Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 23:38

Static task: static1

General
Target: 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
Size: 6.0MB
MD5: f279e7c3ffe12fa05f9d2272af342f15
SHA1: 3263d06ea5a59011d9dc19a24a05df0872322c47
SHA256: b7e245fc19d71a5970363fde2bd8c7cc68444e8315b60b8816ddcc8559ec7fd2
SHA512: fff02a604e0428659b697376fd6af3cc10f23934580753a76ef98f86cc09fabd2b855ea5b17b977fca0c66d35a7f9dcffcfe181df04adf0975dd75736f67c189
SSDEEP: 98304:h5u0O64Zx/nIq5j4EerYR4tCZdNh+mv5:0P47A4k1

Malware Config

Signatures
Executes dropped EXE 22 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, fxssvc.exe, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | process
4028 | alg.exe
2064 | DiagnosticsHub.StandardCollector.Service.exe
1196 | elevation_service.exe
2812 | elevation_service.exe
2328 | maintenanceservice.exe
1640 | OSE.EXE
3152 | fxssvc.exe
1920 | msdtc.exe
540 | PerceptionSimulationService.exe
4944 | perfhost.exe
3380 | locator.exe
840 | SensorDataService.exe
4804 | snmptrap.exe
4368 | spectrum.exe
4376 | ssh-agent.exe
1524 | TieringEngineService.exe
4460 | AgentService.exe
2840 | vds.exe
1764 | vssvc.exe
2220 | wbengine.exe
2548 | WmiApSrv.exe
1276 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 28 IoCs
Processes: 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe, alg.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\c7baade9822cf6b9.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
Processes: 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
pid process
3556 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
664
664
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 3624 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe
Token: SeDebugPrivilege 4028 alg.exe (3 identical entries)
Token: SeAuditPrivilege 3152 fxssvc.exe
Token: SeRestorePrivilege 1524 TieringEngineService.exe
Token: SeManageVolumePrivilege 1524 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4460 AgentService.exe
Token: SeBackupPrivilege 1764 vssvc.exe
Token: SeRestorePrivilege 1764 vssvc.exe
Token: SeAuditPrivilege 1764 vssvc.exe
Token: SeBackupPrivilege 2220 wbengine.exe
Token: SeRestorePrivilege 2220 wbengine.exe
Token: SeSecurityPrivilege 2220 wbengine.exe
Token: 33 1276 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1276 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1276 SearchIndexer.exe (24 identical entries)
Token: SeDebugPrivilege 3556 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe (5 identical entries)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description pid process target process
PID 3624 wrote to memory of 3556 3624 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe 2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe (2 identical entries)
PID 1276 wrote to memory of 3200 1276 SearchIndexer.exe SearchProtocolHost.exe (2 identical entries)
PID 1276 wrote to memory of 764 1276 SearchIndexer.exe SearchFilterHost.exe (2 identical entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624
  C:\Users\Admin\AppData\Local\Temp\2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-07_f279e7c3ffe12fa05f9d2272af342f15_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x280,0x284,0x288,0x278,0x28c,0x14052e7f4,0x14052e800,0x14052e810
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
-
C:\Windows\System32\alg.exe (depth 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4028
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:2064
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:1196
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2812
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2328
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1640
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4524
-
C:\Windows\system32\fxssvc.exe (depth 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3152
-
C:\Windows\System32\msdtc.exe (depth 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1920
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:540
-
C:\Windows\SysWow64\perfhost.exe (depth 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4944
-
C:\Windows\system32\locator.exe (depth 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3380
-
C:\Windows\System32\SensorDataService.exe (depth 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:840
-
C:\Windows\System32\snmptrap.exe (depth 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4804
-
C:\Windows\system32\spectrum.exe (depth 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4368
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4376
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3796
-
C:\Windows\system32\TieringEngineService.exe (depth 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
C:\Windows\system32\AgentService.exe (depth 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
C:\Windows\System32\vds.exe (depth 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2840
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
C:\Windows\system32\wbengine.exe (depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2548
-
C:\Windows\system32\SearchIndexer.exe (depth 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276
  C:\Windows\system32\SearchProtocolHost.exe (depth 2)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:3200
  -
  C:\Windows\system32\SearchFilterHost.exe (depth 2)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  - Modifies data under HKEY_USERS
  PID:764
-
Network
MITRE ATT&CK Enterprise v15
Downloads