Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/06/2024, 14:52
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
Resource: win7-20240611-en (this task's resource differs from the analysis resource listed above, win10v2004-20240611-en; the signatures below are attributed to the windows10-2004_x64 run)
General
Target: 2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
Size: 2.2MB
MD5: 4635d60504a9834d1c5be933a92b46aa
SHA1: 646c456f6af9d82742177d931459b0f329ccd0c9
SHA256: 352abefc3e194c046f5d1f2ed9c7ce1f99c2627436867db0f17610537ae8e67d
SHA512: d1790e7dcd0bdd3202f5a22f00c6f8dcb5b760f6c88b3f9fdec3b2dbd6f3e5a32403824e3cae5e9de6922fa4a4602962eb7ac3442457e55c1263a2955f9b9a51
SSDEEP: 49152:7OOh3aN4kuLbegmtGIMT8aYDp7JhN83T3g4:LU4ku/ctPMIBJhN83bX
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid   process
4052  alg.exe
3616  DiagnosticsHub.StandardCollector.Service.exe
3196  elevation_service.exe
4020  fxssvc.exe
460   elevation_service.exe
4292  maintenanceservice.exe
2512  OSE.EXE
3600  msdtc.exe
3384  PerceptionSimulationService.exe
2300  perfhost.exe
4340  locator.exe
4936  SensorDataService.exe
640   snmptrap.exe
2896  spectrum.exe
748   ssh-agent.exe
3448  TieringEngineService.exe
4216  AgentService.exe
3612  vds.exe
3116  vssvc.exe
1528  wbengine.exe
4420  WmiApSrv.exe
4588  SearchIndexer.exe

All 22 names are stock Windows or vendor service binaries, and the "Drops file in System32 directory" and "Drops file in Program Files directory" signatures below show why they count as "dropped": the sample opens alg.exe, DiagnosticsHub.StandardCollector.Service.exe, AppVClient.exe, fxssvc.exe and dllhost.exe for modification in their normal install paths, and two of the modified binaries, DiagnosticsHub.StandardCollector.Service.exe and elevation_service.exe, go on to open dozens more executables for modification once they run. Read this list as a chain of modified legitimate executables rather than 22 independent drops, and verify the Authenticode signature of every binary named here on any host where the sample ran before trusting it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (30 IoCs)
All 30 rows are "File opened for modification"; listed as path  [process]:
C:\Windows\system32\AppVClient.exe  [elevation_service.exe]
C:\Windows\system32\locator.exe  [elevation_service.exe]
C:\Windows\System32\snmptrap.exe  [elevation_service.exe]
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  [2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe]
C:\Windows\system32\fxssvc.exe  [elevation_service.exe]
C:\Windows\system32\MSDtc\MSDTC.LOG  [msdtc.exe]
C:\Windows\system32\wbengine.exe  [elevation_service.exe]
C:\Windows\system32\wbem\WmiApSrv.exe  [elevation_service.exe]
C:\Windows\system32\SearchIndexer.exe  [elevation_service.exe]
C:\Windows\system32\dllhost.exe  [2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe]
C:\Windows\system32\msiexec.exe  [elevation_service.exe]
C:\Windows\System32\vds.exe  [elevation_service.exe]
C:\Windows\system32\AppVClient.exe  [2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe]
C:\Windows\system32\dllhost.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Windows\system32\dllhost.exe  [elevation_service.exe]
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  [elevation_service.exe]
C:\Windows\System32\SensorDataService.exe  [elevation_service.exe]
C:\Windows\system32\SgrmBroker.exe  [elevation_service.exe]
C:\Windows\system32\spectrum.exe  [elevation_service.exe]
C:\Windows\System32\alg.exe  [2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe]
C:\Windows\System32\msdtc.exe  [elevation_service.exe]
C:\Windows\System32\OpenSSH\ssh-agent.exe  [elevation_service.exe]
C:\Windows\system32\AgentService.exe  [elevation_service.exe]
C:\Windows\system32\fxssvc.exe  [2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe]
C:\Windows\system32\config\systemprofile\AppData\Roaming\c1bb9d764bebce60.bin  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Windows\system32\AppVClient.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Windows\system32\fxssvc.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Windows\system32\vssvc.exe  [elevation_service.exe]
C:\Windows\SysWow64\perfhost.exe  [elevation_service.exe]
C:\Windows\system32\TieringEngineService.exe  [elevation_service.exe]

28 of the 30 targets are existing service executables opened for modification in their normal locations. The two exceptions are MSDTC.LOG, written by msdtc.exe, and C:\Windows\system32\config\systemprofile\AppData\Roaming\c1bb9d764bebce60.bin, written by the modified DiagnosticsHub.StandardCollector.Service.exe; that .bin under the SYSTEM profile is the one non-executable artifact in this list and is worth collecting from an affected host.
Drops file in Program Files directory (64 IoCs)
All 64 rows are "File opened for modification"; listed as path  [process]:
C:\Program Files\Java\jdk-1.8\bin\pack200.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Mozilla Firefox\default-browser-agent.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe  [elevation_service.exe]
C:\Program Files (x86)\Google\Update\Install\{F22A0C79-EAB8-458E-BB67-27753F7CC7F9}\chrome_installer.exe  [elevation_service.exe]
C:\Program Files\Java\jre-1.8\bin\ktab.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\bin\javaws.exe  [elevation_service.exe]
C:\Program Files\Java\jre-1.8\bin\ktab.exe  [elevation_service.exe]
C:\Program Files\Java\jre-1.8\bin\pack200.exe  [elevation_service.exe]
C:\Program Files\Mozilla Firefox\default-browser-agent.exe  [elevation_service.exe]
C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe  [elevation_service.exe]
C:\Program Files (x86)\Internet Explorer\ielowutil.exe  [elevation_service.exe]
C:\Program Files\Java\jdk-1.8\bin\jjs.exe  [elevation_service.exe]
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe  [elevation_service.exe]
C:\Program Files\Java\jdk-1.8\bin\unpack200.exe  [elevation_service.exe]
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\bin\schemagen.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\bin\servertool.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jre-1.8\bin\jjs.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe  [elevation_service.exe]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe  [elevation_service.exe]
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe  [elevation_service.exe]
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe  [elevation_service.exe]
C:\Program Files\Java\jdk-1.8\bin\klist.exe  [elevation_service.exe]
C:\Program Files\Java\jdk-1.8\bin\jhat.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jre-1.8\bin\javacpl.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\7-Zip\7zFM.exe  [elevation_service.exe]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe  [elevation_service.exe]
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe  [elevation_service.exe]
C:\Program Files\7-Zip\7zG.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\bin\javah.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jre-1.8\bin\java.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  [elevation_service.exe]
C:\Program Files (x86)\Internet Explorer\iexplore.exe  [elevation_service.exe]
C:\Program Files\Internet Explorer\iediagcmd.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe  [elevation_service.exe]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe  [elevation_service.exe]
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Internet Explorer\iexplore.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe  [elevation_service.exe]
C:\Program Files\Java\jdk-1.8\bin\rmid.exe  [elevation_service.exe]
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe  [elevation_service.exe]
C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe  [elevation_service.exe]
C:\Program Files\VideoLAN\VLC\vlc.exe  [elevation_service.exe]
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\bin\orbd.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Mozilla Firefox\updater.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\bin\jjs.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\bin\xjc.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe  [DiagnosticsHub.StandardCollector.Service.exe]
C:\Program Files\Java\jdk-1.8\bin\orbd.exe  [elevation_service.exe]

Every target here is an existing executable (Java, Firefox, Chrome, Acrobat, Office, VLC, 7-Zip, Internet Explorer) opened for modification by one of the two already-modified service binaries, not by the sample itself. Three signatures in this report stop at exactly 64 IoCs, which is a display limit rather than the complete count, so treat this list as a sample of the affected files: in particular, the row that would show which process modified elevation_service.exe is not among the visible entries.
Drops file in Windows directory (2 IoCs)
File opened for modification: C:\Windows\DtcInstall.log  [msdtc.exe]
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  [elevation_service.exe]
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  [SensorDataService.exe]
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  [spectrum.exe]
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  [SensorDataService.exe]
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  [spectrum.exe]
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  [SensorDataService.exe]
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  [SensorDataService.exe]
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  [spectrum.exe]
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  [SensorDataService.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  [spectrum.exe]
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  [spectrum.exe]

Only four device instances are touched: two Msft Virtual DVD-ROM instances, one QEMU DVD-ROM and one disk reporting vendor DADY. The vendor and product strings in those device IDs (Ven_QEMU, Prod_QEMU_DVD-ROM, Prod_Virtual_DVD-ROM) and the FriendlyName values are exactly what a VM-detection check compares against. Both readers, spectrum.exe and SensorDataService.exe, are stock service binaries that were opened for modification earlier in the run, so treat these reads as weak evidence on their own: they may be the services' own device enumeration rather than code added by the sample.
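Two things in the signatures above are easier to reason about once the flattened rows are parsed: the executables-modifying-executables chain in the "Executes dropped EXE" and "Drops file in ..." sections, and the device strings behind the SCSI registry reads. The script below is an added example written for this page, not tria.ge code. It parses a constructed subset of rows copied from the tables above, walks "A modified B, B then modified C" edges out from the sample, reports writers the visible rows do not explain, and pulls vendor/product strings out of the SCSI device keys, flagging the ones a VM check would key on. The VM_MARKERS list is an assumption of the example, not something the report states.

```python
"""Parse flattened tria.ge signature rows and answer two responder questions:
(1) which executables are reachable from the sample through a chain of
"A modified B, B then modified C" events, and (2) which SCSI device strings
the modified service binaries read.  Added example for this page, not tria.ge
code; the row text below is a constructed subset copied from the report."""
import re
from collections import defaultdict

SAMPLE = "2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe"

# Constructed subset of the "Drops file in ..." rows: description, ioc, process.
FILE_ROWS = r"""
File opened for modification C:\Windows\System32\alg.exe 2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
File opened for modification C:\Windows\system32\fxssvc.exe DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe elevation_service.exe
File opened for modification C:\Windows\System32\vds.exe elevation_service.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
"""

# Constructed subset of the "Checks SCSI registry key(s)" rows.
REG_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe
"""

# The process is always the last whitespace-free token; the path before it may contain spaces.
FILE_RE = re.compile(r"^File opened for modification (?P<path>.+?) (?P<proc>\S+\.exe)$", re.I)
REG_RE = re.compile(r"^(?P<desc>Key opened|Key value queried) (?P<key>\S+) (?P<proc>\S+\.exe)$", re.I)

# Vendor/product substrings a VM-detection check typically looks for (heuristic list, an assumption here).
VM_MARKERS = ("QEMU", "VIRTUAL", "VMWARE", "VBOX", "XEN")


def modification_graph(text):
    """writer process -> set of executable basenames it opened for modification.
    Non-executable targets (logs, .bin drops) are left out: they cannot run and propagate."""
    graph = defaultdict(set)
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m and m["path"].lower().endswith(".exe"):
            graph[m["proc"]].add(m["path"].rsplit("\\", 1)[-1])
    return graph


def propagation_chain(graph, root):
    """Breadth-first walk from root: {executable: depth}, depth 1 = modified by the
    sample itself, depth 2 = modified by something the sample modified, and so on."""
    depth, frontier = {root: 0}, [root]
    while frontier:
        nxt = []
        for proc in frontier:
            for child in graph.get(proc, ()):
                if child not in depth:
                    depth[child] = depth[proc] + 1
                    nxt.append(child)
        frontier = nxt
    return depth


def unexplained_writers(graph, chain):
    """Writers that modify executables but are not reachable from the sample in the
    visible rows; the report shows at most 64 IoCs per signature, so these need the full log."""
    return sorted(p for p in graph if p not in chain)


def scsi_devices(text):
    """process -> set of (bus, vendor, product) parsed from \\Enum\\SCSI\\<device-id> keys."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if not m or "\\Enum\\SCSI\\" not in m["key"]:
            continue
        dev_id = m["key"].split("\\Enum\\SCSI\\", 1)[1].split("\\", 1)[0]
        parts = dev_id.split("&")  # e.g. ['CdRom', 'Ven_QEMU', 'Prod_QEMU_DVD-ROM']
        vendor = next((p[4:] for p in parts if p.startswith("Ven_")), "")
        product = next((p[5:] for p in parts if p.startswith("Prod_")), "")
        seen[m["proc"]].add((parts[0], vendor, product))
    return seen


def vm_giveaways(devices):
    """Subset of scsi_devices() whose vendor/product strings would identify a hypervisor."""
    hits = {}
    for proc, devs in devices.items():
        flagged = {d for d in devs if any(k in (d[1] + d[2]).upper() for k in VM_MARKERS)}
        if flagged:
            hits[proc] = flagged
    return hits


if __name__ == "__main__":
    g = modification_graph(FILE_ROWS)
    chain = propagation_chain(g, SAMPLE)
    for exe, d in sorted(chain.items(), key=lambda kv: kv[1]):
        print(f"depth {d}: {exe}")
    print("writers not explained by visible rows:", unexplained_writers(g, chain))
    for proc, devs in vm_giveaways(scsi_devices(REG_ROWS)).items():
        print(f"{proc} read VM-revealing device ids: {sorted(devs)}")
```

On the constructed subset the walk reaches alg.exe and DiagnosticsHub.StandardCollector.Service.exe at depth 1 and fxssvc.exe at depth 2, while elevation_service.exe comes back as an unexplained writer because no visible row shows what modified it; that is the gap to close with the full event log before drawing the chain on a real host. The DADY HARDDISK entry is deliberately not flagged: only strings that name a hypervisor product count as giveaways.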
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  [TieringEngineService.exe]
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  [TieringEngineService.exe]

The reader is TieringEngineService.exe, another service binary opened for modification earlier in the run; a single ~MHz read is consistent with ordinary service start-up as well as with a sandbox check, so it carries little weight by itself.
Modifies data under HKEY_USERS (64 IoCs)
Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3a10702fdbfda01  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"  [SearchIndexer.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device  [SearchFilterHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"  [fxssvc.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE  [SearchFilterHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates  [SearchFilterHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie  [SearchFilterHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"  [SearchProtocolHost.exe]
Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab8b3202fdbfda01  [SearchProtocolHost.exe]
Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000faec5302fdbfda01  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList  [SearchProtocolHost.exe]
Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b7a0002fdbfda01  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer  [SearchFilterHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My  [SearchFilterHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer  [SearchFilterHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software  [SearchFilterHost.exe]
Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008def1502fdbfda01  [SearchProtocolHost.exe]
Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db36bf02fdbfda01  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"  [SearchIndexer.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia  [SearchFilterHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  [SearchFilterHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"  [SearchProtocolHost.exe]
Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9d4bc02fdbfda01  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"  [fxssvc.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"  [SearchProtocolHost.exe]
Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf9c6402fdbfda01  [SearchProtocolHost.exe]
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"  [SearchIndexer.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"  [SearchIndexer.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"  [SearchProtocolHost.exe]
Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"  [SearchProtocolHost.exe]

Every write here lands under the .DEFAULT hive (the SYSTEM profile) and is a MuiCache string, a FileExts or OpenWithList key, a Shell Extensions cache entry or a DirectShow/ActiveMovie enumeration key, made by SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe and fxssvc.exe. That is the footprint of the Windows Search indexer and Fax service starting under SYSTEM after SearchIndexer.exe and fxssvc.exe were modified and launched; nothing in this list is a Run key, service entry or other persistence location, so it does not need to be cleaned up on its own, but it does date the first run of the modified services.
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process
3616 DiagnosticsHub.StandardCollector.Service.exe
3616 DiagnosticsHub.StandardCollector.Service.exe
3616 DiagnosticsHub.StandardCollector.Service.exe
3616 DiagnosticsHub.StandardCollector.Service.exe
3616 DiagnosticsHub.StandardCollector.Service.exe
3616 DiagnosticsHub.StandardCollector.Service.exe
3196 elevation_service.exe
3196 elevation_service.exe
3196 elevation_service.exe
3196 elevation_service.exe
3196 elevation_service.exe
3196 elevation_service.exe
3196 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4100 2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
Token: SeAuditPrivilege 4020 fxssvc.exe
Token: SeDebugPrivilege 3616 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 3196 elevation_service.exe
Token: SeRestorePrivilege 3448 TieringEngineService.exe
Token: SeManageVolumePrivilege 3448 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4216 AgentService.exe
Token: SeBackupPrivilege 3116 vssvc.exe
Token: SeRestorePrivilege 3116 vssvc.exe
Token: SeAuditPrivilege 3116 vssvc.exe
Token: SeBackupPrivilege 1528 wbengine.exe
Token: SeRestorePrivilege 1528 wbengine.exe
Token: SeSecurityPrivilege 1528 wbengine.exe
Token: 33 4588 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4588 SearchIndexer.exe
Token: SeDebugPrivilege 3196 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4588 wrote to memory of 2920 4588 SearchIndexer.exe 118
PID 4588 wrote to memory of 2920 4588 SearchIndexer.exe 118
PID 4588 wrote to memory of 2412 4588 SearchIndexer.exe 119
PID 4588 wrote to memory of 2412 4588 SearchIndexer.exe 119
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-16_4635d60504a9834d1c5be933a92b46aa_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4100
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:4052
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3616
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:540
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3196
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4020
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:460
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4292
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2512
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3600
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3384
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2300
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4340
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4936
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:640
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2896
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:748
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3172
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3448
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4216
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3612
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3116
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4420
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2920
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID:2412
-
Network
MITRE ATT&CK Enterprise v15
Downloads