Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 07:06

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
Resource: win7-20240221-en

General

Target: 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
Size: 1.1MB
MD5: 064af795f6d8f4eac1b2bb878b355c55
SHA1: 867de91292f2532ed272a561edc986d0b1391314
SHA256: 5e46d744c2d12c9af1857ebc203c39c9e76a20151397381975be1f0a050a66de
SHA512: c19aabc640dc959cd9ec82f7ad8d35f007b1437e4a7dd2bd0f9833ec8d4a982c9896e760d77e90a8b7362d71d4250d09bf6b19385b9ab276e61589e2e39685fe
SSDEEP: 24576:/Si1SoCU5qJSr1eWPSCsP0MugC6eTdt/sBlDqgZQd6XKtiMJYiPU:3S7PLjeTv/snji6attJM
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | Process
3752 | alg.exe
2000 | DiagnosticsHub.StandardCollector.Service.exe
2348 | fxssvc.exe
4892 | elevation_service.exe
4240 | elevation_service.exe
412 | maintenanceservice.exe
2240 | msdtc.exe
1960 | OSE.EXE
2952 | PerceptionSimulationService.exe
2236 | perfhost.exe
5020 | locator.exe
5048 | SensorDataService.exe
1652 | snmptrap.exe
4056 | spectrum.exe
1288 | ssh-agent.exe
2040 | TieringEngineService.exe
2796 | AgentService.exe
4008 | vds.exe
3804 | vssvc.exe
1484 | wbengine.exe
232 | WmiApSrv.exe
404 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 37 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe, 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
description | ioc | Process
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\38e81ab492be0f3e.bin | alg.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
Drops file in Program Files directory 64 IoCs
Processes: 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory 4 IoCs
Processes: 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061c25a3cf2b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa9a533cf2b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3d8b63df2b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d253e3cf2b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2752d3cf2b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f836163ef2b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" |
SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa734c3cf2b3da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000380e883cf2b3da01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: DiagnosticsHub.StandardCollector.Service.exe
pid  Process
2000  DiagnosticsHub.StandardCollector.Service.exe
2000  DiagnosticsHub.StandardCollector.Service.exe
2000  DiagnosticsHub.StandardCollector.Service.exe
2000  DiagnosticsHub.StandardCollector.Service.exe
2000  DiagnosticsHub.StandardCollector.Service.exe
2000  DiagnosticsHub.StandardCollector.Service.exe
2000  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid  Process
656  656
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes: 2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description  pid  Process
Token: SeTakeOwnershipPrivilege  3784  2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
Token: SeAuditPrivilege  2348  fxssvc.exe
Token: SeRestorePrivilege  2040  TieringEngineService.exe
Token: SeManageVolumePrivilege  2040  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  2796  AgentService.exe
Token: SeBackupPrivilege  3804  vssvc.exe
Token: SeRestorePrivilege  3804  vssvc.exe
Token: SeAuditPrivilege  3804  vssvc.exe
Token: SeBackupPrivilege  1484  wbengine.exe
Token: SeRestorePrivilege  1484  wbengine.exe
Token: SeSecurityPrivilege  1484  wbengine.exe
Token: 33  404  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  404  SearchIndexer.exe
Token: SeDebugPrivilege  3752  alg.exe
Token: SeDebugPrivilege  3752  alg.exe
Token: SeDebugPrivilege  3752  alg.exe
Token: SeDebugPrivilege  2000  DiagnosticsHub.StandardCollector.Service.exe
The first entry is the one that matters for this sample: SeTakeOwnershipPrivilege is what lets the elevated dropper take ownership of TrustedInstaller-owned service binaries under System32 and grant itself write access before overwriting them, which is consistent with the System32 file writes recorded for it. The backup, restore, security and volume privileges enabled by vssvc.exe, wbengine.exe and TieringEngineService.exe match the normal start-up behaviour of those services and are not indicators on their own; note, though, that in this run those binaries are themselves the overwritten copies.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: SearchIndexer.exe
description  pid  Process  procid_target
PID 404 wrote to memory of 3064  404  SearchIndexer.exe  110
PID 404 wrote to memory of 3064  404  SearchIndexer.exe  110
PID 404 wrote to memory of 4724  404  SearchIndexer.exe  111
PID 404 wrote to memory of 4724  404  SearchIndexer.exe  111
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware commonly calls into it to enumerate and delete shadow copies before encrypting, but this report records only that the API was used, not that any snapshot was deleted, and it does not say which process made the call (vssvc.exe itself is one of the overwritten binaries in this run). On a suspect host, confirm whether shadow copies still exist, for example with vssadmin list shadows or Get-CimInstance Win32_ShadowCopy.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_064af795f6d8f4eac1b2bb878b355c55_ryuk.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 3784
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 3752
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2000
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 4600
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2348
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 4892
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 4240
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 412
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 2240
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 1960
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 2952
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2236
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 5020
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 5048
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 1652
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4056
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 1288
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 3760
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 2040
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2796
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 4008
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3804
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1484
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 232
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 404
  C:\Windows\system32\SearchProtocolHost.exe  (child of PID 404)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 3064
  -
  C:\Windows\system32\SearchFilterHost.exe  (child of PID 404)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID: 4724
-
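What the tree above shows is a set of Windows and third-party service binaries that were overwritten in place and then started (each is flagged Executes dropped EXE), after the dropper had enabled SeTakeOwnershipPrivilege. The script below is an added triage check written for this page; it is not part of the sandbox report or of the tooling that produced it. On a host suspected of the same infection it enumerates every registered service binary and flags any that no longer carries a valid Authenticode signature, that lives under %SystemRoot% but is no longer owned by TrustedInstaller, or whose MD5 matches a hash from this report. The known-bad list is seeded with the sample's MD5 and the first few entries from the Downloads section; the remaining Downloads hashes are assumed to be pasted in by the analyst, and the function names are this page's own.

```powershell
# Added triage check for the behaviour in this report. Not part of the sandbox
# report or its tooling. Run from an elevated PowerShell 5.1 (or newer) prompt
# on the host under investigation.

# MD5 values copied from this report: the sample itself plus the first few
# entries under "Downloads". Extend the list with the remaining Downloads
# hashes before relying on the hash check.
$KnownBadMd5 = @(
    '064af795f6d8f4eac1b2bb878b355c55',  # 2024-06-01_064af795..._ryuk.exe (the sample)
    'cfced6c2bf3bbfe7e6b933775997a19d',
    'b46d0a9c43f3dc9c3880fa50fec73ec1',
    'afa1e1180db83f2b39b821064cf677b7',
    '5ab91d4356ea5f7dfafae060f17f81e6'
)

function Get-ServiceBinaryPath {
    # Win32_Service.PathName is either "quoted path" [args] or an unquoted
    # path [args]; for the unquoted form the first ".exe" ends the path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Test-ServiceBinary {
    param([string]$Path)
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $owner  = (Get-Acl -LiteralPath $Path).Owner
    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLowerInvariant()
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $reasons = @()

    # An overwritten binary no longer carries a valid Microsoft or vendor signature.
    if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }

    # Inbox binaries under %SystemRoot% are owned by TrustedInstaller. A different
    # owner means something took ownership, which is exactly what the dropper's
    # SeTakeOwnershipPrivilege request is for. Vendor services elsewhere are not
    # TrustedInstaller-owned, so the owner check is limited to %SystemRoot%.
    if ($Path -like "$env:SystemRoot\*" -and $owner -ne 'NT SERVICE\TrustedInstaller') {
        $reasons += "owner: $owner"
    }

    if ($KnownBadMd5 -contains $md5) { $reasons += 'MD5 listed in report' }

    [pscustomobject]@{
        Path    = $Path
        MD5     = $md5
        Signer  = $signer
        Owner   = $owner
        Suspect = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

# Every service's binary, de-duplicated (svchost.exe hosts many services).
$results = Get-CimInstance -ClassName Win32_Service |
    ForEach-Object { Get-ServiceBinaryPath $_.PathName } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Sort-Object -Unique |
    ForEach-Object { Test-ServiceBinary $_ }

$results | Where-Object Suspect | Format-Table Path, Owner, Reasons -AutoSize
```

On Windows 10 with PowerShell 5.1, Get-AuthenticodeSignature resolves catalog signatures, so untouched inbox binaries such as alg.exe or vssvc.exe come back Valid with SignatureType Catalog; on hosts where catalog lookup is not available they show as NotSigned and need a second look with sfc /verifyonly before being treated as overwritten. The MD5 match is the weakest of the three checks, since this report lists the dropped files only by hash and a rebuilt sample would produce different ones; the signature and ownership checks catch the behaviour regardless of which binaries were hit.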
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 cfced6c2bf3bbfe7e6b933775997a19d
SHA1 e9b5cc3064f3b9526ea290cc6552facd0b317459
SHA256 1a2c8ae07d8cf68531a2d35e2344d80112085bd8d220e85182994db88151e44e
SHA512 e0401fb02e12dd7abe677a9458c01b2a179b24be98e1f03010c744c509db65e661dc14563a2218d36fcdc4d2dd38f1c70d4a2bc6b9d60dd3d9708a4366b22d61
-
Filesize 797KB
MD5 b46d0a9c43f3dc9c3880fa50fec73ec1
SHA1 ba1b1f0e101054536bb9efea5b6f904742bd87ac
SHA256 ae980425ba9c9af79196c44865a0b90c329a7d3f7d065c0394316b5cf30c5f1c
SHA512 e6029e24effd621ee0bf8dcd6b794ab69a74648db5f10d1b6dab909584effe6361022616a5405612468de02bbab4409db893f9a7c970777ba8756675ba82c4f6
-
Filesize 1.1MB
MD5 afa1e1180db83f2b39b821064cf677b7
SHA1 9461cc33d5dd13d425a69291ae2ace92f89fae48
SHA256 03418e081a089db624078552056643a922aebaaee8742f93ade494db37d4b5c8
SHA512 4b53368cdbf3850ccbd24595ed786ab6c2a860cd03d85a1786ab2ce82b660e723e5de215ba470bf5c558dae610d85042eab8c8fb4d288d8ac29e02fc3e512fa3
-
Filesize 1.5MB
MD5 5ab91d4356ea5f7dfafae060f17f81e6
SHA1 dbe97fccd1d13d4f83c184b3d40cd20a5aba3b4f
SHA256 f0c19d67dd9e8f0d2b93402db6ee8856fd8ce56882a238f3311797b8d438acdd
SHA512 4787ddefb355e4c6103fc29cb47018d952ded9a18167f469bf07869dd391fba8d80947639570011e52de454516f992895c40695082e53eb7576a58e8759788c7
-
Filesize 1.2MB
MD5 f61695395d9b723c6547e6ae6ba8a967
SHA1 59c3589effa55aa0079ec3f39b5d30c0a9532d14
SHA256 4b27cc7f1edacd9e0f3cc55f42f446cd0533a20575581148a35ae7d60f098ec0
SHA512 d9faaa6f76caf02142f705456518038616496a98604a1b7aafe51a973ed6becbe2a97b6b2e927bf5822d01b37e9335bfa37c0f289d531fd389a5ca1e600762c6
-
Filesize 582KB
MD5 d0a8e82ee2b6d43c4a30a3fc5cbac728
SHA1 bb36f1441f978adae90bd3a73219a7b5576bb47f
SHA256 45fb63d6bbb53bf4f7778749696fd803838e0d87ae1220b0d1a79e074b5188b3
SHA512 baee554b69542eba52d905e668d3ec25fe5d6146a6fc5209f0fbedfefd4e1748291a6b801c049fd69353bb3fc3ab0438067eb10c0609b39bdd9755c168504f9a
-
Filesize 840KB
MD5 901f2c24c9f8d44c8097dc27020bd63d
SHA1 0dcd77c07221889672027c84453b3125040850d6
SHA256 8da6b193583d0712185fc7535d0b0b06a9a53b43400f3ec04d30422e323d7c3c
SHA512 6fb0e67a7739ad45cf6e870c6e65a1a985b12e4a355bdbd5628a6fe978289ce3995192f0a9cb2a49a0888cfaff793174aff025be1836c3f5249b5aa315a29182
-
Filesize 4.6MB
MD5 66e18affdb1948a0071c1c4fb7c66795
SHA1 4c4f53807b741802e134b91cb27bbe2d768ae7c3
SHA256 d0e7ccb87e2e226de3f6d79d976834bff3372fc6f22bd9d606ebe0afaf2e25cf
SHA512 34161c2ac4b53f8d6d99628d58bf078db1b912a076485f158d4594a3e382d33d3066f645c4d69c31f8f0a6b31d39432bb094c390a24de3f07c8604aabc0c7301
-
Filesize 910KB
MD5 e162217afc746f4b21da3a0f728de218
SHA1 b85794a578ef2c9ffddb47cd4f47ec7d6307f642
SHA256 546e88d02b4f4df1e45b35b1fa0e21354766abf70135a5e81d340cf521b81ab9
SHA512 5b57dd91dcae749ea96c7807d0433bbaeb1cefc7222f6893b5688c2366039923408098557bda703e3ff1c695ce05e17451f07204d40889d55157972e539dc2af
-
Filesize 24.0MB
MD5 cff08d4f054a8f5ffeb4b1fad894cf13
SHA1 2f934941cf70f1bbc9d4ccd2a637186b00470b1e
SHA256 352025fd993a5ef783b01f8d8d0f7260095f1d3757950ced27fa58e1742e03e2
SHA512 0d9da27b80b76646d71e175b6e3bc094691d3a44ec91c362e37eb5d066be64c1cbf3ed22f777d4c1f84233d3d02035392d38f84747727ea5da7acf0e2e55cbfa
-
Filesize 2.7MB
MD5 d98a7a918687a4a1f9cb4fdddb6710a9
SHA1 9cbc52f5ac1344fd328b11f06f07086029363199
SHA256 a4cef348e898f8326cafa89982619894d2021b9866e05fac85bb0229a0566855
SHA512 c46ca0818d6e869fb57666ad11928ec31bdbfba6dc2ffbfafd7e89919a12219cfe85cbb84584535e99cc6d39a5aa7b557833415732d0b906e13eecde296e76cb
-
Filesize 1.1MB
MD5 e0baed82ecec001831a026a6e545e5ec
SHA1 4b7cfe581e6290d8396b7ab94b75ffa3447ee3dd
SHA256 03a49b791e032e95a444ba6e3a5c5ac6222c66f1113d3490c91b1638a3492bfa
SHA512 bc9b2b06976aff35c5f552d89485f4dd7c98a3b130c53a3d0835445452596bfc3625c7b796e476c188624b351e8be61f19601f3d8a68a43f5fc8633015305d8d
-
Filesize 805KB
MD5 f74c4fb8c9f85efcc11525b127bac38c
SHA1 4868708e6b08a50b6bdf216e408ad7ee03cf867d
SHA256 eba05c7ba57dd9f7b7f07dd4c230d5faaf9e75819a403961b16d6b66e382b59d
SHA512 5a515198434ffea61307ed6200941ade7f4b4b19ace9cdaa201fa7b3673832c59812c992a03ca170504755e74265989c8dbe616a42ed1cfc5b601d646ea9859e
-
Filesize 656KB
MD5 e329097a18a86ca63a8112dc5e84b4a8
SHA1 91a0642e5a116c6e82f6d335b2b76ee70ce08e35
SHA256 20d1592696cdbcce5053403d348e80692105165cca5c2c0fde7332a18847431b
SHA512 e186605e24d563eea71463c7dbcbe81933b06d3c2421a6afd08163a2a10f8694a9f2e079f9a046a602e74d1293a4bd85850af1175f6e8b60875dd43b01532dab
-
Filesize 5.4MB
MD5 886ad25a2f643d0172c46e9148327616
SHA1 6ed326d7b41bf53f2d527a1561aa0ca4c4514e20
SHA256 5f9c63087a4a8392d701fc370754570a1c81248c12de375e27d01ce2d784332f
SHA512 16f34714d298c3013963c468f36a8e06147ae0e5426a9a44362404c9a18e64b611ac58881cc5cb2c790ba6252251bc9928aa6612d2d062fc3fb27010d4af0d86
-
Filesize 5.4MB
MD5 9bff8297d4d7167b8b90151e1d47f649
SHA1 224878040548b8db77cae63e52d5334b7edcbddb
SHA256 b86b83e49dd1e96b82ea225f75ac7abc80746b51693f75debf083d0a4504dd9f
SHA512 e094fee90636fb8c349c5733eebaa7a41ee65f6a46f160f6134f92518363ec4ea4c10207ba1cc92036153642d29842cffeab3875f42255d531fd08674c75a33a
-
Filesize 2.0MB
MD5 7f97b5d03a3bf12c6d47427e6b9d1b98
SHA1 f462df5de934724396b9808d85dafebc381140b2
SHA256 28ce50eae19afdcc57cac721994dfa5128c41709971e1b953c5759036f3418b7
SHA512 fe3b8f3375aa8b65172ff0191303bc720fe971d3ba940c5aa6ea463279b7b5f034e9973ef75935f807037262dc34399fa1b8fb6b981d9b8d9b6729ecca196850
-
Filesize 2.2MB
MD5 01dfa5d3915120b6223c07ad9f0166f4
SHA1 81be9240c20131996f694cc55a51df114b55cc2a
SHA256 0356d848c57de6197c5a7db4fa469754b52c30c134a2ad6b7c962dda7cb1b8d0
SHA512 579055d1f4fca7c722bd7a0a4e3aa81388591825c036fb58efcdcfb93ecb6be1e02df2aa783b72b2e51c6b6941736c3929ca140cac6b60bd174f1b15d8cfa824
-
Filesize 1.8MB
MD5 e39849ce7327b758e3937e4a31d65a16
SHA1 d28d244838cb0bad843bf81c539fb9a57196e15a
SHA256 b192843d697cd402ee88e75b59501bcd682f124a0d3545861e80ce306aa62e8c
SHA512 634e57b94501bad2c4b524ee8053749c9a4e31e3de57d36f3d780c71f231abc87f72fdcdc423cc683d54c9b88b111d1552ddb09b63132680a1c50b36eb8153c6
-
Filesize 1.7MB
MD5 cea6f64aefca00b670419d45dc52b8d2
SHA1 8c10836648ac273f6d3851a8c051a43be74645c4
SHA256 a2100ecfd7e86dc97a9d76b4c3b12db398a19a6c06972d976e5cc9da31f40e57
SHA512 2b7698dfb2f0b77f6ed27f019f092a77716e20c92885fb90856c18588093c894b5c134d061f017a966c17c2a58334534cbf02c67cfaeb6a2816e13c33a3cbf47
-
Filesize 581KB
MD5 9b97bde69ab7de27ff940a43414f69e6
SHA1 44ff81f0af59614c26d8ac3b1363d8c27d9b0008
SHA256 9064c198493dae5ea928290ed86d021fe5d1ced72e03bb1963623f038f543fc1
SHA512 ac8a0f5c169cc5989e3f36d30c6dbe89c1e92da577b0b43cbea83274582ad90c7235db8aeb7176f56b2bc3c8ea0698a27c049cd8f9fcf3bf5a966838c250e2a9
-
Filesize 581KB
MD5 9f8204f0182897dd6b2c2c23eae49a3e
SHA1 29e04735326d75f1474cd4bccf152e7dcdd57e52
SHA256 f805b543ff3f66ea205c69aafb39ed6def946b35b73bf63aeed621369390bccf
SHA512 124a0623f23d23925fcd4f4197d6176eabc36efb9f6f47e299c9636965652ae59be9735c0bb807dddfb51b8f352a3771d65076cec13199f9ef16aea1fd7f6319
-
Filesize 581KB
MD5 b087f679070ed264cfea733cd95c26cb
SHA1 42d273cbf88d1756b50f0b109ac64e9068fd93e1
SHA256 166992d9c68859de5c868988f797ba3b82e12195c9ac1676e65b6ae993ff22aa
SHA512 f8f57b684b1b522e82c1dd940254011c80a6edb321edd38a508c915dab582405abedf3823abfdbf6e4aaf950a4f73fe9345a87518a90916af39ff723b46ce970
-
Filesize 601KB
MD5 c861be15dcec7f1235e2bae47879605f
SHA1 3a1df4e016f57ca93a251147b5196c65b86d92ae
SHA256 cbfd08c6b4e0a8cfacba80236de565f0980574a6e8d7204978fbc3235e2f4757
SHA512 2a05897049db7e4bb1b75de9fa632f8b113f574fa7074195dd7c94b1dad2673083d5e0e8bdd5f373a273617b77c4b94bfcd2243023640ec3390cc6536b86f2db
-
Filesize 581KB
MD5 3324fafd7814395fbce9e34fc0db6ee8
SHA1 902c8fd5e69d8707ef39bda9e96b40d2a9a94454
SHA256 24947bbe9a2ede135c7246dedb7384d468674aab2a77b3a5d40c728c2a177286
SHA512 61ac170055a79699c1fd2cd728497c5127267bbc191068cae40c18fe96c58c5859bc82124f587c9bba6fedb5cdfc2c99b435576f3e16964a3477361d6611c944
-
Filesize 581KB
MD5 abce6f4906350d0cc6d8111cfc3f74f3
SHA1 4e679bb6fd3a59f7e5fcba57da87582ac62ce3e6
SHA256 c2f19aef0c60bd41a2ef7b9387cc745ad30c534be0f29e33e1ef8fdd022cce7d
SHA512 70b5613c190702f5e3d79d48550f28bbb3f75941a1aaf4ae47f3a2c91a49caab4726b6691abfafcd6475bb9c18f4429766de5726ca92fc6ea6e10c7644b868b7
-
Filesize 581KB
MD5 0f3bd309f77250314080c9777fec7869
SHA1 415d65172ff985aabc7dd1cef7a51e82f94706e9
SHA256 6d33662b62be44af6fb956aa8824776351277f3d9d3983f47f0a562808edbafe
SHA512 738bc9b9039a42346cc70fe836ad1a30f1dd08caea6474e505e3f1f2f7b72680c1886b5efaf83f88109ca884b1af4052f91cbc2c9e9f4b1928c560e24a0aa2c2
-
Filesize 841KB
MD5 d7b7fa16f9ac652aef6c563777ed4d2d
SHA1 d44bb306777bef6bc5b19b649d989195bc804fb2
SHA256 97615d4664fdfa122f4ef89a384a1de9dbf152e70a3c23971889d5a20f10f857
SHA512 16ef6dc872e8f7585b9823c5cd4ee101193754565b19ef5731bbae945a64b3b958d704cb98815bc9f73d48e22fd6c25ccd360129bdb8bace844dd7103a345f8b
-
Filesize 581KB
MD5 7a226325fae5e6bf13ca70f11f4feae5
SHA1 1f8d1d99875f43c9d6fccc5db3ba605759286d33
SHA256 69b99d30853f6653d6159d0c578ae1476b361b8d0b7f48649c4b8c7c988a0529
SHA512 0f3120a9ebdb4e01c9dfb2c33d8129ba4d92fe47d820e4f662d3b2ab6a32fdd9ae309ab007e8cd6238ccbec39af19f0f72defee57f447f99330a37db71a12825
-
Filesize 581KB
MD5 0ed855cbf2c5553fe399ea33b1ec99ae
SHA1 a1b281a43c77497ffe9df90347f3d83fe9d26f44
SHA256 8ac63ef059b06e74c00398584251790027db98803968d29dcfc898cbb66d60a6
SHA512 9fcf5e8c47ec08fba279d1540c56f39f73ba20c30a484d7dbfac65664f8165cf1d461af63a2c5efd64b57e71595fb1dcf669f3bc748b95963f976de904727bcb
-
Filesize 717KB
MD5 3cfeebe660123989f6aacadc138cb4e6
SHA1 587cc3f108706f39b7b52dce69f0dcf44dc199bc
SHA256 552c46a8fb632c57d162cd2d12b85da481ec2f39caed1eb6c4e7e6d7a35b1fd1
SHA512 6c62fefc9725dc61e4bd6eb0b7da0a0764b85080242db4bd219312eff3c8da41f6d160a313cef767b0f7141d44f12e96098747d9e86e0eb239dcff04b5e57e95
-
Filesize 581KB
MD5 5643a3d42b58ceaf3664f2fde437a8ff
SHA1 f16cdfb10c75788eb846b76fe237e526090e16d8
SHA256 55d5658e539f44ee11b6c1b52b020f180b8ae097e9f218dead3a0b3ea6df311a
SHA512 4a9764895c987280fba5ab0d11587dee5c129c9c5e712fafd9212d2bd8ad1b717a775b3d4ed3bb856c9fcd57c514c9585895ecf01263bdd7fd22e9b46a35e39a
-
Filesize 581KB
MD5 6ad7281083b2cb8428c3e380786ba650
SHA1 5ccde62420cbae6beff2de278dfcdd8ac99ec1d4
SHA256 211b94a2a3d37e80d6ae42498991717a74a92f3622417112a4401d9c6b04075c
SHA512 68a0408e1e21b7f1499994b71a1ff00092ffb1a7cece18d30d8a2cebcaf970fd62a9432ec0e78cf54caedc00b13cf3cacb966d9f68d7812f4bb553dd08c0e7e7
-
Filesize 717KB
MD5 7012228ad2a8c8e04e6c8a110d4da8bb
SHA1 d132af56cce3ab5755251dfa41c23dcca4768079
SHA256 f2acaaab400a07b90cdda1f00b7550bb4977f9bb8b93bc6224262e982a35e56a
SHA512 2073d965d9ecb890d6a0acc85871f023795e2b8573b867ae1a511b424e89d98f6a54b6e86beb56356b3ff29f05ee1ef9c6960016d4cbb57cf106ae2383cfb00b
-
Filesize 841KB
MD5 e18a94516ef33deea8185991f90d10ae
SHA1 52f48a6394a2337ed475dfed084a60989cbdb3cc
SHA256 8670b9a91d448f0023dce761cf2f30ebe36f42601f8c1c375b96a38b48a3af39
SHA512 3f0074c3871c2827edc5ac51b726af09653646ddf4aeb6c2f10185d87d660e19b70985e43be31be11d50c431bbfcaca1dafea8dad9cdc0901bb2d5dd2c4c3b0a
-
Filesize 1020KB
MD5 81ee9ac37cd7505145fd51c6f3132f4f
SHA1 b59773d968d8c6ecbe460128ab61f756134e5210
SHA256 31c26061566c08dfba62898e50e619aa9299d9b30c82c85cfca874cc3fde314b
SHA512 4a60ca4c8fd9e355298c6574b4b7bde31f975831e0e4048970b67dc33df9018b0fd10ae695e33812c5282d4f0129533afcd04dca3a9db61a095df0dc6b6559f1
-
Filesize 581KB
MD5 f60d674ea14b6b58a3bacacfa8b507aa
SHA1 72d61625001842c6e9aa959a1ba9d6cd5585ad25
SHA256 1777a72df2f6b77d68b75d1bff810e12716003d66b13f6082b638056e235e074
SHA512 a16b2640063cc841cee202f2e12ebc36c9a57791dc82ea1cac5a68d7585a4609e769a95db812db29803e134bdcbedc2f767ed9478a4bc318fc73ae1c9567e18a
-
Filesize 1.5MB
MD5 39e06ad57aa0088366aff95a2fdf9e81
SHA1 5e4658b26f71f72b43a68bdbca9613ac2069094a
SHA256 b288083fdd87aa471ed421ac00f95626fa974b288329970e4fc36b6388bae1b6
SHA512 c16482fd2bc5197dda6ee2da3698897eea8042c0cb854b9dfa68a182ba3de395346e383eca231ebe2919d139a7cc8dff9d146a639b6611c5e2696b0d47359c04
-
Filesize 701KB
MD5 06f9d6f92007a66f8270aea6fbc936db
SHA1 ed81769b13657e5e4aac8eef772963a3cc737900
SHA256 730b4bcc0b4be29e721488dea7424cc635b9e4f4c09885e34aa4e6604a1ae5b2
SHA512 0a83fcfb3fb01ccd141d0f1c4c5d97187f057e04cb19ba8b3a427e6ba3d6b984be8a2b3a9d32c10af9c65b8eae7da9d61c75b226ad8c2db8dd8271155645c37e
-
Filesize 588KB
MD5 b75c6deb5b4a01b9d6b9cf46601a572f
SHA1 00fe8e27e8bc2757ad56c937b23ce7ac7e275f77
SHA256 49eeb892ba2732085d94d01b70ab0138d480d4e71413348d1c753eec8b7788ee
SHA512 f149b227a8d0dfeb712a0e628e7db7cd6c9b85fe77fdf3d934154e1b6dd95198b1c6e023b4c6e948f99ecd4f411cc0531941552f3da7ce3db179a4df5b3bc64b
-
Filesize 1.7MB
MD5 02a37975eb3af000398760a7970a11d6
SHA1 457e0a5fa5de30825ad6382f28c59db9c6eeea91
SHA256 a68a7f9275119e3969746b07c4653804bf31985f36259bdf7578819514953745
SHA512 55f22fbf2fcb146f31673cf47c32863dd5a488a60ef74dc92eb3b0a15e7c79fdef23000a9101b63066e797c33855d732d8ea10e760e5192772bb62df533bd3c4
-
Filesize 659KB
MD5 afd951a973cfa25ef29f3d0905c1a48c
SHA1 7dd6587ce3bf01709e3df7d5748e65da5feb1a05
SHA256 7ede85da3e80537627d9206795cdb6c1cc67e8f121afdd8562dedbe7246eab2b
SHA512 c51dd63303521f6f9595218fc3f6aa2018e7ed607cb686210e68db762b6e4d8eb4966065ea0fe99eb3044fe9560ec240454905d248a9e356f9ef637eb4a0c3ae
-
Filesize 1.2MB
MD5 63dc2169ee22dc5779696a3ade025109
SHA1 b1a5e9aecb6bf16f03dfbf72250c02fc983f96dd
SHA256 0e1e4f0b16645835e1a157cb69ab8f869434bb023f8a70de0e6f12b1bca444ae
SHA512 990f09e065916c43119916385717c9fbbce820a8322693395d2346f80a5ba7df860eddcc040672f37f5879d6ccad2868d5f4d3ca1fa33b72b2c0a7159883913d
-
Filesize 578KB
MD5 35f90835172286645a4015e57e388a8b
SHA1 0c63f7e71fe7f1850399a3f6fd41527514800aff
SHA256 126e60a35dacfa7446925e6639c7064c45e658d0aadcf6e0a160d95ff8de279b
SHA512 c377c30e6166cfbdf572a9fd06b26926a50b89fc67cb743351e5d9eff77683dd7b33406bb1bd78b7d2088fcc176e21c5e0b4236841be6a9638bf374d38b98584
-
Filesize 940KB
MD5 7e5b2a092801531d35f6b0cbba63903a
SHA1 a5c57799515842eb8e037b69b2c35000f60152e3
SHA256 e545ac3cb39a30e006ee8d7fe0aca9dd95e4e5b9a78565e4f27f0863e94b5848
SHA512 e28572594da4966ece1ee953881ada1bbbbd372b406b064802a86ab95f47c2deedb763c90b508f3c30ff83d7cb07b7294b29d5a5af486cd1244a4ad3796eda18
-
Filesize 671KB
MD5 33ac85c15ccca5a10df96a6a6c269a11
SHA1 6f988c3e2d8b45a267b2e3d504d2eb7901995b6d
SHA256 823a017af2b3ff230997ca182e1a0a471f75da8491ffb9baa5d2637049eb5927
SHA512 9836711d68e979721294e28d42861c629a0eebb7c289771bf7c881c9c4bc6662c6459b2b5a8fe88bb557941db90fa432bdf44102d7ccc93d275e72f329ca9ed7
-
Filesize 1.4MB
MD5 1a637580ea525a5ceefefcd76e0ead03
SHA1 c16b4990234c8dd13673b0f80cb6d6a30d0eaa27
SHA256 7d4fdda76f7acfbf77782d562463943cd0ae080d704bd58d9cd1161e036d1b80
SHA512 f666ba049e532e0ceb13a643c4882066cfb38ec56e1e50ee389eeb9ab4aecb6c7a843ec44c691565dd87181a72c3837ec27e0724de5787c0ef682d7419f707be
-
Filesize 1.8MB
MD5 1c5b471df86183236cd7c365c84069a6
SHA1 225140389f5078e65e68814325488b82b8c60ae9
SHA256 cbb0699ce2e5cc5c41c294d222897bb5ec2e01fb8966dc5a196ee7bc83d098d9
SHA512 5022150354bb9b3bdbf26fcd613fcaa4183b785291e63fe85a1c2b8abf6ef6a15e0233789690510756d597d6a0555608ddc6feb5caa221615e34077cf08ce791
-
Filesize 1.4MB
MD5 6bc1a11795caa3cf58e4be75932d1595
SHA1 d13462dabdd9b6a077620e08181360c82fd2a1c1
SHA256 0e95962b9c24a4929aa8ab21f9c42e586643813d9cfce3804f9cc7f644c100f2
SHA512 c3f9faf1c908a0d3ac8adbd823dcd7c313a44749fcbb19e05df14229c1c817b32df8136f749f11e4df294d8116cc8db0d6acbd00e4cef02629b8c1efe3ab5833
-
Filesize 885KB
MD5 24854c7bf4803aad19a2a4fcab4cdde1
SHA1 cdb02f743f262bf6a15c6ef3ae3b346497505984
SHA256 7027e2313d23e59aa20645838128609e162c372c29b068a2243a1f9eea7deb04
SHA512 c4fbdc5be4a9bc99f2deb769c9c92e3059135a36d86e1b5aa5c5a500804445661ddad81af320dd57777c2d30a7a6e6209e031c7de2397874f9e154584d7da3f3
-
Filesize 2.0MB
MD5 ed7b6b7ca8fb3f047051283b6864af50
SHA1 7b6ddb79b503270c36429453cc090b58c1123732
SHA256 2b85e41128362ac11f880723f7dad8dc2e390fe26390e2c759178cd367e81d32
SHA512 f2fa0eed17dca96a1dc3746ffa443196023fb76f299c1e896e4a36144c6558c5004dda7058e9b2de9616e71ff880990648f249ba39254d6daaa8a55e0b154f3f
-
Filesize 661KB
MD5 b1efab226b21034383375fcbb54dd365
SHA1 a43402a37b579766da819546cc80ad0e5c5dfd15
SHA256 cac0ded1cd72455ea9dce79641466a220e94bc7b9559888e3d3df57ec2c3e36a
SHA512 3bb9e54d2f7279ff03a489b2d3095e72374af29681b35c0930906abd6331534a60b1ebe88319975752700742882987e3e45928d919e7b32e6ad17f374b14991b
-
Filesize 712KB
MD5 44d0bb00bbb00e09713d1a18843897b7
SHA1 ca8b3a248fcc7b3082308b072922eb6e2ef4eb19
SHA256 233938197674da521721d36fc6fb37e427ab1fb6d69fa1cc73386e38c1a073f9
SHA512 5ebbd45978accaa7fa8dd77bc92b2726ee94429dad2d80da530ee28ed4a74e5583e542d791e32671fbf18ab2113e45001226ed2b3522b69cd8b5107823ac7e7c
-
Filesize 584KB
MD5 9e91e5c2bd47ba3a3c89ea2d6d8ed10e
SHA1 280d064efb2ba5a4b120ffd418b38aacb3e5febd
SHA256 4a8bc2b3d6b13df302e11d3b7913aabe86db8d3ed525bb5469b4423d5ee74b1e
SHA512 256d450a01c0bbfdbaa32ab4a19a6cb0fdb22651fd614a58f68a90f735c0473c0278c8b7f354dba7e625def77a0e3733e7cd6b59a854ec0ff6deffa4d57a57f2
-
Filesize 1.3MB
MD5 b260300ebe65ecbd0e3cee01459c72a2
SHA1 e6c831d181272a04c73f99c44eb7c726372ba9a0
SHA256 e60c8d5ae52b15ff0c898e03b7ac88b074b40d7a66181baf95897966d2cc7e36
SHA512 cd8b72d0354469476b339c17d96a54dc9624b1aee2295ae41624354a467d99d0406095beb2c8b9745199004fee9726a4e771a1ec9d280fcff945e6500d4b3e61
-
Filesize 772KB
MD5 70b6b3fdaa63ce1b9945c82090e221a7
SHA1 08c2e24946d8eea354c06973d02d41c41918be33
SHA256 e749727adead15300b82121ca28cf6adf7ae5296812cb3a8c4f9abb86dac9254
SHA512 0c19d227b9ce7aa0552c4f80c7c8a372b01130376acb14616948b567b6545b5ef2c2fd82061a8473e2ae7e9df6496467d307d417d644354671bc36c7b1c99cc6
-
Filesize 2.1MB
MD5 6b8c347d6bcc3619a449c60034249051
SHA1 91c8e22da8ef4fc820a84ef4fc4fa8da29249313
SHA256 9a4a4933ca24628146722f39e9b4cde5b0302c8b5ed6862345ef5f9b5782c905
SHA512 6f0c1c2f088863070056df7881cb0822aa1922718d7d011a09f21f057426a27977f5fe5d808caef03a64116bb9715b04703475638b06cbe76ad78dc34b5aaa89
-
Filesize 1.3MB
MD5 d32ecbb8fdaaf88a40a3ab3738588435
SHA1 7f8820832ea847df65703e8793e2616eb4066152
SHA256 2c34f1540d718dd1d7269aaedff2a218dd39c2f8e5a8e22af19e584c8efb9c9a
SHA512 26b92ca92d14fd8da85f5085553fe56e86431e507990dfec1a39dbbf8059e2b80752b820b0e6a9d6b8d0dac6472bdaf9b4aae3cc5a5d628eee95d35c71ca9b93
-
Filesize 877KB
MD5 193fa25f3333b984db35c5ec9943f466
SHA1 d59d25812e96891bf77e82920691894a0be3c3d0
SHA256 7845c89c9bc14afd9263fac3f11884c0b2a946a7bc95b62390d0b03ebeab1ac5
SHA512 f6308bfc4ac43d7be2221136298eb686c62bbaf465095d2a0f65a7c93b1131a70ce7babf599e334215b2162841e4cede9211c0327fbc434bbde437c4deff4197
-
Filesize 635KB
MD5 2943471a75f7af2afd7be19b82da7762
SHA1 84b1eac28a99b6d55ee7c3a62c1c43eff3f9914e
SHA256 a5376e57749be8ab1459a46187b466973ed9f391f3d87ab0bbd3819300e2853a
SHA512 388477b5fd01730c38f415af8184527a3715360c4b1f96b4e1ec3141cf8195f3dc534f4cea1fde70fde8e5aad854080698485f1b30c32369e7d56c5886c6a3de