Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/07/2024, 18:01
Static task: static1
Behavioral task: behavioral1
Sample: 2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
Resource: win7-20240508-en
General
Target: 2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
Size: 2.2MB
MD5: 68e9a4d08dfd3fe2ffc0fa3b6939968a
SHA1: 4303a1200e222925e36eaca815c09bd26bec8c2b
SHA256: 4a073a0199a6d94436a601abb048bab0175ab2500b23bccefe5a0f1495c9a860
SHA512: 974e6c78c5dc69cb66ae97ec697b33d30375f0499a8f5cff438701e99567aa3cd879fb71bda59481f28152e4e8e794ccaabdb3450fc948bd4623a87a15919398
SSDEEP: 24576:0OObVw4TaN1wdkukCba4oXtgLhU3wEdmh58IdCN/j2GLl3iFSE33b9:0OOh3aN4kuLbegmtGMN/j2U4FH
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
4896 | alg.exe
4024 | DiagnosticsHub.StandardCollector.Service.exe
2896 | fxssvc.exe
2908 | elevation_service.exe
2804 | elevation_service.exe
804 | maintenanceservice.exe
4608 | OSE.EXE
1352 | msdtc.exe
3884 | PerceptionSimulationService.exe
4808 | perfhost.exe
2308 | locator.exe
2172 | SensorDataService.exe
1852 | snmptrap.exe
1340 | spectrum.exe
4296 | ssh-agent.exe
1984 | TieringEngineService.exe
2076 | AgentService.exe
2496 | vds.exe
3456 | vssvc.exe
624 | wbengine.exe
3996 | WmiApSrv.exe
2460 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (30 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\a58afd9675cb61b0.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105781\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a6db7bacecfda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e36d98bacecfda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064fc44bacecfda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007733bbacecfda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015e931bacecfda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000427c08bbcecfda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process
4024 DiagnosticsHub.StandardCollector.Service.exe
4024 DiagnosticsHub.StandardCollector.Service.exe
4024 DiagnosticsHub.StandardCollector.Service.exe
4024 DiagnosticsHub.StandardCollector.Service.exe
4024 DiagnosticsHub.StandardCollector.Service.exe
4024 DiagnosticsHub.StandardCollector.Service.exe
2908 elevation_service.exe
2908 elevation_service.exe
2908 elevation_service.exe
2908 elevation_service.exe
2908 elevation_service.exe
2908 elevation_service.exe
2908 elevation_service.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3976 2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
Token: SeAuditPrivilege 2896 fxssvc.exe
Token: SeDebugPrivilege 4024 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 2908 elevation_service.exe
Token: SeRestorePrivilege 1984 TieringEngineService.exe
Token: SeManageVolumePrivilege 1984 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2076 AgentService.exe
Token: SeBackupPrivilege 3456 vssvc.exe
Token: SeRestorePrivilege 3456 vssvc.exe
Token: SeAuditPrivilege 3456 vssvc.exe
Token: SeBackupPrivilege 624 wbengine.exe
Token: SeRestorePrivilege 624 wbengine.exe
Token: SeSecurityPrivilege 624 wbengine.exe
Token: 33 2460 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2460 SearchIndexer.exe
Token: SeDebugPrivilege 2908 elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2460 wrote to memory of 3060 2460 SearchIndexer.exe 117
PID 2460 wrote to memory of 3060 2460 SearchIndexer.exe 117
PID 2460 wrote to memory of 1796 2460 SearchIndexer.exe 118
PID 2460 wrote to memory of 1796 2460 SearchIndexer.exe 118
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-06_68e9a4d08dfd3fe2ffc0fa3b6939968a_ryuk.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:4896
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1748
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2804
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:804
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4608
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1352
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3884
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4808
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2308
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2172
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1852
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1340
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4296
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1408
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2496
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:624
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3996
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
  -
  C:\Windows\system32\SearchProtocolHost.exe (child of PID 2460)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:3060
  -
  C:\Windows\system32\SearchFilterHost.exe (child of PID 2460)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID:1796
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5b32db26329835356e9d88126f201b399
SHA1f1bc498c8f1e0fcf889e295298651a9ae91db74a
SHA25670b27270d67626b24caac55e11ea722ab78961da851007b729c2977e83fcadfb
SHA5125a78211824fafdc57affd659e1dba3c73ddc0b3b468a33f78db12bb914bf8c6a86ebc7ca3425d790bb1ef57c43da4cedfb6b11b968d24daad40e0c39722767fb
-
Filesize
797KB
MD52ac3470aa4832ed226ec250216843cff
SHA1bb059ba15dfabe3ecab19bfc6d6152ef522d0b32
SHA256b7c2061fc3dfa89e6913996f1fd0badcea3c82edace289d8652eeb8b1a06d8db
SHA512886350f127106fa6e7dd595a9ddf0b7704629ab2be5ca1d6d7998128fb801525bf230b55a34c05f2d8fa1d5b437b93271d0eb0ab0626d25292a25a725b777b71
-
Filesize
1.1MB
MD5bcb09db304b4e47b92284b6f278f80b2
SHA1b32a7aeaa170581b7b1a55e918257fa5581b4858
SHA256c7fbefdb6deb66562b9cd7f59bd0224e4714fdfc95c94292c2e387d3ae831b20
SHA5121745477d283aa4b32a3b3475c7c2cd71833832f86947ef291936d189ee865e68eb0d7bd179f0524cce6178fd4772e9cd127b9598611cb6b7bdc70f7363fb3f4d
-
Filesize
1.5MB
MD5ff08a8a3896703113e897885d20c9a29
SHA11f8cf2d76253e251ebd3a9a5e23ffccd2ae9fb08
SHA256b0f6799129f79c22372cd0ff570f1785d4883cbc5bac2be0faa1056684481554
SHA512de40ab6f0306e434e43a3a663162257e00431c7d0ae001f20e751d04666c63428e889ca94356e49ffb50c977020a11d453fca889afd282b606e8232f746a098a
-
Filesize
1.2MB
MD56e4b6c9602d1efbf6f888169515c06f8
SHA12e4dd3178a994b3d0e7afdea66ead07bd4b5a353
SHA25610efe1f4bff04d35da13acb072c141c388947f0973202abc516b6f95895a1862
SHA5120c35ba8160d7ba1e91e25845591655e77f5e2bdaeaf05547f4aff571ba6224521d5c38dd614cf260a403df9a9f3b4c3ba84c10f71f77d2cb175ab5d037703e2e
-
Filesize
582KB
MD595b80cc70b0c22bc43734f9be320b2cd
SHA1bbdaa5aa2978e99cc327e58ebe217dfea8335c4c
SHA25648e06146c3990b08b5188fbdc4734c976030e69c4cdc7168d91f3fab7c5a8a51
SHA512685b82a0166651ca45341333ec8a4a1b511186177a1987a4f758780f3ab958ac16fe2987095bf46d292917f7d8e0e289b72c210fc8acec8d839c35d5ae11daf7
-
Filesize
840KB
MD53beea82826a06587ebfc283c6e1e5954
SHA187f2fa28c1de169827d223f347fcdccb7ad93258
SHA256413d84978f050cc540c3f50d5a62f444e68934239608ca42fe9d5b801aa77688
SHA5129bbbba8e255b5df2e2e584c84cf112127fe7ad5808b461ebd041f31810e22266f82b3ddc342cc815886766b29e6406d668d43baa36a6d4b78f7c1d7d0e1a84b7
-
Filesize
4.6MB
MD5788fea8b1adabdbc0c22692be675bfce
SHA153b06f8989a45e282fc6dd19358a0a9084770c1a
SHA25685014dda58019686a6b9daf71de9b9bdef3f5b21baf2d6d7ce8c5831b3123ff5
SHA5129c2da58c279af803f9f47a022697526fc899dde284574a78b9fed34b21a12f807f9a3ea4b02ca46a6c669db171fa1ef0451eafa3f57e086d300cfb191cafe88f
-
Filesize
910KB
MD5201e20257e05a4309ee547fb177bf86a
SHA188db8f67fd86055040a685fdea6060c934bfa2e3
SHA2568ae6b1c4e3806436aac66974dc07455d95644e84e822fe89c239d82b4276294d
SHA512f815fadcc57f70c4c5542d40a5bd442fb5f7a17991603dfd5104e9785b5c7b4875b5ade8c0fb81010394b7115c70d5f703bf636648e9699a683e36c1397cf4df
-
Filesize
24.0MB
MD5cd31f8ecb9aab8b3578ac63fa2124c40
SHA12823198752d5d4d3315e7436e221663522d3a814
SHA25662d00f17d3810edf149739278a31ee80cdf3d7161faca7d065da4d2e7ed4049b
SHA512e8dce05adc7220e8d21e7dedf9e142a69b0f640a06bf87e2f8792aebbb0bdea7aab7d6d4989739ad0d19de58bd81812a704623c6c85c3e185f15b58472e626e6
-
Filesize
2.7MB
MD5d147f77e134dc74a35cebd68ce4ee012
SHA173ac707a611d3bf92c357a0f6bcfa75d5284eef6
SHA256d272f5f08b8479679f691b47b5810bcaf8f8d1abd37a731ed8e3a52ff1355565
SHA512e9c779c4e3891ba28d62d206a4b01b25f7c713387df2e2a576cb8491a3199cfdadac65dbc7bdabb3277076bdc283188633173b3b4260c426fb9c00dbd5db25dd
-
Filesize
1.1MB
MD5b734a186c60c8d6c1aaefa859f0f4439
SHA17451a7987ed60c4531c627af3d6ba8969614eb6d
SHA25645478bb228aa342a0ac0ad86cb3c6eaa9f931094c02874976497b17c8a21a4c5
SHA512814e7823b7192c4605d3f505f6db9289d11d30aa2d5855741a1456d99f188ad53ec53e6ba365ccbf2e7cfe3f3f63a5f4b7d8034fff84facf341136fd2be91351
-
Filesize
805KB
MD5fcb91fd9dbfc81bfdc7a5fae6bd189b0
SHA1c549e081d92b483924f79fd3931000b9d0ce33ef
SHA256dcd7e4a10ad1d079cd034342cfa36ece18440b886e1d2af4a9313ddbae5a6eed
SHA512f27c1a17d780aba219332424affbc8b02cb3ff087b67c8e4bc658c72e45b53d36bf68b2b5afbc161380c47baab3fbbc8f2b575a21ac776e7792a114dc33efac1
-
Filesize
656KB
MD5fbbb55b800f6546c1c7b0768005432ce
SHA17cdb96dd45d944d1111fd239f6a60701792cd66c
SHA256ef6fb2a9642c3a427302a9eab201516f2161cb8546f65664065bd16c8e26bbf1
SHA512c17429b976de8e487faccc5b13431f0a369e2c5d78eeb0427ad34c2e6ff0c9e82815099cbe923ec04f1f782e2238ebfad8d509a1c9787054483a58ec0c4cf607
-
Filesize
5.4MB
MD552f67d494191e63487e3bbc90cb4e166
SHA196b8cacac44cc85a2f4e4531b0a21b31050f4f14
SHA25672f9486bc2f6a7920ffc194fce6aedb00ba8d62e43d917b015bc23ddfd9d0c07
SHA5126ae49df244ccf318e6182460f7acc73cc99839add60abb888b200afb125334bdff85919618ddafa8d2d0afb79a7cc1dc63b4d7de43fbf6203d07c8bb65d5eb6b
-
Filesize
5.4MB
MD52218512ef65426bf72490354e1726e68
SHA1ea1f7e0dca561130c344975ffc76a62053f57360
SHA2562d545077c8f554cd3f6d1ce4e55d2b820bffdda68a5f35e444e95dad3df4adf8
SHA51205dbcb571e229523d3aaf86051541a27e227d0f85fe2334efa91e09d9b2aa10c748210b93fa3dc7c3b7dc49a852d816ecee060c34e4c034a1acab401ab5bf369
-
Filesize
2.0MB
MD502ab1e39c4fb3e9b67f38e0bd220ab35
SHA17b9b7a778596f09eccf77445de80702e0a6c7721
SHA2568e9e8b2acfa1e502eb4daca6e2917dc5ef7e2cfb246844193e569dd72dac3a9d
SHA512df058dd7aebff1503a8755f8ef9ffb90ac4f8d2f64bdc3a3b126eaf3019ce265dc46edceb9613302f9a8c64a19eafa5a466e291c2e5fce0192990e6f20ebcac0
-
Filesize
2.2MB
MD54b9a795049d5a0e0cf87b98345bfa118
SHA13af64abf8fbfbb3c299602c0cbcc69d1c829ad85
SHA25647d99a78ecfd277627f330396b976e3a603183b507199871745cdf714b1bd7a0
SHA51253a3ac742c90d67706ba5dd33ea9de13d590c16846e194177d31a41e0878966df811376dc53126a1c45fc9135966274e4517220b0ad887aa38506a2528c3edac
-
Filesize
1.8MB
MD573b7c60d35ed61f86bd199515d4bd31f
SHA1cda0c25cffc6f3a78af3522ad9e21a3db52b5553
SHA25663eff086a74f6b0c377ce5405f1251fbea2ee1175bfc2edc114a77465b88d8db
SHA51265c1d065c065ac9fd48f0ade5fde174711c52b80458967489c91c5f5d5ba23933693a04fe4880f4216112f90a62eeb33e93012719a376641f8e5886b1863ea4e
-
Filesize
1.7MB
MD5b385e69490046561bd7371598bacc266
SHA195955663430e5fe6e5a14fdca22c031f65185797
SHA256f0407f33bec2bef0d16b7cf9d01a95de574605922c34556081d5274810b94161
SHA5129ba41d949098850aa0c7a8646b7cdb01126694dc27e25f02c0edf889bd3255d230bd3ce4404598ba46fb60c3b05e399426abecae4b9c1a8d42610b08c1c8f6f0
-
Filesize
581KB
MD53aecbe5c2ba0235d53f5280fde50c444
SHA1338a5110b4f6962d4115a660435198ad456c079c
SHA256fe4547addf3d2cbd810af4e06ad64daa4b11ee4c74841c23a712da9c543fabc1
SHA5128c2e4e398b42f40d768ab7c45ef4564d8a6dd392fbfa1eb8cdecffb91366322cc681b9447b25ae4dc6d2262513e78daaf4d15601075c6f36b62e7e89921c928d
-
Filesize
581KB
MD5f6bb837402b2a0d309daa2e81b427084
SHA112aeac25b26afa454101548c21f3b3020d917d03
SHA256c85d2c3e14e327a1705d5364493cf4c8fe53cfc81f620bb0c3a2f690b1f76802
SHA5120a72e4130987ec3bed3f15f430efb7fc2bda89e909ed12cfe37f97319a792fa1d56eddf69b3faa197a37672715abab175b2260902bff804747703f0a72ab6739
-
Filesize
581KB
MD59c7509785f09f10127ff2dd641b2bca6
SHA10bc0e4fd8155e5f61b9e14f2bee00e7846f208e1
SHA256b0dbf1738e4dec94a68e32609f6cb844846cd73f0e3790f45f255a07f82dc699
SHA5124493ada47de282ceb80452be21615206c9eb4e9974647c31618d9ace80832cf670bb8938f7ebb22a457c21db39f1ea5bcece0814ceaa5f7361a54d3eca8df48e
-
Filesize
601KB
MD5c7d8e64fd936a8fd9de4db85e9104513
SHA18741ac22b31ed410488ed26fea79666495adaab6
SHA256086869836a5d946b0d37576357235ee21df984884b1d3833c1caa2f039f77527
SHA51267f76e1939f38160ff32adc27c441afbbb64a419d32f7746448148da8480cb2c39c923b84f18164f2315c0f7b7107bc220bb8d5eb33097b560a74c2871e03d4f
-
Filesize
581KB
MD5deab76c3d6ab59a752d7cc61d96b2e06
SHA14d216805dd22d20969c1e9facbaa8831df5dbae4
SHA25675d96962a6deecb1476384bb7ccffab7c62efb366d90a2648adf647089542ec5
SHA5127e43df511875a2a526a66d707c11689590817a7ea7536bbdb7c65397940bd34493bd61e2aa0cddeed625ee36cf44cc069fe261bd503635079ef17517aef4c2c4
-
Filesize
581KB
MD54afac8c5f528bf86edcaeb82c72e79a8
SHA12f466afe585060f88b757f80c6f254923661043f
SHA256232b262f2feebcdd185a61c25ddf11c5a226cccad18962f104c2e2b82c4e4643
SHA512593d6ed4f2956390c7cbd6038be1d6f679adb18876c45b58843b68361a88fde743aed1e304e2729bf3d90fee3ddfadebcfedcb612839512cffc73aa65fbc0108
-
Filesize
581KB
MD5838567db273a6bcb8b1a35662e55e0e9
SHA15fcb48850263d7c1ed91ad13107b5c0a5e4f7a6c
SHA25690a11bc870a1403ba4b61ecb49fe20e4ef06955d451f3d1190900b745dc42cbd
SHA512e31f577cccea12b1105d8e9df1091ab0d595191e6252ef54629585bd2e19cd2ff38ce1f753524f5f7a1d46d60b2c87052618c4a31208123a68d1d69d64877bfb
-
Filesize
841KB
MD5e44f1579d66d54ffce026aafe1ad64b6
SHA10419e464f313ccb0d2d4e9277e3f053c50759517
SHA256df55477dac1fae7ed5de5fd113bac960536bf90183340e8c24629a1043e3c14a
SHA5122f2517718909170348fa169ce2320d48f6011bce7e639e7c46cb62095e5c36d5a24f50d3365e824f896ce1dd5af9116d6a38ce32cdc6eaa09d6b85f46f130ef3
-
Filesize
581KB
MD5e074723d970bb04ed5059a544579a4cb
SHA18be55e326d22afa12bd9fa66d7c8274ad12ccc8e
SHA25673b2a122df36fea00e28b31a37973f30f4ce073529d7b3b645e2ccc214603135
SHA51266856404ed7d55bb649a2f2ce2e2c3bc875f2966d433cad9b019009bfea883d20b624536cfaff2578ee07d19811659ec257de44ce697fad791cf77eb01b984e1
-
Filesize
581KB
MD54b741841af26a80de55ec6192b671ed5
SHA1d084cefafb1ba46ee4f2f747f7a5d7b80e5cf74a
SHA25639f5913ce165ab23787ec5c63207acf0e86660f7ededa710841e763fc5e95260
SHA512b6502b15941118881ce5606a4f55ac40beaf2fabb7be3ceceb10aa2c552c6f06576eb8ec278c26412e00510646f22daf1779003685f89bf45845b03bf1c227e2
-
Filesize
581KB
MD5bc45b9e8ba2c2fac766ca905ea62adf1
SHA132686606d54cb1980ebb0aa204e02e8817bac726
SHA256f841f00339d36836f5ff7d49e5147da30aa6843c5e171f1cb39196d17d35efba
SHA5127c2a67673e3309143feb7b4c4e86f2a5b83adf514c62a1e3196c1696375ef7c32b37eeeb79e2a85d618761c72ce4c1caa6791312ef0ab17659de3e35940c9e40
-
Filesize
581KB
MD5d9375917faa7b0009cb8017e6c8b2fe8
SHA1439eedf69a85990c64fd369f4c5af64b9dbc21b6
SHA2569d445a157da34680c90c98c43a1c32027083c7345315e02e9506531384e48c69
SHA5128805ddff6232efcf06a70f2c02c7024588c5929044ba2121849c91b2fd9970932f683bc5846e5a392c95b24837d2be20deec4e9b634667e4429af46c87ef7a5c
-
Filesize
717KB
MD56826562f95530ff41bf7fb240e45ebe2
SHA1cabfb527ed3810285940a16fdccd33ed176efc91
SHA256c64503fbc1d6b31ff6efa902aefe2472af4d439199776597e16ce889dd6756e3
SHA512ad7d58c61f367ca4a9fd9f1ac2d0830e3f96ac4d5bb9de2583b2c820ffb87878242dd4989831f9ed801dbb9043a1e0a0b943ef4afcdeb3eb1dbdae2dd8064987
-
Filesize
841KB
MD5b06cab9842e58ec3a057f15a8b97f318
SHA124211089e9801f523dee3a167971397a1f8a249c
SHA256278dd32d4bac9b411431dc6bf5edbec8039087b38fb6e2b0439c0c15176f7c4b
SHA5128adf5872dd06fca4e7f8a3e38eb63e50180fb255a92ee43f9e0bfbedd5d0b0cc2520c4c9d13e8eae3c6c939eef4ad5eb55ec241ff07b39db6d20ad96d7bea895
-
Filesize
1020KB
MD5abb465e27772b11b445f3e18abd24e67
SHA17f69c424b94c81ee271d4aba4f48ede27830996b
SHA256b0506cbe9d5f3f0840fafd8282c34870457b2568c17834a7bd23da02d5ce8ac8
SHA512db9609413a9d2f0a6ae3fdb74f68f438fe5cb3527a6f7c60bc24a481c0a79f8e9ef9490800a141c507d1849b8ac0452b90cb104232187a3cb598a7a81c7233d1
-
Filesize
581KB
MD57faa9730590299caa048ac783eebf5c5
SHA199e70dfbfd91044adba02aa4b8bf1c2dafbf1a2a
SHA2564086ed3b6e3af4b1b07a1161074abe07c2a3a73a757d3e7ff3a52fd465b4054f
SHA51221365f9a077f492dc129430eaaf75492d539bd6b58ca0e995b3d6f3ba1f4986978c280c47547a33c83bb600d22b3e7141a1b3d93bcb990c4ae291d757a413474
-
Filesize
581KB
MD5cb710d1e4311f98c622f6fc712b715c4
SHA13ac4179df186532f4e2b325b4c1c72aaf390a0fb
SHA2564dbf80b7380f42830cd50f4e92b72fcf62664c708360136cd2bdf890536aa0da
SHA5127b731e73eb5e7ffba8f15adc596f842fbbab0e1eb50d6a0ae61d54bc5e599e67b5bab81da976c6efcd9712719ef292f08feb77c6b36fcf26c62bf933d73eb1ed
-
Filesize
581KB
MD59d3a6690602b206ab583d40b60471b93
SHA160c9f523faf933a1b68626f40f88afb76d424b1f
SHA256098e339af773677eb4308ef3cb7d04c59f4a59edd55caf4d8a3b13ce7390fb96
SHA512807ec1e65838b6c558d23d387d924fc9082d26ce2f0ab04ad2af0fc22b81c7c05af672608bb345d700a500ff307c0d9a12081ac8350444e9abff5d6e5abd8137
-
Filesize
581KB
MD5b8b140c897c79d8ceb0d01061e34e3cc
SHA17c284f1c599a00c7228237011f54938ad9a9d13c
SHA256d188d842add134700304d3b203e9a51e5552e2b972e81418dc0a74bab6d7688e
SHA5128d9a5f0c8ca6d22ff139442b8764677ac24a0d76367ab7a7c8579336041679a4526daeda5f73f13121e5e9dda9cb236a812124eff608861ae759d7cebf0fd69f
-
Filesize
581KB
MD5a361227d4aa6ce6eafa37e82d2cb1a30
SHA182b5b6fd38669d66f59d7e2b8c33807a92158878
SHA2569ad52454d020ecb0f20777055b97b05c2453b4bd96767758ee71afe02b22d5c0
SHA512f8307b4d83d857a66c8ed8553ea88eb81ba3c5762615610996480bf70a56fc53d765b589706410794737ec27db2b46544f1574e8390c4f0f41d9bda23ba090b5
-
Filesize
701KB
MD5a44255105f8c4759fd97bd215e008782
SHA11991d8b8234d9c061cf60801e28babdb9fe6f52f
SHA256795f47a855d2590051d0131a464f1a51947efdb4f55cfdfe785900a28d4ba492
SHA512d1cd26a5f3ac2a793d93eadb60e6beab9eac5abde79bb809e9d5a2c8be3b90fae293ce21b972c47ac52e3a218cd65925c4ee850e399109f3bf2a0a3a3af0b2e0
-
Filesize
588KB
MD5f9d4922602bbdc1341b43ac28990d2c2
SHA12820b422804c09471e1a16741fd36ce28d512c3c
SHA256f17e518ce1feffc5598010baf6d640f71d3c315605f640fc928f075ccba27dba
SHA5128fc89f01727ae01387be7804a6286e321f2c749a5586bbfe1109158a2bb507e7cb5b6728e9abdd2371ff8f9e08d34eed75b040e511572073b4a11a2dd6413fe2
-
Filesize
1.7MB
MD53346cacd92e41a50a9e1de096637738f
SHA167909c4aaca4df6a2bd6e340edebdbd0d66e9a65
SHA2568fde7a961c347a2d87750fe72cfabff9bfeac10f20eea0513a588f3548473656
SHA5121ff02c2620a03ba295e468435d3fc4b954740aca2d544516c0e1a8343d5284b3d756344c34740990087d02d0499275a744ae9f05464df49faeb373388f6ab1cd
-
Filesize
659KB
MD5cada61b94370cef478bbd1fd00761dcf
SHA19b6bbda1d9d0adf0f95d94df4b543c31f0859ab8
SHA2565ab85ff9ca45c78aa18db57774154e9bd4d8a8c82b58e980dfa5c26fa0a9dac2
SHA5124d9dd2cd3e18c5493db191c2ed6fabf23d48f40daecc6dd545149fb682f81e75a953963e1c62bbbf9e65b75df71dd89977c7be4dcfc8d5fa1aab56996d163573
-
Filesize
1.2MB
MD54e25a17b9a48693b77effe2aff983707
SHA1a55b2c1c09fae2af4c209c4def829c316b2bc035
SHA2562d2fe5b0b685287013ff92cdad60844f01981dfa58fd2a336aa48cc6bff1dc83
SHA5121857a1ddbe15fe16c3c76e3e38d4b5013393db2b0a84f3db4c412b17a238dc0de8c122ea0f6a03d2d688f060cdbafb7be502a85117b16c4ad4caf92f27e3de71
-
Filesize
578KB
MD534bbe57e6fc774f9e19aba8e72747550
SHA177bf05869860a666f0fab0418c05b6b640a2b0a5
SHA2568b1432391c27b80e2b34711bfb422d8f50f0ffc8210285d7576070b5e8cd5cbf
SHA51240d26e5aac8a4d41038c04128bf2c98e9fb5ebc0cc9c22b190f12f8b38d9190ad21f6324320229cfb6d9253c349a4560d50d461cb6f5b04beddf78e6eac024ae
-
Filesize
940KB
MD5b3a33cd73babc77299b80a499b90f876
SHA1860b143f4ac5e8d1950a6e5a9837b190223e833a
SHA2561673048cbf82874253ca0ff26b12eb5e4d7b7e64e2b5282be98d4702ee903dd3
SHA512209e58a7cc2e939bec79375723a7f6f44418ad910f650b714e15abce473411c25e7721e7d08d542f4b415ac72653d0e4a0a908e642cb45661878cfb0c60706cd
-
Filesize
671KB
MD5ce50711f58e1f1b6b5bf0c35a4b377dc
SHA19463540cdef6e5aed11f5ca96d5c14f228fd8f17
SHA25642604f74c4b6d0f77142da0046a61340c12305dc22b8e2c298ebc5d1f284b21a
SHA5129ccebc9a60324558e54f0619bf83dfe5f4be1cc9a0f294b9a963069a8db857d80d4f924dea4088706cb01366c3cb907dad6c1526fb344b1d25c9f335b59acbe1
-
Filesize
1.4MB
MD51ddc9948c12d8ea3437fb414f7c70709
SHA1d6128396bb8a029a419b4920e31ef02a4d794b59
SHA2566e33448a7cd2737499de7ae9b6b91000eb67a93b8a6994a0ac50ca24b7ea0e8b
SHA512aaa5fc4ec170ca4d7493f637a4a566df19b69744e4432dbe6ae4a81b18593531ef58f5e6bfafc9f7b2e2b93cfb2a92fca74dac9645720fbc932e69c1aece5ccc
-
Filesize
1.8MB
MD5304b9eb6ca1769dda69c966330d0ebef
SHA18c86adb050cb8de1f05b51ca7c163788e2684553
SHA256edde3ef36ed1c4367e13f0272221e45591355b88047ebc33375e71a141c490d1
SHA51284fd2ee9a8389f750f60ade290d158c9498a9dab11311867d360faefb88a57ec890aba60b47fb52b3bc1adf06f846fdac4988c6fb714a8fcdb0c5e55b84645a0
-
Filesize
1.4MB
MD53e8e7ccdf4d8b3c363b2c22737e91f85
SHA120b1fdc106d1053e871b7aed7de51a83bf992221
SHA2560a67cf727f089f9141f2b962023a0f14d3e229ae9afed1f59972b483d4697d5d
SHA51220ac5a3ff6853d5ee78624111f697cd69d297377b16b6f1c31e0d78f87f2eaea245aaf20cfe9f093b4f7e40eb2d0482759ea3729c16ae903fc1f625346df043e
-
Filesize
885KB
MD5d5095332f1f9f99a2b8af7fe8c2db621
SHA1e1e80d617b8e40ca979b24f5a960a76541bb6294
SHA256b90a88e3bc8f5e348b25a83568a7619d71493eff701ee1ff74e56bff75df4087
SHA5129bd9fee509cbe8a76b2e774845d5bb505c7b21c6702f1af5b7a119e4bbc77b6fb15033a6a47f3365d0a2a41a3c8f6ac058e5b34dc19a99358b33b3676a91bd60
-
Filesize
2.0MB
MD571ba46eab685628cab9959ada408e6b7
SHA10022a9d6a06b0703e3efcee8418dba7c73f4e9a6
SHA256fc9436b48cab716f9e823bd3d6cebc57fc3acc72b0a099b7473efca40c454121
SHA512612b74b50f4e37e2ff260ddccf7eec910b2a892fd1969f1c01f64305640f919926abc55c32efa607acf1066bba7229f0acbbc6d4c965ca5fea28b311a47f09e7
-
Filesize
661KB
MD546a132cd2dfa5efa8a3f1f35ee971aa7
SHA1a76306e1c95011d7d25205e9698e93362cec6f39
SHA256d2972d0dfad09e3a6a8308a43ed188e231fb349c7b4c5bcb619d7e59e268017c
SHA512c5d785fcd46b982c4880d944e1ad76af01062fa37773de1681efdda605ae422510fb6724ff7b4818c2d6e1db73872fc3b2034130a3f354f445ebc5b7d8a4ea07
-
Filesize
712KB
MD531f32296032fb53b2f590a97f17a1e0f
SHA1f81141f49329b89356db85197040b755ab831edd
SHA2564bf2afa836dfc2d0273a7b3e50373df853d36ce0dd2fae271c83a993f27ac6bb
SHA5122f44297b6da350effc0709f62a2d76caa07be25e23c5979b7fc4cd9a32c37b8e9ea5fb09c840853b92c80002453ae4acd49d9916da4f0cd09f55ab303d0c09ea
-
Filesize
584KB
MD563743b52093e130dc3b008fa7e34e399
SHA11ee7247304c75cece227b15a95788ada90d8dc9a
SHA256d06d2baa6f766c13920e083860bcf3b9c83cee6bd6fde8f52e44f81ae6c785e5
SHA5129a6dbb388e2030ee5f41b4832bfc13267184b00a4b7980fc0bacaa37656d088222da4954a425a91cb997e268be3008f5cfbb0b9361a67b48025e2ffe7ff915c2
-
Filesize
1.3MB
MD5f035560a56a9b568c2920b741e523b46
SHA1e42f0c6fd3ea6260ff3456ea04cf53d5d8aac5d1
SHA256b1d4fe1d0f78cc6cfbff040e7719c31e2993a3a909d762a064b9aa9fbb93cfe9
SHA5129902d80bdbbf2770ce441636670cc211ea62e6f2f6ca4e44b080623eef89272dd7fc0bec226c066b33271930c7b3cc52e5c56d37710a7d37ea40c5a1f8218ca4
-
Filesize
772KB
MD57a9558e4552c319cb9d29c29dff1fe2a
SHA1b4c922feb31fed9b2bad587532c313372ab60851
SHA2562489c62ad84115e6a73dcf19b820deef4c756bf4152a8f72161d8014ea7f433e
SHA512b80333199f802bc6cb271359ad7cf05894949e7d9014ad8cb416b49e8c9bba5d7ea791d858839b64f4f2c4545a90a5883c66150b213741a7ef02b1043ed9afa3
-
Filesize
2.1MB
MD57c99650e5e50fdc7f760ec2a3af996cc
SHA1f6d76eeb6f77ecdaeefb3eb2134c12bfa9579874
SHA256d107850f29cacc7cc6c26eb3ebf1553b3f4c8f1b120e8ab961d679cb92aa1781
SHA51248e66b935fc27bd66e960d79f97ae67a73d45ccfee0a4cf101730f818b7bcc9b2fa013786333b329d53b068a191e14831aa9000a781b12cc85b97b5bbb4521f3
-
Filesize
1.3MB
MD5384d959e8989a9d93783b31e580693cf
SHA1495dca60c9799b19da1624391e3a0f4fbab993f6
SHA256f9a521d492a9dbb32e5b5027374512d9aba0c526576808d1b3d84f811c8076aa
SHA512935aa58d444fa15176e88be6fc886f105b2175d8c38e5768e70988e2e79bc8000d2777f4130c0173366871403e405317bef1712af089478f2c9e21cf1881b695