Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/05/2024, 12:51

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
Size: 1.1MB
MD5: cc80340e5995894bb3bf098749d24554
SHA1: dc6802600303eb85ed7be3e3d940084545b51e90
SHA256: 2c5efd40f91b936744760c49d720b6ce680e86418f0f883f151b1706426b913e
SHA512: c2235abdedfd23136f33f45381372a4f0c91b66b8ad36e7d852357e1052314fd4473aae2ca0d446a2819fdf607205a7102c34ef1137bfa6b9e8a3daa2d583cf3
SSDEEP: 24576:cSi1SoCU5qJSr1eWPSCsP0MugC6eT6t/sBlDqgZQd6XKtiMJYiPU:US7PLjeTA/snji6attJM
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
pid   Process
3604  alg.exe
2876  DiagnosticsHub.StandardCollector.Service.exe
1984  fxssvc.exe
5088  elevation_service.exe
3680  elevation_service.exe
3456  maintenanceservice.exe
5028  msdtc.exe
1728  OSE.EXE
2396  PerceptionSimulationService.exe
4064  perfhost.exe
2736  locator.exe
3732  SensorDataService.exe
3664  snmptrap.exe
1776  spectrum.exe
2952  ssh-agent.exe
2500  TieringEngineService.exe
2908  AgentService.exe
3560  vds.exe
1616  vssvc.exe
1408  wbengine.exe
2780  WmiApSrv.exe
3672  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description                   ioc                                                                    Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
File opened for modification  C:\Windows\DtcInstall.log                                               msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cff3eb7cfda5da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021db547dfda5da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
2876 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found (2 entries)
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4044 2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe
Token: SeAuditPrivilege 1984 fxssvc.exe
Token: SeRestorePrivilege 2500 TieringEngineService.exe
Token: SeManageVolumePrivilege 2500 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2908 AgentService.exe
Token: SeBackupPrivilege 1616 vssvc.exe
Token: SeRestorePrivilege 1616 vssvc.exe
Token: SeAuditPrivilege 1616 vssvc.exe
Token: SeBackupPrivilege 1408 wbengine.exe
Token: SeRestorePrivilege 1408 wbengine.exe
Token: SeSecurityPrivilege 1408 wbengine.exe
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege, left unnamed by the sandbox) 3672 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3672 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3672 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 3604 alg.exe (3 entries)
Token: SeDebugPrivilege 2876 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3672 wrote to memory of 1508 3672 SearchIndexer.exe 111
PID 3672 wrote to memory of 1508 3672 SearchIndexer.exe 111
PID 3672 wrote to memory of 5016 3672 SearchIndexer.exe 112
PID 3672 wrote to memory of 5016 3672 SearchIndexer.exe 112
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-14_cc80340e5995894bb3bf098749d24554_ryuk.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4044
-
C:\Windows\System32\alg.exe (depth 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3604
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:956
-
C:\Windows\system32\fxssvc.exe (depth 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:5088
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3680
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3456
-
C:\Windows\System32\msdtc.exe (depth 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5028
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1728
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2396
-
C:\Windows\SysWow64\perfhost.exe (depth 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4064
-
C:\Windows\system32\locator.exe (depth 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2736
-
C:\Windows\System32\SensorDataService.exe (depth 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3732
-
C:\Windows\System32\snmptrap.exe (depth 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3664
-
C:\Windows\system32\spectrum.exe (depth 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1776
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2952
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3052
-
C:\Windows\system32\TieringEngineService.exe (depth 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
C:\Windows\system32\AgentService.exe (depth 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
C:\Windows\System32\vds.exe (depth 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3560
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616
-
C:\Windows\system32\wbengine.exe (depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2780
-
C:\Windows\system32\SearchIndexer.exe (depth 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\system32\SearchProtocolHost.exe (depth 2, child of SearchIndexer.exe)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:1508
-
-
C:\Windows\system32\SearchFilterHost.exe (depth 2, child of SearchIndexer.exe)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:5016
-
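The process tree above is the useful part of this report: the sample (PID 4044) takes SeTakeOwnershipPrivilege and overwrites a long list of service binaries under System32 and Program Files, and the remaining entries (the HKEY_USERS writes by SearchProtocolHost.exe and fxssvc.exe, the backup/restore privileges taken by vssvc.exe and wbengine.exe, the VSS COM usage) are those services starting up normally once launched. The sweep below is an added triage example for a suspected host, written for this report; it is not part of the tria.ge output and not the sample's code. It takes the binaries from the tree, and flags any whose Authenticode or catalog signature is no longer valid, whose owner under the Windows directory is no longer TrustedInstaller (the on-disk trace of the take-ownership step), or whose SHA256 matches one of the values in the Downloads section. Assumptions: an elevated Windows PowerShell 5.1 or later prompt, the function name `Test-ServiceBinary` is this example's own, and the `$KnownBadSha256` list is a constructed subset of the report's hashes that should be extended with the rest.

```powershell
# Added triage sweep for the binaries this report shows being dropped and executed.
# Not tria.ge output and not the sample's code. Run elevated; read-only.

# Paths taken from the process tree. Browser/Mozilla entries use wildcards
# because the version folder differs between hosts.
$Targets = @(
    "$env:SystemRoot\System32\alg.exe",
    "$env:SystemRoot\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe",
    "$env:SystemRoot\System32\fxssvc.exe",
    "$env:SystemRoot\System32\msdtc.exe",
    "$env:SystemRoot\System32\PerceptionSimulation\PerceptionSimulationService.exe",
    "$env:SystemRoot\SysWow64\perfhost.exe",
    "$env:SystemRoot\System32\locator.exe",
    "$env:SystemRoot\System32\SensorDataService.exe",
    "$env:SystemRoot\System32\snmptrap.exe",
    "$env:SystemRoot\System32\spectrum.exe",
    "$env:SystemRoot\System32\OpenSSH\ssh-agent.exe",
    "$env:SystemRoot\System32\TieringEngineService.exe",
    "$env:SystemRoot\System32\AgentService.exe",
    "$env:SystemRoot\System32\vds.exe",
    "$env:SystemRoot\System32\vssvc.exe",
    "$env:SystemRoot\System32\wbengine.exe",
    "$env:SystemRoot\System32\wbem\WmiApSrv.exe",
    "$env:SystemRoot\System32\SearchIndexer.exe",
    "$env:ProgramFiles\Google\Chrome\Application\*\elevation_service.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\*\elevation_service.exe",
    "${env:ProgramFiles(x86)}\Mozilla Maintenance Service\maintenanceservice.exe",
    "$env:ProgramFiles\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
)

# Constructed subset of the SHA256 values listed under Downloads; extend as needed.
$KnownBadSha256 = @(
    '1716b52d8c245e1898d72a21c7ac78949446952a55c6359cf2734152ca509044',
    '1584c0385fe367792989990246c6140cfe32a09694b92423751dfe513690eed8',
    'e140ca0b4f5477d37c2981feae838a9e789e8734415b68c3e1cc2d14d144f729',
    'ebf724b37a0751c8b99413444f2db29212d3519f47d2ae92e16a320c833730cd'
)

# Hypothetical helper name for this example. Returns $null when the file looks
# untouched, otherwise an object describing why it was flagged.
function Test-ServiceBinary {
    param([System.IO.FileInfo]$File, [string[]]$BadHashes)

    # Get-AuthenticodeSignature validates embedded and catalog signatures on Windows 8+.
    $sig    = Get-AuthenticodeSignature -FilePath $File.FullName
    $owner  = (Get-Acl -Path $File.FullName).Owner
    $hash   = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    $reasons = New-Object System.Collections.Generic.List[string]
    if ($sig.Status -ne 'Valid') { $reasons.Add("signature=$($sig.Status)") }

    # Third-party service binaries are not TrustedInstaller-owned, so the owner
    # test only applies under %SystemRoot%, where a changed owner is the trace
    # of SeTakeOwnershipPrivilege being used to overwrite the file.
    $underWindows = $File.FullName.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
    if ($underWindows -and $owner -ne 'NT SERVICE\TrustedInstaller') { $reasons.Add("owner=$owner") }

    if ($BadHashes -contains $hash) { $reasons.Add('sha256=listed-in-report') }

    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Path    = $File.FullName
        Signer  = $signer
        Owner   = $owner
        SHA256  = $hash
        Reasons = ($reasons -join '; ')
    }
}

$Findings = foreach ($pattern in $Targets) {
    foreach ($file in (Get-Item -Path $pattern -ErrorAction SilentlyContinue)) {
        Test-ServiceBinary -File $file -BadHashes $KnownBadSha256
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No modified service binaries found.' }

# The report also records use of the Volume Shadow Copy COM API. Record which
# shadow copies still exist now, so a later run shows whether any were removed.
$Shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
"Shadow copies present: $($Shadows.Count)"
```

A binary that is flagged only for `signature=NotSigned` or `signature=HashMismatch` with a TrustedInstaller owner still deserves a look, since an attacker can hand ownership back after writing; a hash match against the Downloads list is conclusive. Restore flagged Windows binaries from installation media or `DISM /RestoreHealth` rather than deleting them, because every file in the list backs a service.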
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.1MB
MD5: f421e13a89b3ffb841f76f58cbd734a0
SHA1: 16a7768188f3a5b077a7069464a002ee2820cb80
SHA256: 1716b52d8c245e1898d72a21c7ac78949446952a55c6359cf2734152ca509044
SHA512: bb2859140e0d217d316088972cb1aa0a97d764e6b2e1305fec20d157afe8e7944146766a80444254f03462f2d1454d924b02df321642e555ce4413c48bfcb710
-
Filesize: 797KB
MD5: f62b542e89e683ad83c22cf9f27a959d
SHA1: d29581d382ee80f5b893d840f0a3b13f736dde37
SHA256: 1584c0385fe367792989990246c6140cfe32a09694b92423751dfe513690eed8
SHA512: cf84d68c9ef9fb2d69872550e0fda55b038c66ef327920ccb880e6c701a9b815474cbba7634645cd2f41fda5b9538f0f5cf425ce763bf6f49870d39969c66b72
-
Filesize: 1.1MB
MD5: bd58bf2b23b83f748fa655ca841b2623
SHA1: 55e2c1ba65634272348c481a72303f34f2053d77
SHA256: e140ca0b4f5477d37c2981feae838a9e789e8734415b68c3e1cc2d14d144f729
SHA512: a9a0d5cca30b5906669b9ee44c0fc85e27e3a3a1f980bbedb8dc30ce9ff801f9737832e2abbc5fa59280f788fde8cc1458c72cc6eab3a2e03073ee4cc198f919
-
Filesize: 1.5MB
MD5: 8ea2de82e4778c101cd223778c59afa2
SHA1: 3300b0fdc62bd5135f48bf4c2079de42df893d5f
SHA256: ebf724b37a0751c8b99413444f2db29212d3519f47d2ae92e16a320c833730cd
SHA512: 0fe5677ebf80d92fc760d2aeb851786f06d918112314eeddc316f661e59cf73042ceaeedd880abbdb5eb9970b1b86af69fd34cc80cef84daafa27c0dcce175d7
-
Filesize: 1.2MB
MD5: 2023ef482f01158778e0843d90e054f0
SHA1: b4a0d64a1b03f506fda27de8856a3f820c050c6c
SHA256: 0a894c1c9dcd08e468f2d8de39f696d02b27a0eb5a3ff2fcdbf1ff943f6f676c
SHA512: 4b031e617c8232a41e69e7d306595742ce51045c8ce542b3759f8e453210844a31cce771813045d4c20c4df9dd6077dd0c46ee619bc4ccce4d86f44666238e60
-
Filesize: 582KB
MD5: f5e12c52b27f36d2846832f795496964
SHA1: d045bf8af78baf44f06b30b19071faf522b8953c
SHA256: 6e67feb225e46cd94927767a6fd9dd9024943d1cc725ad2e6394c176e49fe38b
SHA512: f257173dd2050bf6bab9afbaf2769a424a8b3f13b26b248088077c4893f3bf28848e79af9dd468dd4a5f9282b54367c8de05c98d6916288c02dbec75e6ae851c
-
Filesize: 840KB
MD5: a519b7cf26949e635483cc183ffde1b7
SHA1: d9647b3d513dfbc316f40b21203722ec04bbc389
SHA256: 40de23b4165e680f51f9ee612786f4b84da2e1888b23aba6211b8e90960e32c4
SHA512: 2dc9b68a29d91d3e1c13972a73bfbd6e1cb7aeb9db520f8fca988932cd855fa3601c93ec75d89421bc0f86b7f6b5a2fbc24dcc9276886a3b373f78627d084b83
-
Filesize: 4.6MB
MD5: 7e2dd0f2c74ac2bd455829e7212505b2
SHA1: dde4cab69d5b65bab24bc8e56ae27868fe1e3845
SHA256: a508b03e775449409f8d4f8b621aa9a9d81bbd70212d95f3661279d3ae000dcc
SHA512: e22cf30dc8ec58eb7e0b601236f8cbb13fe03fab37b953087961197471cd155789cfc632f37bf30c6a6b540be3db0f174931cc6419f7a0e64ba716130c41fdbc
-
Filesize: 910KB
MD5: e9fdee82e96445f571fd85aa4d512d5e
SHA1: b74a38035d947a50f5cc9ef01c3a9b2feeab8505
SHA256: 0a582365a0e496a6704991b75bf90e7957263cc3b0b15e84c7b83d46c10fbb48
SHA512: 4dcccd8d903c7fb6153219d8377f3f34198f06ad7f6f4b6d18237ab15ebdb4db32bc823a78bd0f8860220c1410001a5c4af10e61f2d8c0b8480b27b4c13ddee2
-
Filesize: 24.0MB
MD5: 693d6f0c95861df5089e93380110e000
SHA1: 5c46eaa99332883392af20845ee5a94f0faba651
SHA256: b66c1f7d05bfc3518b260b1886ee71396f6e42b46f0405d50db2ab682550b0ff
SHA512: 95d46c9590d6a6e1f0b209797330f914465e95c388a9c9c81cbca005b4c41c8255a9b9c8e19433c1e690c583a239c93bdb9a152c34949918419c5cf202a5c803
-
Filesize: 2.7MB
MD5: 03f9de1436aeb335874d1e48372f1230
SHA1: d5e9f01f41f8de5475a58b3e1b45e99132de4acc
SHA256: 37747569a7731c49a930e1dbceb8f6ca02231564d717884b8f607d5c1df11fb5
SHA512: 4dbbf06dd42bca9d3b7e455fc25dd13fcf18796743a10ba46463e687d2419a661021b6e25a45184aed31cb1cda1667cf1eba3c6291f29f33ca93013ffbf6a9cd
-
Filesize: 1.1MB
MD5: a651432d740874c45af1350605165b5e
SHA1: 4175f418f233e89dc2782dd3b381539626844552
SHA256: cdae09e2594487a27c4699a7e4006957aae4689a0bd50cd8571f9aa2049b638a
SHA512: 18926affcf8917c30936800adbe26636caafefaf41de48a0a7eee530a935d2aebe8619f094b96b051529f190bffe4a034f22c15db9bdffb66e18a7631706a3e5
-
Filesize: 805KB
MD5: 1ce98a0ef5995ac16074aa9793e902cd
SHA1: 57803612c4fa08faacb6ca0d766759574c0fd09e
SHA256: 82433d4f74c58dee7992a9b54eb55d8414fdcec91b0f3b2d41adc52dfc30e5bd
SHA512: 7be8b93275a2d87655b8a187588290dd0f85319a4e44a8ecdeb49347f26251127f4198b2e724b3d9aa2d3cc543fa10941cefcdb414b39ab0b25b39d3416f169f
-
Filesize: 656KB
MD5: 8404143ea991eac46eb07a3870c4cb8d
SHA1: b05e6e0bb7d961b26b71d79c93262b4daecd462e
SHA256: 7f17afbb3ff1fb3168cb56707284877a9e95cf8bc7090dffd607eab8c6ba5d18
SHA512: 3905ee2a7cca78fd5d0448e262209a31632622b8ad51d13d2b8275c3306162a982bbfaa1fdba4f514578bc6361e3c620699e9d61f3e89249f29bc80ee8aa9bdd
-
Filesize: 5.4MB
MD5: f7e3f2a77eee92e19f2862d32a17f7cf
SHA1: b0fa4e3bdf2a8a835664db41c7eb6b631c572039
SHA256: 3bd8b49b56f426a7e1bf1de938aaad07a9edfb0c3157199c2390b65861510e80
SHA512: 5180ccf6415196d6f60ee8f7da48c42996956b8704a33b4664c4c393c9108c8644e7af27a2fcdc342b7db802b13e246e12577f0eb2adad29929e82369e80243d
-
Filesize: 5.4MB
MD5: 46dca7e15be2da9dfd63cbed1c450e42
SHA1: b7a167fcc3cc2f73da006eeaf1bf337ef308f447
SHA256: c9da213d9005625cbb5dbf189c1d9afcf94a40134d8617d0e7cf0c1279b32e8d
SHA512: eb40eb830fe4e378b5522e6cc7eab7dd4f61ff6309c828124455c2884c0500f6be4f837123d1e1e8b8cc37323d12a3be17b62f1d2d7fc8f28dad5d870c9c1733
-
Filesize: 2.0MB
MD5: 463226ebc79ade94ed447926b3d5b6f5
SHA1: fb026dae1f19d78bf4001c41214fddcf46112bbc
SHA256: fc48d365d88889b8456131889c3d24803d0c8f47d5bc0bbcdeef9542e6a4690b
SHA512: 8d771f9d34c5d8b82ea5399206237b25627f1557257663df1b4371251dc8baf7f72fee9f354cae5e24a14c2f9bc0449576f4c4d8f6fe5780fa0674c99daddd72
-
Filesize: 2.2MB
MD5: cd28bd214925d75da8557fa1fdde8517
SHA1: dac6cb7014ba08055dadf6e73cefad375fd7799b
SHA256: f18b9ec38ec834199f7b7b03d2dffa1567f82f895d1de8987d7b8314f5ace06f
SHA512: 690f475cb93e5bd9a6fb85b87314356ec295bd6914697737b2154e50ee36ae45d0a6b4155c1c9fec4d4fe241bf2d4164d81265f4df43274855d1da79168cddd9
-
Filesize: 1.8MB
MD5: 0a69527937f6a5345d257bfe6fd536c1
SHA1: 3d99a5339a1262b5c202644fd1bbbef308d2071d
SHA256: 541a1ef68303d40751d60778bd4c7aec81432e1ba412c2da8790d13a66eef03c
SHA512: 0de155b79ffead6abf76a8b27278f8b3ab7c0d56e6f4a2010d88c00429036184969e72baccb5a73048071c5505e16ecfe664fe11b0914780f1fc1fb393ceab05
-
Filesize: 1.7MB
MD5: ce02389bac0bba1abbef30c2be0cf6f7
SHA1: ea5a11b6e75177973428529c8a3a259b3716ec89
SHA256: a45485ab0fc1174878a0ed70a32509316b4e702cb715c0979f558f1e71a550e8
SHA512: 24eefbe5c121c46a4efc4d85a8a966e60b195ae910ce9f3601447df8dac592aea15c7d7724a4bbbcf12d6566d5a279c37ab8887ee3eeaf5c5d2189d06ae1d0ef
-
Filesize: 581KB
MD5: ac3c421e2e23c1cc53e6c6451137cd3c
SHA1: d6c402aff7c260c5bbe221752daf0e7fc771b7b9
SHA256: d2e9b46d480a867966a5b19361261816e86ead007b274b7af1ce0c3306fcb4e1
SHA512: 89b16afe0245248536d8a008c955824bfcb22d2dd56419bdb691dcf9a53a749700fa843736fd7ade23a7b361d95a56cd0b42cf4e70430d030af1b9fa39dd20d0
-
Filesize: 581KB
MD5: 1294d567ca8352d5ee847e1b4030edaf
SHA1: cbbf884c470404062be0b108ed2458ca4be635cb
SHA256: 9d59262707f57fdeba8606418c7d5452130c89af7dc3609686f388a2df5ecabe
SHA512: c2278ce6f8a91bc43c2274c2de69789e21fb8641cba239b31e8e1dc3cbd3691c65744a96399be460dcc2bceea6a179c595c01e9cf0f16243ff2ef2fc255f3bd0
-
Filesize: 581KB
MD5: 6dc76d75aed9bd7125d21db3213b088d
SHA1: 6b1cdc2b37674075747a6be83861b0897557e19e
SHA256: b3a16416785f77ae159245c39ec238c67703665298652c8043c00cb0f48d7de7
SHA512: c3c5a6ca2fc95cb7e126dfa3a627e628648db03752d00826f3fab2c1922de5cb8a9035f5986dfc2a2b0f0db1b389e43886b069ec816549935f3051f7ed4b65ab
-
Filesize: 601KB
MD5: 3e2146b425a3ec3bd75806b1648c4275
SHA1: 59a008abdb39c07f0d57da91a19bf9115e96f121
SHA256: dac30c5aaaedc54811c5ce7c6c10cb71e57656df8a2dbece15def1fe223b2a1e
SHA512: 7c5dc5970a6ce7b5a1c43ab766f7c8ffd994571699467626f71fbc1dd734c89ef1248e5f4dff27229c3cf588f83a57c392dfc8d481e78672a055c20866e8d8d0
-
Filesize: 581KB
MD5: 010079e9ef1dfbd90321b9219f9be36c
SHA1: d40ceb61703f1c55e6407ec53501e344209dfe59
SHA256: 08079ceb5d676ab2689ec47f56d6682dc9885bcf5c7efbe16daace3e1f276979
SHA512: 2cc47b51e2c61c0a6cdc0f1baaa73000c1ace7388c4f5c68b3f07bd737b0cb32e35a5f4c3f916b7e83878210202448ce85c959da75634deaa09d2d5e827431d8
-
Filesize: 581KB
MD5: 122cc7aea8795199e4f5ee9a8f8fa351
SHA1: f25cf0b1f36341e96de3b8512209e5b0495d78a6
SHA256: 17edbb7890bc913315455d7a54f82a2e41f2aadb84ae9828e372f8a8fc0a779d
SHA512: 8dac7dc9ff09b8ab6186c9859b224ea062b6d2d17c5ea900570e3dfc2ec2f3c81c72ef1b465fad96a89849d5c27b5c70d172872e6bf0634aa9d39bcc6fc05143
-
Filesize: 581KB
MD5: 94229c763e948e25e3c90d38606a7f78
SHA1: 3e74341b97d79cba3172c374adae6b802168c41c
SHA256: 8f8d017448337628284fb77ef10af29d029c02143566cdf4573dc0c9a56cf06b
SHA512: d7111da4bc28d34c025844f44d48bdec7019d3b8881457dca93ef72730a407d147116b825be1ef10d878efc79ee87825b23493d1758b47cce78fce613aaca426
-
Filesize: 841KB
MD5: 91d291b51da5519c13dab5f82d725cbf
SHA1: e350cf4ea9cf07d35db6708985676abb34881294
SHA256: 4d86d0afb7462644b0186c7490ac471567e6c58eb19e9f34895a26a59ab02e67
SHA512: 09f87ac2737f7c53701ff8aed38cf37aec2fcb93ef2a1df59d766f389bf223824e5c37dca65b7ea60bc9f9a0adbb7c39e789f756c226f1e6235125dff5d1a89e
-
Filesize: 581KB
MD5: ca80c6aba09fad88c4eb1a227e4c4570
SHA1: 569e44d1ed8589bb7629768c538804102a41af38
SHA256: d81422c2b007f039b9baf92357cfcebd977eb2b3ecfa799d54a4c8b02ea81fe9
SHA512: 05a25cb5ec96c55c892031966d4033459dea476c062b7967c5494945e16a4e7b55af387431e5078f35a47c5b66fcc15f758eb5974289817f4de304a2c98fbc73
-
Filesize: 581KB
MD5: e01ebcbaa914df7106e5e6fe8a10f274
SHA1: b529a00614cb5d5b762000eb6b5ba75426ee5bc6
SHA256: 6ed3e9e47a03d79192db052c81f60c77ae29275e4547b767d4c386b35ce18d28
SHA512: 11e5a11aaac4261bd2abfc970319e395ef39391b9b095a3145dd5568c39b6d3e33eaa860852e7d533b8a3053910e2956ae60bb3f9f6acd89e285d7dbff7fcd36
-
Filesize: 717KB
MD5: 9e651fa92573b57377011457a3903086
SHA1: 8fe55fe7a278e31f65e1390459b1fac7e27d7b4d
SHA256: da16c8c5b6d419f81c3e355b1c0574539659c6f18d192a5cf762d9dae557b2ca
SHA512: ed7c0ddf8259e6866c1f77c579a00da6752dcf9a4f0487b3c19cfe67d35eaae8ddba4be21c38caf63f39510f0cbd795222631b5b35f0f9ce20c7791bcb235fc2
-
Filesize: 581KB
MD5: ec6010980344993d936a71bec88cdbd2
SHA1: 93c391e5cf8efd88d5bf4957738b04c59562bbfc
SHA256: de8d17845c0f92dddd3be1c1fa2bb755c6ddf6ef8488f9498b48491eef9a7de1
SHA512: 1071ecb10a20ee7f8200aaf8f76031671aaf866a10fcbe8ba79dade7dfb77e6d6122a70cabaed17ed1e2b4e2ccd0f67ae088f24ce4f6fa8b1df47bfb4ac17986
-
Filesize: 581KB
MD5: 67dffcd6963e668b9c76e7d29a9c056b
SHA1: 1e35f4f9858c242564fb40e2fb399288da97a9ea
SHA256: 9acc10afbc855ce89b67bd411486161dc0df7c1a822c72cbb5593973ee44509b
SHA512: 24525867f605205c5a7068326d59778482ee6ed70684082f11a4f15196dc7cc9a8eb1752ac87b63314f05cacb31afd67af7d34b20c87be0b77ed2dead5476899
-
Filesize: 717KB
MD5: 75e127e8e9897583e9ef7280c49bbcce
SHA1: e98888cadbb41b336ea136d3e29d794f0544e183
SHA256: c55d70c1cbb1392c288a3f15dbd9a18156237c30b500de30afeda2ea0f1b3eeb
SHA512: 3a5967dbad223e250af3bc5d674d2b5c4692ae17d3bb400402f320bc35607f7c80abbb9bd7f1b47d1a81f746f57f94995aa149738cb9694def9cf81b01671169
-
Filesize: 841KB
MD5: 9ccc2cb78a5864ee933d3e82df00856e
SHA1: 32c5e40b7ff2040a6385aeaeabe0644c6cfd82a6
SHA256: e781ae5132bd8c9c98189571ec4cad159fb85186cf9abb74df30c2acd05b0ffc
SHA512: 2b76d4c28f551104ef447cf47d9f6197ff5bfa912d093315bc33067d2ab91bcabbdb7d787ce9fceda4dd6c369c0c923f33897a945f1ba3549fce31c7a3eee298
-
Filesize: 1020KB
MD5: 80018050f23ec19cc76b2281f4094f27
SHA1: e41c6772d6a40a258ce3a12d44515cad193caa61
SHA256: 1ead10def3a4320689413875fb36bab469d2cf6ddf6013430203845751740132
SHA512: cdaf915343cbd187a72ef669e1c7553ba64135e9623e9386c8e2519850ef4a9017f7a1732aae962a2749db80fe4f4d11efa3e98cef3f040612e5930e693f0212
-
Filesize: 581KB
MD5: 8ceee6311824dbf38fc7f63d84f1c009
SHA1: 23b17c716327ebba00484f66d52e2380206d8840
SHA256: cbb173089a83c4edf25307d8a21ac03892c9b7e6e53013b5ed73e9ddbed4102c
SHA512: 1412a47061947e47ec59a4189d73e2e3c6415b22c8a0d63825a2787e1b46ea840a37042ee9d8365310789cc45ceacfdb6256886813c4010ef90372a1548d5dea
-
Filesize: 1.5MB
MD5: efc0c06021e4a0c98dfcdf98de61a62b
SHA1: d7e87ebf93922b9e2b8934dc38a609f58920585f
SHA256: 4264dce4d4fcca118eb73bea9c6a5f2b5456f8fd67d62ab37c324a108e1d1053
SHA512: 086fb1bcd2de8fec6cbc99d72e715aeaf41bddab95f00d10c83bc19731c78d4df81543d5595b518878d9cb79dc63d8af383c900edb1724c4b1d11460f4a7ff0d
-
Filesize: 701KB
MD5: 7c03cb74b11d3cec5b1be7c3333e86d3
SHA1: 5fdcd9bb31496316d7998eb644c88cb138d0d8ed
SHA256: 9781c18651060f678ba71e5c239436939b474430f0ac54c8ac88409eae0bbb65
SHA512: 879796785deedbf5a2ec7822db30b6910fda62261d82d66c8d2a7424cc5d8d5fb8e86a1ecfcddb9a00db832a5e8f5252d5b3b0d444fb40c4cc28c12ec5073951
-
Filesize: 588KB
MD5: 0790596a6e9a522f1e9a6e0caae0a5f2
SHA1: 6c0930e3647ecaa929a344aace1dcb7d7862d885
SHA256: 318ff35d8029694c08361741b1f13848061f14db2ee19ad3baf4e91f669ecc78
SHA512: 4122113c3c7be52f5faee2107af8e906b560aeb7f4c2f4106e79aa10261ae1aca7b0470ee672d4738f351006fc7dcbd032d620a7914c0605cee44de258d016e8
-
Filesize: 1.7MB
MD5: 1ed4f3561f60e8147e5496657fc0ca92
SHA1: f21cf58fb469bdb9c18932e6bc81b3fc48d41cfe
SHA256: c8d28058810b241e391125c659231e5bd6c77e1f5013d2409bcdac91f8d7c503
SHA512: 8c01b32f7178334a69ca49707900a58be9457257d36ca4df1e60727a43e0f3a651e16a6eb56a9372d956a1b0218b0b488251ebac3024e79f7356a781f106b3c3
-
Filesize: 659KB
MD5: 7cf1ebb56264d33e9f970e83472576d9
SHA1: 55cdb6c95b0f2abdb22e9974f449c5264f9c058a
SHA256: ebbcf7a6e7c97c8f2076f4b06eebe2c0be8b44e64239887ce3a5ecbe71bbc1d3
SHA512: 72a54ff849d7eb0ec1ef26143fe5c61e9e37273f96b2f415165b88f721d011ddcf30d3a107c8b45a6089679701ed4d3d14f07d2631185dc86068e059076dce15
-
Filesize: 1.2MB
MD5: f13e841670890494c45c10dfa029430f
SHA1: ecdd5212b3c02707ee77faeba503c49ab0847cfe
SHA256: 74b9bb1d2eb77894cdf432ae9cf3ec6492130fbef7ffe4e5fa47c7327709b28f
SHA512: 62e5866dd79f46ccb2e308749178106f9bc5b09bd16ee6abfb77694ea23fe56016001853569daf7c5087afd3c7c535a927dc87e8996c811d81280416b0c7cf52
-
Filesize: 578KB
MD5: adf0ff5bc674f120a3c59e79aea1db0c
SHA1: 9c2f08f663b18f67ab6888ad9f1240b018121247
SHA256: 2de7bac0df4e0f8972dfbcef9c585e12e389a9b4e081c8d7c46595fd1534b153
SHA512: 82825884cd19227be16859052fc4a0be81ab441a40281d51bfb85796d365a390e146afb254969bae5b5f9206e378bceb95eb38a668c85f88e3d2ed02081d4293
-
Filesize: 940KB
MD5: 118d18e067a209bad8351020758a6c31
SHA1: 39fa90c796b7862c3ab91a2433f03f08461f71e4
SHA256: 8f04da90d4428b531fea9419316b5dd4e41da18afe8c28f9040ff489ca6f70c3
SHA512: ffb52f74d2b32f8f02efbccdc34433d7d13f1632ad72a40d3b6af46325693a1aca1ea377cb7caf76b82de9053bfce130d92e96249e2c0a4a60279dfaf0d7059e
-
Filesize: 671KB
MD5: e5bc8505bb3e21f82d7e7398c3fe7941
SHA1: d20571f62d887bfc1950e01c05178b07e9e91b2a
SHA256: 67762703d3be07f5c297a399bb2b34c17ee746976b1c6689b7a11c1f281279e2
SHA512: 685b011a6f5c14ee6631c95d2fa2c06439c09aea306c5c8e1a00d95417c4cf893582d330805672b02bde000fe2f4f862ec5326878c007a278b517e5642a8f435
-
Filesize: 1.4MB
MD5: 515dbb0475770c7a6f25d2ea1aaa8aa7
SHA1: b1a99449bcfa99e9e9ecb353459064b11ef9cd0d
SHA256: 5989b5e257c6cd9f6f96a29f2d7adef1bff41e369b4f212cbfd73ef7a3dd25b8
SHA512: ed33b5f8a7206fe1e4665aaea7893177f09d47e10c38231196212998a33919f55e0ffffc632f05baa7f15453723c18ce6011fe82b0407fec69ccf6589c53aa0b
-
Filesize: 1.8MB
MD5: 1b7bde37ae56fe13a6f8d61cd1520e14
SHA1: 41334957e386fa36247a2b17fb2ce351a9bcc745
SHA256: ea739970d8a0239a5cc4109b366763f75b9d16803f7a6fb7068ed8b7f0b83693
SHA512: 3ab7d3be5332b43eff1c1380ef36895f311c7f3ff4e9f7bb0050453c4815018b348b9bb9d2c331fff30209c8409f5fa56d4df4e6b546696781bcdfd2be4fab31
-
Filesize: 1.4MB
MD5: 89bf64e6c49f806af45adca1fdc82600
SHA1: 145fb8f6019dcfdababc5c20b99ced98c89403ce
SHA256: aadfe11d8bf18767b2a7c2bbd21a9667c12a3dbdd3c51092347f0c3e415663fb
SHA512: 7ceccbdcc221f14d3d3d0f2c4f2c05380095c62f3a7fec8be727076a2987ec78998c66442b88997853256254cf1868c9369d7b9d4e80063de09f5a83484ade49
-
Filesize: 885KB
MD5: f8020787e54fb6dc1097b6fcd0fa81e8
SHA1: c68737d3d6ee114d0ff28b01262b73cc7010c408
SHA256: 016b092c0398f8a913f7dacbe8456a96cf2230693bf52de45693b84f0c5860c0
SHA512: 96805669005ab70f218cec6726455a510c24b86c4a76afcd6a5c8ccb28dbb886e26bcc72a6282658a930b64b720eb0f733ea53be035b70cdbed4e72a05a06e8f
-
Filesize: 2.0MB
MD5: 95bf9d1644c5e87660aeec480d056559
SHA1: c6cde63673cdf9dd34c6b805f9e260ff02ae05a8
SHA256: a95a40824c61ead64fe1711ee2112f46857087d9b5eaa21c82b55d418b487611
SHA512: b1770574deb3af0e3d227a2b5dcc1d6ad67ecdb8f5eccac6a13412be08131d43e5f83f08a61a9ee7cf55a7c45ff6bbb6ad5b9fa6c6c2e1a4c63920d040a80149
-
Filesize: 661KB
MD5: 8f6279f39158849c11c0c087242ea6a3
SHA1: 1b0ddff97070c39406e49e91b4e02898f2f52a7f
SHA256: ff5ef014594591e141de088b0e9fcf4f76c9eb981ed0cd2a8261a5fff08ab049
SHA512: 4559bb51c499b10e838b61b18a2e56c01083174a5327934d9555854f053c41ba6888047329e3538601ba071e06f9ae95188f8c24ac3c7d2f9d7ec125c107fcee
-
Filesize: 712KB
MD5: 1d430c7574607246ace2edaba467e9c5
SHA1: 7ec9fe076a7288664cbc4cadd71f930c9f455573
SHA256: 02e1ecc94ddcde5b359311176a0c4d06b64044bd5bdcb201e38fbc0f7589fd5a
SHA512: d5eaf511f6cb40f964d88fba20a5fd8a330ce6e6c999857cfa2b1591f392428bcae13f78ff4e88cceeab596bfab2c4509db6569e463259364a5a6c40c194ea5e
-
Filesize: 584KB
MD5: 162866c158d8ed52979abd843c68a759
SHA1: bcfc79f48ec4423423ae600a6fbc7a809bcd40e4
SHA256: e7dd53f244cf84431d90e826d0aa5f5aca83291dfafab3d0ab05348b79eaed6f
SHA512: 025cd48c040b94810d08026ef8b05bc5dec01825d1385c1702a05894f7926c4102ff518ff34fe59b3d30391c5068bcf3f648fc1bd3daadf1efa5ad4b599e425d
-
Filesize: 1.3MB
MD5: eb20fc73bb4f0ae37023344a8e891e10
SHA1: 5256405bebbab45ef100795a407a92304d546021
SHA256: e344437e944d47f47b77264b1fffb8bee085ef4e27e15dc5921015cc97db6f6b
SHA512: ff7bffddf374d37a3bf9d15882db24e52c09c2d917f46a332d9d99eeb5c049c96b327284a7367523e50461d7e28995810ae9f7e88ba5b690d1f000435e979879
-
Filesize: 772KB
MD5: a856c628381d0280cd0027707fa45dcc
SHA1: 0de313a64882aeae95c19b4afd006a64b860897f
SHA256: 2fd67ba958d330a6efa2da3022e0631336622bd12abedadcd39059c6b457b357
SHA512: 2e5d4b8a7bc5e72008b34663c68bbfdc4fd84dd4fc70680e8c427217bdd580e0226f2183cf5c506beae53ecce3e56efa8b1817aba1a45424ef9150b399a1626c
-
Filesize: 2.1MB
MD5: 21eaa6e57ed95319f3d816aaac489185
SHA1: ad0c08f56592512fe514cb6be984be005bbc8f5a
SHA256: d20319750d7445292b99bcf6fa4244c122261bd49c1490b7adaa78f135cdab8b
SHA512: f0257f994fa043142c53cb0e4b5daca695e508eaaa78e1a54ead6718363951c61091288cbe539b0ba53acc0cfe7ab3e23064778a8064c94ed2ed89e2a662e9ab
-
Filesize: 1.3MB
MD5: 4d3a6d0423ccad5019770d3f49fd6dc4
SHA1: ebefd6bd7d2bbcfba72ea64a2585e5bae104f30c
SHA256: 35857d30b85f1813e2b4ffb1ef8710b4bc021e84acf9c1cf2617961a42211a81
SHA512: 77c2f14e089e8e3fba9bc41cfb98d1bb20dbf0896de748d1440745ea685e993245aa405aa5c48f1fe4279006cfb3e516de7187ab072dfb6ed4ecad38800b8340
-
Filesize: 877KB
MD5: b0b11437cd273a3c57e78e3cd476dca0
SHA1: 4c7ae9a53cb8dd1394c7134bb679f9d115602c6f
SHA256: cd776e2abbcab264b19a4d2e7ae2bee93c619822942f4c258fd15398246eaafc
SHA512: b13639fa970041e9bc8d3a5d89ff3458285e0be1849410cfe25399b109a803ce51b6d4370e8ad0ed8e4c25fbec35d8cd06ba1105cd44bdbe504535edaff71d24
-
Filesize: 635KB
MD5: bd4cd5c5358f905b744d54bc0e227f0b
SHA1: a0fe74f50d23d50ee746c20adc82e53233b88d2a
SHA256: 53cf95ca58aaf1a042ded973ce80e222abe850782ad90a36036c0a26b8de9cac
SHA512: 6cdf521e0ce66a093bfb876f0a6497558d6b6e892cec4d20326a1e2ae5692cf880f57ce6a5a719113d2f8034bc9d462dd64fea3ac50b001805dc02871a6ab60c