Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 01:24

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-08_7e5b3ad9f45e4991d770b52250fb1c78_ryuk.exe
Resource: win7-20240221-en

General

Target: 2024-04-08_7e5b3ad9f45e4991d770b52250fb1c78_ryuk.exe
Size: 2.2MB
MD5: 7e5b3ad9f45e4991d770b52250fb1c78
SHA1: 0dde3d27166c5e8def18f55ddef43cfbbdadad7f
SHA256: 29fa49903d56817804fc895b0ead30c1380f966d6ce58c70a4562cc4b2fb0b0c
SHA512: 73e3c0c565ba7567e03b333539be9a928f1205357a20d7da6ee790b9c191b0bb6ebbb34721a7e3e7d29b6c19fdd5ada7bfbf7ca89c41f571913387b4706c2e3b
SSDEEP: 24576:iOObVw4TaN1wdkukCba4oXtgLhU3wEdmh58zBgDmq3CYCLd6cwH4n00n8HsoyO:iOOh3aN4kuLbegmtGyeDF2dOYn0uPO

Malware Config

Signatures
Executes dropped EXE 22 IoCs
Processes:
  alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, OSE.EXE, msdtc.exe, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe

PID | Process
3116 | alg.exe
4512 | DiagnosticsHub.StandardCollector.Service.exe
4232 | fxssvc.exe
1212 | elevation_service.exe
1360 | elevation_service.exe
2468 | maintenanceservice.exe
1316 | OSE.EXE
1724 | msdtc.exe
2980 | PerceptionSimulationService.exe
3488 | perfhost.exe
3624 | locator.exe
2044 | SensorDataService.exe
2228 | snmptrap.exe
2264 | spectrum.exe
2608 | ssh-agent.exe
3716 | TieringEngineService.exe
3444 | AgentService.exe
3680 | vds.exe
5016 | vssvc.exe
3360 | wbengine.exe
2400 | WmiApSrv.exe
1472 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 29 IoCs
Processes:
  elevation_service.exe, msdtc.exe, 2024-04-08_7e5b3ad9f45e4991d770b52250fb1c78_ryuk.exe, DiagnosticsHub.StandardCollector.Service.exe

Description | IoC | Process
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-08_7e5b3ad9f45e4991d770b52250fb1c78_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-08_7e5b3ad9f45e4991d770b52250fb1c78_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-08_7e5b3ad9f45e4991d770b52250fb1c78_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-08_7e5b3ad9f45e4991d770b52250fb1c78_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\5333bf3212d07ad8.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-08_7e5b3ad9f45e4991d770b52250fb1c78_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
Drops file in Program Files directory 64 IoCs
Processes:
  DiagnosticsHub.StandardCollector.Service.exe, elevation_service.exe

Description | IoC | Process
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{90C18CAD-5F48-47B1-8376-0F604ACAA84C}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory 2 IoCs
Processes:
  msdtc.exe, elevation_service.exe

Description | IoC | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  spectrum.exe, SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  TieringEngineService.exe

Description | IoC | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
  SearchProtocolHost.exe, SearchIndexer.exe, SearchFilterHost.exe, fxssvc.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid Process
4512 DiagnosticsHub.StandardCollector.Service.exe (7 IoCs)
1212 elevation_service.exe (7 IoCs)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process 656 656 -
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 2148 2024-04-08_7e5b3ad9f45e4991d770b52250fb1c78_ryuk.exe
Token: SeAuditPrivilege 4232 fxssvc.exe
Token: SeDebugPrivilege 4512 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 1212 elevation_service.exe
Token: SeRestorePrivilege 3716 TieringEngineService.exe
Token: SeManageVolumePrivilege 3716 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3444 AgentService.exe
Token: SeBackupPrivilege 5016 vssvc.exe
Token: SeRestorePrivilege 5016 vssvc.exe
Token: SeAuditPrivilege 5016 vssvc.exe
Token: SeBackupPrivilege 3360 wbengine.exe
Token: SeRestorePrivilege 3360 wbengine.exe
Token: SeSecurityPrivilege 3360 wbengine.exe
Token: 33 1472 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1472 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1472 SearchIndexer.exe (24 IoCs)
Token: SeDebugPrivilege 1212 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid Process procid_target
PID 1472 wrote to memory of 3100 1472 SearchIndexer.exe 124
PID 1472 wrote to memory of 3100 1472 SearchIndexer.exe 124
PID 1472 wrote to memory of 3008 1472 SearchIndexer.exe 125
PID 1472 wrote to memory of 3008 1472 SearchIndexer.exe 125
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. For a ransomware-tagged sample this signature deserves follow-up, because tampering with shadow copies removes a recovery path. Note, however, that this report records only use of the COM API, not enumeration or deletion of snapshots, and that vssvc.exe (PID 5016) itself appears in the process tree below as an executed dropped EXE rather than as a child of the sample.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-08_7e5b3ad9f45e4991d770b52250fb1c78_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-08_7e5b3ad9f45e4991d770b52250fb1c78_ryuk.exe"
Depth: 1
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Depth: 1
- Executes dropped EXE
PID:3116
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Depth: 1
PID:952
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4232
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Depth: 1
- Executes dropped EXE
PID:1360
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Depth: 1
- Executes dropped EXE
PID:2468
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Depth: 1
- Executes dropped EXE
PID:1316
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1724
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Depth: 1
- Executes dropped EXE
PID:2980
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Depth: 1
- Executes dropped EXE
PID:3488
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Depth: 1
- Executes dropped EXE
PID:3624
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2044
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Depth: 1
- Executes dropped EXE
PID:2228
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2264
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Depth: 1
- Executes dropped EXE
PID:2608
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Depth: 1
PID:4348
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3716
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3444
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Depth: 1
- Executes dropped EXE
PID:3680
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5016
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3360
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Depth: 1
- Executes dropped EXE
PID:2400
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Depth: 2 (child of SearchIndexer.exe, PID 1472)
- Modifies data under HKEY_USERS
PID:3100
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
Depth: 2 (child of SearchIndexer.exe, PID 1472)
- Modifies data under HKEY_USERS
PID:3008
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5768090a23f960723813e076537daa92c
SHA1389d9f40247af8743dcb2282426801617769ac6c
SHA256678324a5894146792a645de40dbffc0da51324be9376eb731fb7f9d97cc136a8
SHA512d9815a7358568390e1e4f31b182372120b4f7ab52029363612f6695dbd1982a8f1e6be03d4ff8cfcf92e4826998e18777919282ed7f9d18554bfb6aedf75f701
-
Filesize
781KB
MD53ed98a8d5c19b17998fece3b3246f9dc
SHA134b078ddb89a691d3d3c16c02c76afb3890b98e7
SHA256db8130afac90b3ba9e391e0fbb2e61494dc171ed71fd23ae78b6720968780d75
SHA512a8c80497861840537f785df7a1b310f1e10256b16e1d90eb2bed7d3099c99c8906f55461b8cbb31a184fc5c7c98d033ce2e2a457e5cf262bfcc562ee7f80cc93
-
Filesize
1.1MB
MD59c3eb8e90d81a1b480f39fff4dcc974a
SHA15eea063946843e2c32de705a689e09808ea25f80
SHA2565881c2a3d77ab743f6f8ecf975064839ae1cf12a37511cf7fed904b0f07003fe
SHA512dd14454b7e2a80b814290df2b78e9656f588109098d6a32a66911c651c392f14b4f5249e78be88a8f23f5188ffe72812691ad1b9e2bc90ab29959706ecd3d7f8
-
Filesize
1.5MB
MD5d790c7d8dd7ff93d4fe9dadcbb52ff00
SHA14f8ca47644f0005e3381b1d97b1616485805b8d3
SHA256849e54954d7a2fa4ea7fca1fd58c8ac51350bf8c889a3db3650758ba9286a9ca
SHA512a8d2b08c8c637360d4a79a89f815ae30fa671804111875d0bf3919df16ea9525f662fbac9c5497c4c44c2faddc52d19cfa2b0ffd86f3e53339c45a8442339292
-
Filesize
1.2MB
MD51f388acdf1f24c7ee70db6d51b4a02d2
SHA187bb975e6a127d066b8332e61a8ea320c6fc185c
SHA2566d085d0d5bb0126fe6c4f59d4a923f1a86dd5effe41450f173cb54140ca96946
SHA512ed0887b081afd743bc9387c1c3a29dffdd0c4899181e1f27dc6d5a9985aebd8f0bf3a40b436164c8c23802999acc2347d904414d8c733761e22658ad743af3b0
-
Filesize
582KB
MD5dab7210c87e11a3fa1cc1623c215ca9a
SHA13f22602f417600731a7f384d57e309791f89a644
SHA256e737b4174751c45f50a02b7e63194ec724df0a0b5c603e60bab376612c79172f
SHA512d537ca11375e5e2b8b7fa5a005819bc634054cfa12209c35341ceaa6386c6cc95dc13bad24504787e850659a6adcfac47d971153bb0ea39919dc148a2d20631a
-
Filesize
840KB
MD5d21e7606063cbcbdda4179fbdb1bf1ca
SHA17a2d63767598fed6f90abed2d2042c8ac380e7b5
SHA256c61c477c217fd8192d64dd48ce41c666be3f610edee3b569ff5a9c58779d2c03
SHA512ced8c770eb29fc386bdfd8d384662fc63602800f8adcc8eb3210e31f07c37b2cd11e5d7a597f0f999f217207dc53ed62b39be00d24310cd264267c80d3899c04
-
Filesize
4.6MB
MD59b70432bacbaef594e1d5e1b20753fec
SHA1d479557f5dfbcac1101796b6e08fdaae746c49f5
SHA2569b714d2fdee42f4ffcc46c2736f8613be0e354c6f2211b4144f6e15e81aa22d0
SHA512691cc4f181d328b54749df56607e0c0dddf66784d2dc8799ad62caea51df8bb96cd75aefd4343304c6c738580f5b29f47fc28c57f80a2b56365c08622e0596cd
-
Filesize
910KB
MD5785ef6b7552e30d70bae0276d15e6277
SHA13f6470e60ebe323803df1f31cf9c73daed6fe590
SHA256eb13d7cd49840cfc236a209a886caf29d9894abd17e43bf530c46984046b5c0e
SHA5120f4477420af5cc9a1c5fd5b68c7e095bffe02bf3cb02dfbdc02af7401912e05ef2462ce02417e98c2a9c587e36efe969483399e77d9e35eaaa94c744aa59cbef
-
Filesize
24.0MB
MD59a31b2cd0a0fbcbe009d9f9cc8ad3e12
SHA15a17f51c68bb1f1bacdc9431ccca56c32208435c
SHA2567f52ae20bb3a7982d0bbdc2e96d43b34bbc0ec41f5d2df9e887f64d5b94bc0e2
SHA512201eeb12078528b2d62bde8a91a67690ea8daf154398d62714e0b236e17d64a0d201258d5878e832a644d0f43edd74cac8b02e63668017305bd984b89871076f
-
Filesize
2.7MB
MD585a32a8a08b897c106162f539d63140d
SHA1f20b20d3094a6885d65fc6d06aa9734e3e811d1e
SHA2565d2f8f929277443424b3da2e1cd1ed6d622bd95a2a1a5a2f4c8367ea6e028587
SHA5124c5ff0bbabedae469eb7b57924d21922ca5c5151421ea6cc89986e455ca9579d532865ec8603c6aa7c300b5178daba341451a9f3a074f258da87b954cbe081e1
-
Filesize
1.1MB
MD5055b0e4a2b0fbe9ae1b48f5729fd5ffc
SHA19092a3fccc67d4624271ac28479fcd26e3c62efb
SHA256724dee80fd462e64cc5e98425c788995caf8d22a5fcfb5fa9b26562db6afa890
SHA5123f088e295ee2977cade2d5987b155c068253e4c3d0176e22436d29e7e2ccc3f2756af4ac784230dcf2bb9d07791573457ce9e96c9cbc94db0389c45b16328986
-
Filesize
805KB
MD5e14af062a06a9cc511bd3a5ea4257b23
SHA1a7b1824390be2fa2f4e3a17c6350eaf2b9c55636
SHA256290ffc41121df57a389b4ff38582063a2a10246079bf086608d145e61f1b4d53
SHA512c7d4ee64e504e53c0dbfd335b0ea56cf68eed29bfcda9199b796de140e20e46aa10f4fb02d38f39879c0fe841b83a89b8a6b0f2aa681be17cb7313c3ab31c764
-
Filesize
656KB
MD52b1ec19967be3e2b4109d6c06c57d5fb
SHA1773c8d3207995f0dbd9b7914eb0fc0c0b29f6ac2
SHA256bff9857a3d25dcd3f7bbe12dedecc28b9da1ea612c623ec6ea34a23a7150b77e
SHA5127714d4345ab704a7fb9110bdaa2ea62107b6df3de236832eeaef5e97468a16001e8b146991e9525e35d9bc10dae6934ebfd30de29ca7704192486e773d76382d
-
Filesize
4.8MB
MD5674d42f99b022caf25eaf123356c6979
SHA183bc1cf99d52a6b294f2d7d0b2808b5e117f5ce8
SHA2566fe99348296093f26a497bd1b49376bb6ea982da3166e765201d0ab375f3cafe
SHA5123359e84ab578f054181216843628e3f979132c0552cbadf903d2ce20e8eae6b8cb286ff8c4836640cf60384cb6e2f7c09086225b57c1b3fc0c55a50c0bf873f8
-
Filesize
4.8MB
MD542e3027d18259fa9ebeb0b4a470cf21f
SHA1568a6fad9c523a59394b438870428392ea6909ed
SHA2568c2415697f67b6ec7e4a0dafc719b69d1b303e352e537ff6d457fb2d8be6564d
SHA51219c823cd68ee147e0eb367372ad42702dd69e8ca112ea2cdb97e81910c4b12914044e35e48424a3c51a93d0eee545ef70dacf2739fa0a2c4d72586079052a270
-
Filesize
2.2MB
MD5414977e8fa3d7065c9d7242439752cdd
SHA1076db7df3d45b7405935a457b6d717464c734c01
SHA2561dcec659a78564107712762722fdf4d53c24ed87e7be4fd70aa9322fd2d75260
SHA5120e6595cdd272ada5cbe8a8238dde0f708b6cd5745c967d5441221dbd532dda6b0258b269c276b7ac6f28e7748891526537814d484a524d3cc2b545dff923243d
-
Filesize
2.1MB
MD5f96651dd590a984164ef212244b03fb5
SHA1d9f8858fa167b3d91fcee2498642f9afaa0268d3
SHA2564c1e4369de87a767a2c8b50e86eaddcafb967aeb5541d09fa7926b74cb1346f7
SHA51228ec4b24ad0ec7963d6995a24014a8997db4f236105be2bed703579ae94488753fdebeaa0eccb8341d142bcf8abb831b31763640ef3eea44bf2d5d43beda9d2a
-
Filesize
1.8MB
MD511207fd5a7149f1aadbdc093b9b502ed
SHA102dd9153ca4c7c9d0e891f8bcc59a51b2db36827
SHA2565fffc501fe795cfccf5ff2adc2cd97e827eea0fca8a3c39ce5a3a2ed7a011317
SHA51207da4e4a045abbcfa926abe511365925a42ba869027dc4f2425efa32f0f0612896266a4f5c8c7ac5119f2661b3ab365d5c0c7f924a843499931a98ce01fc4852
-
Filesize
1.5MB
MD5eb4b66f0bcafd66c5b62edc67e881f87
SHA1b8804c33b758c84770f868f75fd34e17518d3a66
SHA2565d43cb65a72932e90c9e677714abb5c324d99a6a9072324595d22c5ba7ac8dce
SHA512969bd522ea21522532ffb8358667c5664d2ed3668971bbc19f0820e4c6692fc4349a1707e181f3c2369ca5072e2e4969a4f864821d574154ce3c5798731906ff
-
Filesize
581KB
MD572dea0cb7203dcb4f521b1c7ea8fdbd5
SHA1879e3a8582ce853c605521599cfc106f0183dce7
SHA256e51d74eb57c3eccc63e83fa9a7bffb3f91576124bbc8887c271c45f03ba864ec
SHA5124519aed104dc37ff1e23e8dc700e0a1b512429979320c7b34999e9cbaf73fe3fb8e2e10d9df3bbb11b72d0dd9a14feff68a2163acaa3b3e25b2dd3fc6294b89c
-
Filesize
581KB
MD54c883fdca460180afa4a47d9a4f759da
SHA16423787be352080ec6b196e0c0ec5ef605619301
SHA256be3eee3fc74a16b3011fae12842139ea0ebb542c1c555907cd55169a000b5b9b
SHA5123be093dd0d571ab247d064fa0f7052cacec7d24cf1308a35e2c571a2cce0e3b514c6074d5543dcc83f12175fdf4d7de05d867dc2b9cc467fb60895f55e14fc33
-
Filesize
581KB
MD5ff01bfa4464fceb083773465698d46c4
SHA1aae08fe19230c6eccdf4179faa4ee0774da1acd1
SHA256b3c884f2a0a83d62e32c3fa774896824d74928bc9dc8375e8aca275a2618b247
SHA512fe790a910cdc784f0643c1212bf9928a306e26e4122fabf3f07acc315aa629496e7f9194d3d6f9b50afa5817a853415ab064fdf2a95d27146ccefb6bce77f3f4
-
Filesize
601KB
MD54e2299083a57de11b73d487e4d3d46ea
SHA1d7a9667dda96f7493eb2e57bf3af07b4596ed781
SHA256e85c81da74318f75de60a33835a8dd31fa94bfca2c15fd5cf4f29b82956a1eb0
SHA512433a83a21e60c1d61afe2de3650a75c76a1606f6ad28c14aac8f1e4117e9c5bc086eb54c67a950402a9633ded3ab6526ab1415db7d0bb5e7aaf2d3b621815ec2
-
Filesize
581KB
MD5b63607eafe194f30d958f348984cbe30
SHA1040c343dd42c456d17c5372bbe64620effb8c201
SHA2561d980a5451e385af818e6aa6cf7f929e8c853f9a1d77500a91c000ee0c1268c9
SHA51251e2412a9440b42ffc24830750d8f62fed9df0e8cc940f723e87b74f4d55b5fc3fd9fe7b0a31cbdf7109db2874dda595ccc736982e35546e4e5c56fb734c96f8
-
Filesize
581KB
MD5c7a499f825ada018679b3eec5fd53ea6
SHA10517a387aa8c8ac7043b68caff49ecd58b811afe
SHA2563504031c0ac8ed3ce482ccd094f98bf891c8ef7d0d083d4388d75946e15e274e
SHA51280369cc2f90b36ba062adb175e6e58a53691892f883ae7de30ede24f7ea3f6a288dad1b5309a676bf1495792090de8c2eb7f04bc369ac2e780fb5a82b41fde75
-
Filesize
581KB
MD58ddb16af3748477b0f2f25cbf52d9808
SHA115872a0c1f58cae55fdf0993de2edde3cd97e4a9
SHA25662cac5af27437c7909ecc375f716c6dbe673ab5ddd18a3626e8aad7c828cf2df
SHA51260bf1befa5a03c07e0ec290a7c8466089f1c432bd3806e4ce5371fa31366d88404a774048d5ab6ed023910c2eabf6cf583e4c64bab44f5bff0dc2c9784911370
-
Filesize
841KB
MD5b308ba08d0349b5c0a97aeec0c3cdf73
SHA15517865835fbb45e84177a6ae286207888f733cf
SHA256aacf91fb18e810e361f3ec18c7d703a9c1e9d5dbab55bb4ee3b7c81f7312fdc7
SHA51215832ec85dcbfa06dbcbd219747a527f8fcaeb5a172835c6a22af97f3dfa5d0b2e196b413c6d3d58bf347fc743efd2c3274f645e87445eecab61f571f02322f4
-
Filesize
581KB
MD503cc23ea46af5c57f81fe9adc2252e1c
SHA1b83469f8b48af05cc67e08952854623d07c56ec1
SHA25646784402babe0b336c92a51821bed53cd4b64c9e970f71e5126d9088770d396e
SHA51261cdd5a5179f73e977bc2a6635b90accebf87fb74191587be0bf899d105bd14349a13707272b822bddfc99a70ddd5abe147327a0c4251998c6e9cd85377b8fa0
-
Filesize
581KB
MD5e207042811e923a157b4b3432384762a
SHA196d5a1efb1a9f128307f4e50b1e3c22d0beb0932
SHA25647aa799df32ec537222b8a07937979b1e8ae10ac3787a93c1c093a3e54725b15
SHA512cfbef5343a9cc8550426cc203272f5e90e4e357fb289e5ad4e26d4f30aab0712c1846c454aa714793991dbcddc7bf4ca0d81a5150eb4ecb85a65e84fdd43b335
-
Filesize
717KB
MD586cc1ea67655623155a80dd73efafe9d
SHA116323f885bcb279fe9d66ac2517d733f5a12478e
SHA256affc6278b7fd74b0d84a68d1d28eda2f6777d59f75cc6628d8098d1659f28bfa
SHA512c3252c42e42aad1dc335145a92c5caa20fd3d1bd5d4e07958449ae049708e84a0c64c24a3d23074bd3593fa55f2e50ea0e0c357278ed74dc3947f7e30c5c691f
-
Filesize
581KB
MD59ab8cb0a21ce4d2fbf494ce9f5b3043a
SHA1549138b76574825cbc23d70ac2bfbafa59d3d99e
SHA2568bb39b35b66ab5ede7d9e8a26b4c51e3cfca26692714f07b8e6cde9a9505d818
SHA512b046f2d3e4645b2d3df8d04752d26b2478bcf83d1c4e82a2366cac081bb084c73730d42ba872c665386f2e9d2bf185a7f5610b5d2474ed0e4c250b9c621aeb42
-
Filesize
581KB
MD572e5f776238a7821ee694d5c6ac04c0f
SHA19a8a071dba4132517e9284de4695c5bc69719066
SHA2567ef82ab77b501248c84632631a460fedea66a09737803a9ef2f9768dd39a2829
SHA5123482a378ff6de09f775700ba45749ce11f9122122998699557b6eac4bf382778ab930c26aa1fbcc33f164a53f71bb2b205e282b83de98beb3febecd2a99283e1
-
Filesize
717KB
MD5705e051633446386a190d85530e89167
SHA1f3563a3237d1f8c22f4db66e26ad90895020c9b9
SHA256e42834df5e8e87b60b1b98dd8f7fe808fc6962c01e15a499369634e8a9653d9a
SHA512ad8635960d4c07dd21df24dc7ef7c94680317f06da021403c22e38a62136e548a22d95a1bda89324e800f9240baa758976765ad77ec8a8c631864e11d0141d03
-
Filesize
841KB
MD58d2e31c7b1d0bbdc3477d649242cb7c6
SHA10e7dc93394999bec19864fca0489f37f7efc9646
SHA25642c964d14adcfa14ce35741cc31c21492fb6a82a333f937e15ed0b837f63d0f6
SHA512ef450e6d7d8eb319ac2ebed69b16aceea5b933705eec682a773de5b67f93755696e1d233052df4c4d61defe5b4483b2ee746fe90b7dd38452eddc1f4067465af
-
Filesize
1020KB
MD59197abf222082266c46771c60f4a7773
SHA18dd94b264d6a9bf6052b0ec6b7ee764e4c6f9c89
SHA256bb1a47a8cdc869a2964eb362c2f213d6c3f92f032590d5ce60553388cc85d54c
SHA51264330b2fafcc0f126251263e57150eda17becc408e4775de50eef878b5aedf8f72cb66d5786525255fb33318c3321702b633cc147c70b82a0320539771a5213d
-
Filesize
581KB
MD598ccfab6b129222636ffced1f81fe55f
SHA1295b944d65c9c7555e5b5e91cdb84227a370a85c
SHA256260538f71a3dba1089f3c0dbf3efbef962922061c1440bb7b4cf1e0f2342ea09
SHA512887fd0d19cdf314f1f76b3f2070601e7066829ce99b2daff069ffd9f1cae62537ef41efd8bce17032e2b352ea6ddf1d0d27696323a77452f44147060f510edc0
-
Filesize
581KB
MD548a01e53957ae3f27965fb6c1ff5c377
SHA1f428176484f500d7ace818fb79eb46798de26fe7
SHA25693b69b3225878ca2232c3659d7e3caa7d9e3c5c6ddb1a898a4d21d49059f0308
SHA51254e06c31f3a5fbceb2f5dabbde23953f72d1dbb54d60b6dffac9e815a2dae194f4bd38cd4ec5b1ad5c774ce607baeeef8f0c59dbbeb35a36f085b3283f432ceb
-
Filesize
581KB
MD5b7f66f0b77abd757d0029d2002c0247d
SHA1ab4b6e9f233fd9d47586f6b7d69187197072ab24
SHA2564773f5772835941c4478915a704c66795f9213fedabe84dd3cf2540ca4df4ff7
SHA5121c2412fff4e567930a669d8b6d02adc463aa64888fce200bc97cf17b48fafb3c6c816ca2be3e0fd71e0763c5f48b564eb0e930b90ac6a59e08a60dc14eddc757
-
Filesize
581KB
MD585764ea39334149fe018757505f0193e
SHA15c6c131782412307b624f229aa8c6e49e8c154ec
SHA2561fee0992bd3a97ddc442270aab6369d2a4f9c3a503496252a7738f59880229e4
SHA512416d8946149800b371ee0fea1eb408d4d226ae7d4d4afe89c04e164a3a18f6d3a99ac6ecf61fe779413d5ce7e068a75d32906ee89a6c02454613b49c546f7914
-
Filesize
696KB
MD50c0bbb9d9602187400b1e21bb82cd640
SHA1e63242b703fcadbd826ab995e06bca1bbd111e7f
SHA2561825923f0fa9cb706c0150b2157311e5109b9e53fe13c240addcd1bbafba87dc
SHA5120240a3d958360ab3daddbbbcff1ff956d640091332747df63deba9dd6f9ec188e241a7f415d943271342208916f051b5f5b09d9ca07be8fe7541f0445df9b8d6
-
Filesize
588KB
MD55258af42ec503e2af7ccce458bccf8ca
SHA1634353cab126a4b5bedd7bda43170bc5e8088a88
SHA256b602f4fb7553ab4288b97a52616ce7f158227b02cd1107c3ed4d0568fd21ca04
SHA51201097df76004f817f60205f0623472839d59f22e9bd71d2a43c7f859ddd2ed7314eff8bb7cb831a39d78c5f1be8946400331750723a62f9aa1759466d9f6fba0
-
Filesize
1.7MB
MD523a254c5b02e6e5a2e679a8499e5846a
SHA1864c342b4d0db644f58951101eddd469acd559c3
SHA25692db7b7544658300e1b8bccfb8b53ccc3087d92da2526122c14cced90ad651f2
SHA51264059160913b8aff0bbce3dcbbd4c3143ffb503a5d42529917af82a29a8f7cdb862a3fd0057126715a95d6e23ffac43c6ed63ab21017125443c11247cb55b9d5
-
Filesize
659KB
MD5175c739fb0b5075629c7ea7a1cc8323a
SHA1d2d3e09a743aed140094ecdc7a056e69f9edbfa0
SHA256abec9cba87907c2c3c0fe29c72c3113205e7b7215079b443ea4646f91c7a6ba8
SHA512ea6b0df19ce841eaa79df96e0461291bc4b8eda4d181adab3a6ed9c57e1a2d6cabb622cc24c838f4061a88873f3b6dd5efac4be417c5827a4985b9c04273fb06
-
Filesize
1.2MB
MD53757b786bec00ce43d191e79edbbfef5
SHA17ac13f360820fc3ef104b1d52fbef2f5e721a9d5
SHA2561d01d5b5cc7985751257f39c278ec6ca2b2987f7f5b0085e608e706b404e202a
SHA512a4077b69ee140b0514fb4e3aa4498f15b6e2a049ea60c122d00f0f18706a25cd919c99bc8585ce439582062944ce6296d4a01153b046869ca1d4dd87221f98de
-
Filesize
578KB
MD5663121a880629509ca66c79a609d7c12
SHA12a1dc8c08006b4d9577309ff21499f2d51c9d774
SHA256e8d94e9d2fddaccd494c240ab63915e0dc788b52ebd34de7205402e111493fbb
SHA512bb7efa6776a40a9b1da1ae9c82891109f22316119e0a034841329d85ace3a97648dee4b84e1e7b99a593f897e7ac113d4e20f6ee4abccad6eb7abe80521e2843
-
Filesize
940KB
MD5e1de264e3feba6aac6ffb5ecce1f8017
SHA16ad647294e497fbe1157e2bcabdee31e2ba2f5d7
SHA25689158edca28d65ccf84e373688d646fc05c735c207f02bd82ab167cd36b8d0ec
SHA51205dc04d1f5b77a7cc60796e75e6ce0e57e209896fe206e94e9f2aebf2cd37de6d318812f85c2ae64251bb25e2c9c38f89e39141b8715b0f38620e089a72819c4
-
Filesize
671KB
MD52a50c928757b8b90f8033a7d622a03a3
SHA1dc21970ac524ac11b59bdf51afe269569ff5ff89
SHA2568ce02394f650e6b29106b755487f0dca60a1e58f8388f6365ebb3634367fbf5e
SHA512c4e884093703ce6cc0c39955bd088409e50edb2d922b6fd45236777c352fe7a08bd2429ae6688f40f523affc130a45a41d3943a72162c13dabdea388663908c7
-
Filesize
1.4MB
MD5b2f0e98eb65953e4fc5288580f90fa9f
SHA10c903b6d20fc5740ec05b133a81b0430a7c45db5
SHA25647a9b8de92645461d059ff72e8187be8eb963e4b5a40ab03ff276c61edb6edfd
SHA51209d494c3e87b3f1885ff7279ae81c93b6c6f1762988624378f50c1a31e16719d140e930fc3f537306aa1d1ae3dd5518e2d41fc6956082b0ba4f10ff984afb6df
-
Filesize
1.8MB
MD56c9bfde08af427a612d4c2459551d490
SHA19f43981baa2878d89090d6d3ccdbb7464a3b2f14
SHA2561672e00e202377183844c0b8db6439ee076e59c3c23714dba0714bc47996cac0
SHA51280580ea0db75758c111a87c0e60ee518f9b9f790b2122b989ac01b70a8a0c846a3ba242930a9ed431fab567cb09b2b31aa0783846a7c243028b23622f52e0b4e
-
Filesize
1.4MB
MD502456f19c8697e26f7edc1747812942e
SHA174fc0deace0dc4925308716a716df23f1beefed2
SHA256fb28fc9af99097b09c8e3aec770afc832ce75e814699e577d60cc6a7f31cbc2f
SHA512b01adaa92eaab3a08f722a04b23e97def056790c319bf138c5fcfb5ca2679a55f0cc68e9eab72d493e0b016b2026eea4f8bd6929465bb3eb8b4bd7f4f53fe798
-
Filesize
885KB
MD5391353e6d1cc4de9c20715bc7b774047
SHA1845accd510d8daa4ec69a9f3e922578f5e6f3c88
SHA256b09e4efc327bdd8d4271bd5bf0a07e5a4f63703715d342df1e6259235d146e83
SHA512b87c725eece39c2b2fdb5f05e69b2653cb412cf92d9b7bdcac703058bc422e56ee2c4c202920cfa989a5bfdffa4613f8a2aa6d1ec5cea39433a6f74076822ce1
-
Filesize
2.0MB
MD5c2f7f1b0fcfed04cdb004c47d653e01c
SHA118ef2ecd4404fc001f8bd2c5d64e3df558847519
SHA256609da844a9b19a912cfc79f882d71623c92fb68329cc677511d2b5cb33d71e55
SHA5127eb91b0190ec6b61967675be4d45863b3dd8d3de89570c11b4000b18b711f37048e126d889fb50d17d10b90cc94c0a678f00d91583b9f653ad7a1e7985b03112
-
Filesize
661KB
MD59ab24018b36d8aaff086bd8906a19f72
SHA1e2f73c5f189ae89c768be76413d740cb979dc376
SHA256ac587ff62a5a6f0333681b76931c9293f59967995af23a3a2ed7df2044efc78a
SHA512524f8fe87ae3c8b762b9e695b7a6f7b912166cf244e7f0977e6be6909a21c8774a053e0a2ddc670e742e1751c4700acf6f40c74c31bb4c386c3059d01ae4aaba
-
Filesize
712KB
MD5efafb8da67b608f93eef68e97e1afaa5
SHA1e2f75ff4723a0db5cc739c4625c2424f0d2cf0d3
SHA256ecf6d2d40736bea459d782658ebc9e0929057d3e56a6d4b0543604671237d7a1
SHA5129db07ff7b54b84c06419f479fd9827c163c0c639f2b91dd89a5b421f0a46211d2705c6ec5ce7954c2f74c3f861fd9612b702a09734e2e1fe4399dd6acce26e78
-
Filesize
584KB
MD5af07655e978ba347d26a128b906052f0
SHA101085e4c5c2a95aa77a71f318c159bd882161530
SHA25680fcc84777fb0dcf23c085bdf03f7368a4bd0ba4e1daf79643e42ed89f3a6f04
SHA512cbf8ac4817da4f726039e8737a28b1dc932bf011f601289c0804028e820685457850e79be6b64689cffab71839fa934bdac0669b0f78ad95f1fd3caa3044f070
-
Filesize
1.3MB
MD57fcf92002f0ea99ba616b23f7d46406c
SHA1a76c1d74a10daf382f5dee2c47b4776f79647485
SHA25645fd43802da87c81fcbfee1f37cbc8a8bf201174edb79be9adef1c7b71ea7c14
SHA512abd7182bd946472b0a5dd024fe88afcff67b21a742d8d229b2c5605231b449ab60fbd241d017b3f29ce9478c954d9025f5a700ec8e00eb367ab3e55f244915e8
-
Filesize
772KB
MD546fa23e29d462b937fc98e3209bfb288
SHA12b2c373e57f3163bab63208f3f0503196a9dd8f5
SHA2569fe20481045a11c926b4f919c50708ff79d8184144a9be0e85744d27b7e052d9
SHA5122b89884d09f432841f63794876351efb29c7d676ef30e4c012b28978e3ff62309214e8e12f03ef3373c56a4258ba238e18ee1bc153b29a557bfd9a501ceb7f9c
-
Filesize
2.1MB
MD58d26bd11194ea9695c48d6bba63043d0
SHA16db869f41ba5af11cc999c62049fdfa64f020f67
SHA256ca84e3475763fb593fe3f9753fa2b3a6d7c8c61d39c43e0775237a3319c276fa
SHA512ee47b580ed9dab5e0c5c13b2978e9e7a7fb4be9cc563b1dc698fdbd483377240be6386ac944f807e1c0506a90eb1f24e5ea1f7b9f89bd2a72280d698cbe947f7
-
Filesize
1.3MB
MD57b986adc374b9701b2022149133681f9
SHA13fd806ad38fd4f710f07ac1c51e9c13bb2a83cb7
SHA256804386f1b93514c0e2ffe9e61bad333127c6dc5a8d3080d48714eb952de3672c
SHA512bb816bbd94ac8193cded0d3a02c7fa4cd2db603970b859c92075c4b04ecbf45e95a9c0bf08649b10e4316092c3f5d20567eae2a478eb0e91b2892844c18601e9
-
Filesize
5.6MB
MD5a282f18da97b184697851769b63ec54f
SHA14e91b743cfa29c42765d2ff63bda0532148c1138
SHA256e208ebc31e4776e017463872b63e8c2d420b45e0617b7465c26dee318911c06d
SHA51218f3cd0b80c35bce8ab30ce4fb91fa88b9406171b0bed32e1f60193d5a073f7c76014f4c8be4d970859ece9162532523a005572710e824379b50ba8fbe8d3f9a
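A host-side check for what the process tree and the Downloads section above record: 22 service image paths under "Executes dropped EXE", and the hashes of the files that were written. This is an added triage example for this page, not output of the sandbox or code from the sample. It verifies the Authenticode status of each image path named in the tree, compares SHA256 values against a seed list copied from Downloads, then sweeps every installed service image for a signature that is not Valid and lists the shadow copies that exist, since the report flags use of the VSS COM API. Assumptions: an elevated PowerShell 5.1 or later session on the Windows host under investigation; the `$SuspectPaths` and `$KnownBadSha256` names are this example's own, and only four of the Downloads SHA256 values are seeded, the remainder being pasted in by the analyst.

```powershell
# Added triage example for this report; not part of the sandbox output.
# Assumes an elevated PowerShell 5.1+ session on the suspect Windows host.
$ErrorActionPreference = 'Stop'

# Service image paths the process tree lists as "Executes dropped EXE".
$SuspectPaths = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\System32\fxssvc.exe',
    'C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe',
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe',
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe',
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE',
    'C:\Windows\System32\msdtc.exe',
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\SysWow64\perfhost.exe',
    'C:\Windows\System32\locator.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\System32\spectrum.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\System32\TieringEngineService.exe',
    'C:\Windows\System32\AgentService.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\wbengine.exe',
    'C:\Windows\System32\wbem\WmiApSrv.exe',
    'C:\Windows\System32\SearchIndexer.exe'
)

# Seed IOC set: four SHA256 values copied from the Downloads section of this
# report. Paste the remaining SHA256 entries from that section into this array.
$KnownBadSha256 = @(
    '678324a5894146792a645de40dbffc0da51324be9376eb731fb7f9d97cc136a8',
    'db8130afac90b3ba9e391e0fbb2e61494dc171ed71fd23ae78b6720968780d75',
    '5881c2a3d77ab743f6f8ecf975064839ae1cf12a37511cf7fed904b0f07003fe',
    '1dcec659a78564107712762722fdf4d53c24ed87e7be4fd70aa9322fd2d75260'
) | ForEach-Object { $_.ToLowerInvariant() }

function Test-ServiceImage {
    # Returns one record per path: signature status, signer, SHA256 and a verdict.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'missing'; Signer = ''; Sha256 = ''; Verdict = 'not present' }
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $verdict = 'ok'
    if ($KnownBadSha256 -contains $hash) { $verdict = 'MATCHES REPORT IOC' }
    elseif ($sig.Status -ne 'Valid')     { $verdict = 'UNSIGNED/INVALID SIGNATURE' }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Sha256  = $hash
        Verdict = $verdict
    }
}

# 1. Check every image path the report names.
$results = $SuspectPaths | ForEach-Object { Test-ServiceImage -Path $_ }
$results | Format-Table Verdict, Status, Path -AutoSize

# 2. Go wider: any installed service whose image is not validly signed. PathName
#    may be quoted and may carry arguments (e.g. svchost.exe -k ...), so keep only
#    the executable. Windows 8+ resolves catalog signatures, so clean OS binaries
#    report Valid here.
Get-CimInstance Win32_Service | ForEach-Object {
    $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
           elseif ($_.PathName -match '^(.+?\.exe)') { $Matches[1] }
           else { $null }
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $s = Get-AuthenticodeSignature -LiteralPath $exe
        if ($s.Status -ne 'Valid') {
            [pscustomobject]@{ Service = $_.Name; Image = $exe; Status = $s.Status }
        }
    }
} | Format-Table -AutoSize

# 3. The report flags use of the VSS COM API: record which snapshots still exist
#    so a later comparison shows whether any were removed.
Get-CimInstance Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
```

On a clean host every Windows image in the first table should show Status Valid with a Microsoft signer, and the Chrome, Edge and Mozilla helpers should carry their vendors' signatures; a service image reporting UNSIGNED/INVALID SIGNATURE is the finding to pivot on, and a hash match ties the host to the specific files recorded in this report rather than to a different build of the same family.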