def2f48ae87898545b860bd513a3f5d6291e3
SHA256 e6ad64f357cc75efc03c5855353a3e5ad65d63908a19df6d1c8335e0c6241ee8
SHA512 675db364170198f1e5a45cbada9db4ec957583424763787182b47d113cf39ece65632de981051fff4cbfadd9a4e54d9b09108d6c3af92b8efb1edc8697654f22
-
Filesize
252KB
MD5 2eb91e77ba153e9579b90b0d2508e783
SHA1 1dfc6c55ea8744c35951b9136abd0641ab2c1f3f
SHA256 c8790e7f7e5f395a647c9be0b3cacaf4cb8f6f4f9f5f8a7b98f7f5144b2ec6cd
SHA512 e0ee5859a74e203c449b9d6bbf74222f1b749f1f7937ee4f225f9f1c33cf6b5d7fd94f7351f4010496b465870a1ead13d33d770983f6f87bcd04d9f8a504271c
-
Filesize
249KB
MD5 a4e2e6d75a72d1c141a7a407cccc6064
SHA1 eceb83796287c5f1845033a588d24d62cab70418
SHA256 57bd5ae7a1c6dea42c12315f136aa57c99f359bfe5d826e968cd266d61df0737
SHA512 45a6e09ff634039bb470a6202c35e42e8247cbf330b8b478cdaee80e74f05171e640fc70750dc641e72fb21f34c3e3b1727aa48f215ad1d472c57a738565fded
-
Filesize
149KB
MD5 e524cd4a5ff73613e4ec0442b117bbbe
SHA1 d2fe199bd7853a282bb160b1e48fda0f75c7fdc4
SHA256 ec3b79f22e5bb33f0d08a096692fe93d1df53465e06ad9e1f0375cdabc00d3c9
SHA512 1b558e2e583f10450cc55fae89e5a17d5020c3208acfd07bf00be50da2208cb36fb68cd80676c18fadff5fe0f7710d83f858a5c96dacb50377d172e8af3f1939
-
Filesize
99KB
MD5 6c076eb8575762ade8bfe9188304beaa
SHA1 c997492c09389e494796533abdf6452628accf92
SHA256 ac3b7e8411fe09fe7ab563894d941263656c23fc5ebbf1b8fd188ff63d9d16e5
SHA512 79e3cca1fc316885b38a4b0708813d283ee08015f61538d838f656e8d051607ef937a045b4ce5b43ea117ce550ccb9754d4ba642d702f06d88a73e8d554af095
-
Filesize
120KB
MD5 ef3023c4d1d07091d5c343fda73e00c6
SHA1 199758e2742eca769b2fc97ac160399652ebf41f
SHA256 1c97cb947741fcd2ab9229e336405971857b5a7dc59de7c89e9e0122a26de8df
SHA512 106811f690c642ebf97aabd44b7ecd19b6bac8a912fcce262be6927af663814c3d57d441ef5db6a26622f3fa267aed17d439c1219dfbe0053cc5e24906624a03
-
Filesize
77KB
MD5 062506caa04f1e7bee0715810c3b7429
SHA1 06a8bdb20677e566eacdf8f563fc2632a8eaed3c
SHA256 9b2a5c09adffe06d93d7266da9022e46b91afb461877805d17965d43a17f80a7
SHA512 69cb5fa2f17031a36b427077ad76fb0ef65dd2889e2341b6ef02b1e2f38daa577ac4eafec7abfa4a195a2245c89f34f27836f23b5a7e24da193c69e0ae8470cf