Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 09:39

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-03_92473915eae9670bfc3381535d5b863d_ryuk.exe
Resource: win7-20240221-en

General

Target: 2024-06-03_92473915eae9670bfc3381535d5b863d_ryuk.exe
Size: 1.1MB
MD5: 92473915eae9670bfc3381535d5b863d
SHA1: 1de1904006abaddf6b9a6ecd2df37be4c5895d0a
SHA256: e5d062c7df0e461aa0fe8fe42640bb52c4dee56605575f6656a0fd90b1388ffc
SHA512: ce315acfdfcd7d3ccfeef73c6e2673595686010ee139bb40c05d565032d82cacdbfa2327a2b31b66502ff77575cc6d920321ca4345eeff973d8b9674b3acf11c
SSDEEP: 24576:BSi1SoCU5qJSr1eWPSCsP0MugC6eTXgXe4i7ojhsP5Lgrk1TWb4AN5:hS7PLjeTee30jaNf1TWbdz

Signatures
Executes dropped EXE (22 IoCs)
Processes:
pid | process
1572 | alg.exe
2760 | DiagnosticsHub.StandardCollector.Service.exe
1956 | fxssvc.exe
2068 | elevation_service.exe
3176 | elevation_service.exe
4988 | maintenanceservice.exe
680 | msdtc.exe
5060 | OSE.EXE
856 | PerceptionSimulationService.exe
1120 | perfhost.exe
1344 | locator.exe
4968 | SensorDataService.exe
3620 | snmptrap.exe
1404 | spectrum.exe
912 | ssh-agent.exe
3348 | TieringEngineService.exe
3200 | AgentService.exe
3032 | vds.exe
4456 | vssvc.exe
4716 | wbengine.exe
1816 | WmiApSrv.exe
4892 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Drops file in System32 directory (37 IoCs)
Processes: 2024-06-03_92473915eae9670bfc3381535d5b863d_ryuk.exe, DiagnosticsHub.StandardCollector.Service.exe, alg.exe, msdtc.exe
Drops file in Program Files directory (64 IoCs)
Processes: 2024-06-03_92473915eae9670bfc3381535d5b863d_ryuk.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (4 IoCs)
Processes: 2024-06-03_92473915eae9670bfc3381535d5b863d_ryuk.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-03_92473915eae9670bfc3381535d5b863d_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: fxssvc.exe, SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe
Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000299c6feb99b5da01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
DiagnosticsHub.StandardCollector.Service.exe
pid process
2760 DiagnosticsHub.StandardCollector.Service.exe
2760 DiagnosticsHub.StandardCollector.Service.exe
2760 DiagnosticsHub.StandardCollector.Service.exe
2760 DiagnosticsHub.StandardCollector.Service.exe
2760 DiagnosticsHub.StandardCollector.Service.exe
2760 DiagnosticsHub.StandardCollector.Service.exe
2760 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
656
656
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
2024-06-03_92473915eae9670bfc3381535d5b863d_ryuk.exe fxssvc.exe TieringEngineService.exe AgentService.exe vssvc.exe wbengine.exe SearchIndexer.exe alg.exe DiagnosticsHub.StandardCollector.Service.exe
description pid process
Token: SeTakeOwnershipPrivilege 4752 2024-06-03_92473915eae9670bfc3381535d5b863d_ryuk.exe
Token: SeAuditPrivilege 1956 fxssvc.exe
Token: SeRestorePrivilege 3348 TieringEngineService.exe
Token: SeManageVolumePrivilege 3348 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3200 AgentService.exe
Token: SeBackupPrivilege 4456 vssvc.exe
Token: SeRestorePrivilege 4456 vssvc.exe
Token: SeAuditPrivilege 4456 vssvc.exe
Token: SeBackupPrivilege 4716 wbengine.exe
Token: SeRestorePrivilege 4716 wbengine.exe
Token: SeSecurityPrivilege 4716 wbengine.exe
Token: 33 4892 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4892 SearchIndexer.exe
Token: SeDebugPrivilege 1572 alg.exe
Token: SeDebugPrivilege 1572 alg.exe
Token: SeDebugPrivilege 1572 alg.exe
Token: SeDebugPrivilege 2760 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 4892 wrote to memory of 2116 4892 SearchIndexer.exe SearchProtocolHost.exe
PID 4892 wrote to memory of 2116 4892 SearchIndexer.exe SearchProtocolHost.exe
PID 4892 wrote to memory of 3160 4892 SearchIndexer.exe SearchFilterHost.exe
PID 4892 wrote to memory of 3160 4892 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-03_92473915eae9670bfc3381535d5b863d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_92473915eae9670bfc3381535d5b863d_ryuk.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3344
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:2068
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3176
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4988
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:680
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:5060
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:856
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1120
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1344
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4968
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3620
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1404
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:912
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2148
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3348
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3200
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3032
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4716
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1816
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
  -
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2116
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:3160
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 ce61eb81841aa96215469b7f48280113
SHA1 4c5b394cb9b6a71667b12c3d6219bf2c29bf4dc8
SHA256 23b0f734636d4ecbb14e2972394d71e44fed709ce0aef212cdff73c75e7b79bc
SHA512 30e618f197642a945eaee37c6d144f19fdb8b367a25872aaeca2ab31882c2556658446ba48386fd35273caee34e4f278b849f11db11077d9c58d53e5917291b4
-
Filesize 797KB
MD5 0918788517b6a421b317995ea850a507
SHA1 aaadb2486b432336e9b0d85a25f24ff375f3db89
SHA256 b0c91f112f0bbadbe49073562972778735bdaa12ad0ae47ac6322b6c33c90422
SHA512 a2c935bf122ecefeb340cfaca916d7c602ed62f544d0964bf4e72b3736f94240c885eb29e94fd976197e73013ac7cb6f216a9d9ebb9b66dfa1fdeb3af68e2173
-
Filesize 1.1MB
MD5 4981c9ebe872b6e6ee3166ad0fce148b
SHA1 c875d1b3d2d240ace8be6756889cac713bba5b59
SHA256 2cb8309e87b1aa594a66a2b418c79d348cdb88dd0f12b326eb61f4417d5597a2
SHA512 c79dc8b5c4001744daeece7799959f0e9df759b6cbd4a3d5d4fe24c0a56cd4dbe753743fd9ac2950a0b693237df2498f4bb90d86bad3834ba17e624035e1fa28
-
Filesize 1.5MB
MD5 9ccb2b5efeb9d25dea379aa626728139
SHA1 41416ce1ec8539484540b2c7e3920c013ef9711a
SHA256 8f5a74cd76b6ab3cd740b240941c472beec939c3a8f7eaa19c1103937ee5f2fa
SHA512 bdfcb9ea4bea55e181bc9771a76595fd20041dfb62965964430821135fad2e2a3031c17a465d38f671823a04e990f7dd2bef31409b6de33cbe11f3087e7e403b
-
Filesize 1.2MB
MD5 c3143511b7c8ab894b52e683f7e63d55
SHA1 2532799d36631e82fb6901460421f707b2025c31
SHA256 5f7e8e5491dd045b6baa6ea970492e696dd606cc7bcc33b1ecfd6bd50764a0fb
SHA512 41ea82e05bae2e1ff0f9b10dd9977cbc7ba1cf8acddf355f788575d522aad9c4448835ae860ec8a01156be69afaa3936c8d7eca0bf0bc039941deecc51f2d3a3
-
Filesize 582KB
MD5 240075d9e4db3c6b98fc9a0c95d29c8f
SHA1 a9df823fe9050328ff44747f1fa064a198b23d0c
SHA256 0f967b6654bec13e7debabfdb6697f332a6a6133812b5fab60d3058b0c7ef87e
SHA512 e38ec0c5d6a111310af937bd0791145aadac2d39f8c509565beab99e0ead9f864a6e0bfa00451f446137b5a328e0e92a3570a96bee551a7d4db8ae11ce13ae4e
-
Filesize 840KB
MD5 fc7d333f9e912ba69d1093445313a3bd
SHA1 b7466730abc4ef2b297376cdc60239ac5b0815e8
SHA256 db794352a6605cd3d93e39077d60ef073539826aac7adc7beca3fa40e5822426
SHA512 ad411e68b330c4751554bd052064b3b713fd75d32afe715cbecde15d693ae9d67cee1151b534a0ed9585342174dd4ddbe496dce7f43aa51b08bde4de710dd053
-
Filesize 4.6MB
MD5 e39e34ff0c77fa80d59d14d0f8eb0a21
SHA1 42ce0466a81308685ef64176458509d63c10ca8a
SHA256 a1145072fe8cca9d331f1bd1c458e083951c66ca4b072756fcdac73274493f89
SHA512 47eceeb76eb7b4632a77481efb851b4b31deb057015a184a3f8a38ae33d8cd06d53af5cc3a6000dfc217eab2c6c2142986a36659c502d47cfc3a54527e50ffad
-
Filesize 910KB
MD5 728926ddf98125aa018819ef663f1656
SHA1 e18a7da73053f15c16585487e30eef014fa93a4c
SHA256 1e2b84bb875daf19e1cf2d3bea7231c7950f81146d6c7c5a79b014d0649f72b2
SHA512 2330edad52ddddfac4b9bd2d76df9fd3940890d76d45544b6c163eab834f4ee0ad1b6044673b8a5da9a7bf1d675c398dd9ad34a3040e5b9825a7125d47d4709b
-
Filesize 24.0MB
MD5 bc709d2725c3426c62c20eb76e546c0b
SHA1 1ed0c46074fbbf6ee35f3b4e127039a5a22988e6
SHA256 b38a99e3f65f0598cac61e6d8ab991739186df95ed96abb20063900e0c4d9790
SHA512 943cbb6c3638b3d8d48494907bede9cc6b85fb638c4a237550af1dcebb071291fc40fd7da4ab1dfb4c2138d4c1a796c9f110c9d3ba910adc3ee7304542a9f333
-
Filesize 2.7MB
MD5 9f26d09dfb2d0dff78a1c22e52ed5a90
SHA1 806340b983c3c458252f85c1c78c297a4f77f0a6
SHA256 b4ef1f9af0569bde6eae0ef78dd02bb2c028d72f874657eabd28448a8e6e702f
SHA512 9d10a6218b0747977457b9015564d7d1cb2247421ec191591298720852cb7f783da37d721509db278f4ef540e0ca64cf39ed656e81cce9d25021684cb3825cf5
-
Filesize 1.1MB
MD5 4fe815c213f2520cb6d3a17a7523e7da
SHA1 7517f42e7030c4e7d8d5493c88547f90b2c7cd95
SHA256 9990e572ef1e08d2016af7492ddfd2ad9901f8d6f6cabc323d433448e462b978
SHA512 853f6a076ebb9de43ee63355d8b9b95f99860620ae914257efe649b5e9a54497c6fc546bffd7557072eb860eddab4d4f21a7073238b6c11b81e7b0da68902180
-
Filesize 805KB
MD5 842e21d564001efc09dd1bc2db5151c4
SHA1 7f70c9aef27790aed8eed5957b75c8d098f75a9f
SHA256 0f254cc2365aec15d2532812ba8a66716ce3799ac55fc777ab5c98d5eecf9fe7
SHA512 e419845113452fdbc4ba793bff3e521c7f430377d7945c82bd78afb4bcebc09176e749e8c6b79348c97170340e362dfe5de4b9f55e71e48f9540c4dbd9d1b959
-
Filesize 656KB
MD5 dd351d80d3210d081547dc1a2201d5b0
SHA1 0f4c5c6211c58d13a6d2c2353c82edac05fdfee9
SHA256 f487231773b84dd561a03e3502a8af584dd85a068624de18108c162d8d494091
SHA512 ff423998e7096167b72a07c7e5bb128848728132ee654fd6c9cc54706653f3cfa196905632f9f55a3ef5a30ced3eb094c5328438eb68946fed46bb9a578e2200
-
Filesize 5.4MB
MD5 f2307168106b2173b2fd7caafadf7872
SHA1 62bf85ea66101e0fb4116fcef886d740d17fb708
SHA256 8e52e8a2e5df1461bdd45479e74775379049804ada219b0cb807024a14e9c963
SHA512 da4007ce51201781868327226b370a6b73cb128e468b92ac7128c989c04a30bbf54b9e3586d94a0684e72b0cc3d3d089a2b909ecf8e045733ecc4123362bb553
-
Filesize 5.4MB
MD5 bb2815e7bf973d22ed825260af5d3bac
SHA1 4def1cc22d276e4a4067ca6b838084e3d3be6f32
SHA256 1e30be6254983c7f4ad949e973e0897ff81fae480383333ce6aa9f8d99f2a40c
SHA512 84d320eebfc4a7a9e4e8aa061336b52879229eba2712a8dd069aab55e79933adb303783ef16d42c30006c4585f517765ca96a76c96994a308d8e0b00bac4f8c3
-
Filesize 2.0MB
MD5 be793f32d6ffcaeb44027704f00777fe
SHA1 37e37ef2f3e6d260ee281f372b39b533cad88066
SHA256 65281dac52c072f6783e880d4b6d86fa869800b06f202f2d2acf30fdbf8201a7
SHA512 9f83d4d7b09b4136c23484d86d90dda0854921f50e79956364f441f664bfab20a455208118ce0292e83dc3ae669de979593429c5290f9297718526f82a643dc5
-
Filesize 2.2MB
MD5 0bbfd3cd9dd163e03ad6894e3bef85eb
SHA1 a9d46da150316c43c10510e7f456acbd4cd3c990
SHA256 2e6fdaa8a23577c3920a4b3d4fe0a335bc68481d625467b1c1a836793dea3905
SHA512 2ca0b81b142c321178f04987ffb0f79a29ec29e0a033eb542cbea4e9419344933a376bc98ad002b1a78ca314dca5fb6e993c77acb5fed04048ee7bc368183f91
-
Filesize 1.8MB
MD5 56371f9d06da437e4d3e88c5ec1f9dce
SHA1 a6cc38811ec435769f804ce27791fba7788f8077
SHA256 a8fe3a4a25c0ff6335c0cdcd36dcb7ed5b0a2216efc0921bd49fb0fc8917ff6b
SHA512 b949a12313c338673a8ab96f004c20dc30b1df8558c91099491cac6cbe5110defe12dbe0e28c9e7c52204711cad5a5a70d14975c802cdbbaccabbb8170ea5958
-
Filesize 1.7MB
MD5 3e817c1d1ba1899ba6f54d5f82a89a1a
SHA1 7bb8fa8f35de3bc5aced754b7b82566eb741060d
SHA256 fb1d90362ccff34aefc01b09068926719afc1832dc45f35433b8c4d5e4b5c52b
SHA512 72bf443a553ad31619c4c3c2e12899be8d4e2f29816a2ce25d00a4b1f35e17aaf42603212609994fd5fb4c4067be5276a3800b02d1407c87104e27b0ac5ad399
-
Filesize 581KB
MD5 4947fbb744ebf4d1f76bc9b4785f2156
SHA1 16ef0318817f654d19b79e7ab72b4174a102e5f0
SHA256 d7ea92b85960946e61470c5688166949a095abbe154f4c20d1b5a6c253d3d750
SHA512 1b97ae8aafa313b9e552eb0e629a670c3a755b50f1a99a9797034dc37b12bb97ef4364e4a6ef988ffadb99ef9a3e293acbaecfb5f1336daeb5ba43cdc74d5aa9
-
Filesize 581KB
MD5 d88819135941c0ca831f6ac74ec3b050
SHA1 34c250f009b41573520daab6e7c8634fd0811237
SHA256 3027cf01720c380ca1e6aee031abc1e76414256f1b67315f188e08430f891a18
SHA512 3918fb0f344ab8674ffd35402359a3ff0210d3bc1bee47612be3af8d303a295fbce13d5f8ffbc780b84e033d5430f30176cd8efa3f7539a360849471604f7732
-
Filesize 581KB
MD5 8f73454b95527d6fa2d03cf3cffc95e7
SHA1 eebe7fa69487a252f8e4557288fbe50f5e4db5ed
SHA256 5247d5b5c94492d592b1bb5a2aeace04ee898eee1bd9d9e1f3e2b2a62ca40def
SHA512 96abba1a887b684b038ae993dacbf115aca962c7ff1a9f34c22554bf044f56e247b9ff17ff2d89b10e39e0a824f26fe0957dbf97433427d64d8494401156fe75
-
Filesize 601KB
MD5 bf69f13f17743ff08b0c2aa57fad86ab
SHA1 5ab7eeaca8a31574c632af80988d0ce87825da85
SHA256 2f49e9fdb1712180c669ce75984a3ae441301020ee5423e9c80be040274eed49
SHA512 c074b5bfbf04ace450b59286963c12406aa1f9096955877f81485598b843047aba90ecdf46137d29fce42b08ad79f11bead0d045b8d4f82990ba3de119394dfa
-
Filesize 581KB
MD5 87cdaa490d04f68001f827d2f0b90a07
SHA1 a9a5bbac81c4335d88cb957b801efb9416efe4c5
SHA256 e0b25aab3e8e5619f7035135f6e0bb2d87739a048bb58f588cbe82bbfd317902
SHA512 fc183eedff745cbf4f92e223d0e3a213096f5010fdce834a5ffa070e4ab00536bb84a804c43e907a92fe6dcedbf3a85408bde7a7350e44f65b47ce7888e3e1c0
-
Filesize 581KB
MD5 b47bc0cfc3849b171b30c69d886d2f53
SHA1 77251c536ed47486e2391bb373b10d165a2c9fbf
SHA256 4f1a409eb61dfb722e30dfddce465a76f3bf2700f61c98459e5fbf1ca53ab101
SHA512 cb457983783f263f113818339390b97637215238140ff9f29c12554df38bfcd5a2a068652eff0159d277ecfdeef4f49ade19464c67c108374aed91e02a523201
-
Filesize 581KB
MD5 57f0978123aec41dd3bdca4d1c103fa8
SHA1 b503f8e44cd572012aa03bdbeea4dddffebadfb8
SHA256 d92ab9ec23ad067bdd91e3581cc88bf58c4dfae68100ddbc1bfa29996af8a9b0
SHA512 546b0bf048fdff03d87d3f4d7cefaa4d2870e475487b2ed9a4098c54b56dffbf3d25772c18884629fdd1c3178c227ac69b4ae27e1d8faf0a79efe45f9cadb079
-
Filesize 841KB
MD5 615612a9820f9e59c633488458a119f5
SHA1 61d6afc1ee7ccdee78ce6f8b6ffa706c3ab40198
SHA256 ff3a531ff6637f80278633c60ae6533b364e6575878e3f35ac4f746ec259ee47
SHA512 708fd48bc5dea176ae988678a73cec22bfb139e1bd9b7562f9f773af46f5713312a9659009302cfb0e48329e956d1f1307a6bfa58c9507e09015f29671650a85
-
Filesize 581KB
MD5 b5b75318dc5f9579a88a4b94e88f5212
SHA1 69ceb62912ccef58f7c8b1fd9164733f494eb29a
SHA256 255ebf8a9a7a62dc4f305269f3cf9856723b03f36ab967a5ce812f09699168ee
SHA512 42c2ebede8d9523545c71745b7a2c128eb1ce0306471c7b55e234dbc10c905bdb239b5d0e08b82fa5babee6e1fe363f5afde98766e59d17492dc048bc4efd4dd
-
Filesize 581KB
MD5 851005ad5a442a3718c8f3fe89f0f5ca
SHA1 7bbf8dec5918114f4f2ba2fe60dcc295ca89a395
SHA256 334e1f48bd01548268834a3edf08da783ec74c0b5844edbe31324f27c6cc57b2
SHA512 4503dbf5accf8dc99c813ebce6f5f41ee29d14577192118572cdaab2459ce5e82f01d2516c6e349c821847be63e46ba1a9643c703d3353413b719e6debe02f44
-
Filesize 581KB
MD5 0cb130b9b684ae13af5b3859eb0f7b85
SHA1 b9a0e1f88fb6ace3476ddb9ceedf0b152dfa27a1
SHA256 8e9b16506c13b3c3106b2b599620dc2b543ed3a37ff27fffc99d697d7707286a
SHA512 a50341ce8b66ad998ec8957d42928dc8ddf6870df751b8d015886b5b711c03932a95338381ecff880eae98ed6739d3aab5b0a3b3d3c0e869647e74a75fc6c2db
-
Filesize 581KB
MD5 6ba301fcd37657c43a5d068ed265f5e3
SHA1 6a7cafe5c2757e51c1da25a2b893be8a980b8ab3
SHA256 228410ab643e1024e14822fbf71485aee83542e48db9a321790101ec787d90f2
SHA512 cecd63a4ecaeb99d76f618c2fcf71326254c293adef58c78f193420547d3d4f32191c6344f9b57a2732b26a234ebf81d7f4d7f782614141a552aa2ed60e366f3
-
Filesize 717KB
MD5 be439b17908fbd1d083d62739e513a69
SHA1 6ea9bd3883e8a1a60975258537101e53c9f8019d
SHA256 7134e13665fd355302f2795cd41a267a17f0886db17a28285135b9a391c1bfdc
SHA512 754037605b1b62ea054bff8f47c8494cd6c0941b3903c0bd9f28dec27e74e8ecef5c29bea18ebbf161c681c85bb94d6d11a91d597755c6dfaf7af6d16df2d51d
-
Filesize 841KB
MD5 b91cc1aa6d1e89ad3192438c8cce1202
SHA1 5e525293cc2834613c5ce33f380f35ee6551bd64
SHA256 344494de459d96b8e17839dbadf5bcb40a133b2b8a4e8e949bbfff791bf061dc
SHA512 695d1135d6ac3fe502d32d5d6f5abcbcaadad4e247c6ee1d66f541f81df90bdd286a2a001b52edc4447b9de342492fa58496ddf7a36eb168b1ba1c3ba8951713
-
Filesize 1020KB
MD5 a1a62fd2800788924c750770475ff855
SHA1 04f2f3d827769c90122b224c2f7656faa9f73553
SHA256 f02adea47a642999607627de1542c5a0ffbbb9e3636c9b8bf590c98a0f9cc7be
SHA512 ba31af7f594692f7dcdd12a10f061ca1acbce4cabc471e92c5bad65622030f69523edfc028d5061107719c28c96d9ac488dc24d423e086244a60ae768eaa2140
-
Filesize 581KB
MD5 8c1cb7bd1715ed3aa6ca29554b720d87
SHA1 306603260326b4c759cd545539f0b8dbfa444b1e
SHA256 d459f8570a2349be3e40a803963aab4ec3352ef0896d15701f5c1e3ff061b9da
SHA512 a04521ae6841d5174f3fea1b650c51eedf6af1712847f96868f5661dff11cac675be9283fb33029df3e44e6b24cd4f425c70b236f37a6cb018160dbda75dcd06
-
Filesize 1.5MB
MD5 345b0572ddb6879d30bf0870259e43ab
SHA1 d7401b1b3abce8e972c6b3948afafa498ece0e2f
SHA256 041c6d26117d6f9e1a91d10366c62439793b052acff5570a870707b76fbfc7b3
SHA512 35ca0eba90d0edee08601a29773c8873a22c922026991a60f6d276bebfae6cd2ad9583556cdb11ca46b58bb66e087090e6c746834a566b05d4ee703e79e1c2e5
-
Filesize 701KB
MD5 d637350f7bc3f4a3c86d09fb047e9419
SHA1 e10a6be329407d542690b37f245798ae2a957e8f
SHA256 3061c8e634d040cf8edc26f80dc61d4e647f5ac6650b787322bb3c28d111b01a
SHA512 8e10bb850e18cbe9f327d801ea211c48479e7d9a34f1ef6767279a21a53ecc8a4d521af05f6da6ba8daf4438ef140b6696c96aba9230b6606b96c95b2879c042
-
Filesize 588KB
MD5 385eabe307ec8a292c4b150de0886344
SHA1 801dfd5f95649dacd2c7382411e1db56832be130
SHA256 11d77395d98a13e560a1caabb9abdbc2223337efcf835dd912c893cc0c0df68b
SHA512 7fdaa58e828de24c6b91197b9b5c3229ea91098e58c0a66008f31793d3b030b8e2294a523a335aeaddf0ea8b15e5d773f24edab94a7f39fa4a46b9cb73899e54
-
Filesize 1.7MB
MD5 eaa9cdeaee4b062f24522a094a90d681
SHA1 d4bedc3997b8f007fabd10da39b6c2e2df1d6682
SHA256 e0c25e5d22b355c76126767b1669d76b348f763a33674ab55d74bd41ea47c30a
SHA512 1cd0958530c95562f6116e2be8efe41283dc7b5570ba18abe7339b36a25365d00610fbf87e51133e6f4448fe56d0dea53ec12115442484edc6c645a5eac82a71
-
Filesize 659KB
MD5 398424c894da2f0f2a509629425c94d1
SHA1 b454e3800f2c317a46f4191f90eb889e007c7686
SHA256 4a3375447e89fb064dbfd7671929306b579d311f3fa1a0c3d2a2ed90d470fd26
SHA512 c4194dcf9215fa9116a932cfd3e958cd1ad67ba48770c564de02bb3cb65709f9966e9b0380279632bc68bdf20c5f1ed70be5255bf2f8b3f3663ce4c3bbc17612
-
Filesize 1.2MB
MD5 8c9aaf00af43627fcb2f11aad56b7087
SHA1 36e84463a915814318d41f06bca62ac083fd03dd
SHA256 10eb3cda66cda8d79b585164d16413ed830b06c2b2da48447f00126a2cdc2caf
SHA512 a2872eb91f69f925f859023d380afc3505901511ac487a1dc6eb097034a8bc6a5358f3854c5c778f650ea24e9ab72a80fc885000bec1d5913e358f67d9da2b50
-
Filesize 578KB
MD5 6e0821e4aaf63c08419f917beb902bfa
SHA1 46da242cea803c1d5253d82e282cdc81b542b866
SHA256 da22c8193b490a5639abdd9f4e531beb83d44cdddec131d6fbc09c98f4d6b832
SHA512 985f1ec841b3534903d8563df25cac89facd9770f525a9e9ee2b79a906760c3b62cd272ae772e85a51f243e0573706e01660c3cb0377f753703779983f794400
-
Filesize 940KB
MD5 dc1476be7dfc339e698bf00bb2bf54e1
SHA1 59a1278550b551b1fd4947dd32ce1aea3e35dcc1
SHA256 d7d0fdb80c6bcd08727c8693d22b6863707e57c46bd4bacf1767981683541e98
SHA512 7a6f81bc5fae670ffb7c386a3249096457b6a06049f5e6425c712cf3e608f664d6a8e1bc53d6ac2d417a2e8ecd12a36eedfdf5211c2228e12605f3a2c7abca95
-
Filesize 671KB
MD5 a44d1cc1b0f574dabbed0547b3fcbb90
SHA1 e2d8ca904a0a8f537c7ffd181857cf7916ff32d8
SHA256 8f211b5c1ac6f2a589826232cc26c7035f113147ca565304b7b7d50f15935f6b
SHA512 b08faeaf54d7c0260ee45dca1edb003bf034e957c47828ff3ef5adfb9c6d17baca036859555d70cb56a62f4b8d50f0b7bc7df8b3c492d3e387fdee1760dfef7b
-
Filesize 1.4MB
MD5 04da828eb7aa54694d2ec44684c095ce
SHA1 1a5e2f1f50eacf6d77476557bf2636f88abce435
SHA256 baa4de3008b5c14a8d419e767025dfb46b4b8101916b3fff4cc7cfbdd548e0fd
SHA512 c7f8ba28f2c26d1d595d497ba6b6cc2111ca4b90a287f37dee92291728158e06f103566fbecd2f48afc038cfbc979db8fce45e708cbb99e7b2c702d0e824c3ff
-
Filesize 1.8MB
MD5 c1518f025d0a1117adc6eb7f5092ed41
SHA1 d02eb27d1dc09638ad3b7030d9a07c435957cb62
SHA256 6981ca23976c1fe3f0766c52ba5ec55eed747768b7bd8445fe711ae4c1196492
SHA512 f2dd946766536254c59b55f30206d35ac4181cc45fca6362c5b90b66faeabd42edb69fb16453f23aea5a06618c9253cd45e837fafb7ef63345e008dac65dabbc
-
Filesize 1.4MB
MD5 83967aac45a36125d938c8d1809e27c1
SHA1 f5b1bf2d73e285ee2bd5e62b8830ff976f2f0360
SHA256 13e40f60c793f0ef1518a979ec2d9bb5d1b5faa175c95eafe4562eb4072e92dd
SHA512 71a01043f5cfd2e71e2ee3f51c1db8b6e3d682442e96747a419d353f348bba47d7e6746b143d5f2d9e85de6cb2124caae3b41a60e5599f8cc090be6aa7555d1c
-
Filesize 885KB
MD5 4dcb56d94903e93fb40f7f4baa1cdcb9
SHA1 e24a8f3f4dd4ef01bc66582644b62bded0f64146
SHA256 0a374116a09543695d7e3c74fd56e409da7b8e4db8528ddd2f3c9e3a6342a1de
SHA512 0a2fc7456db4959cf36e61543f783bff1c5d963db4136b08d5531305993ae0acae0ecb75f7f541e228cb2e043cb6f3de1456b31dbba5f5b8a593e6a36e36c1d0
-
Filesize 2.0MB
MD5 60e9f65d35e6f92a4296e5dc71cd907d
SHA1 557bf20d646d9ff133e8d0c0cdf20b3b85ec6a32
SHA256 7bef65b1fce6450bde2057c72ead2a92aa17a8d8898e3d4825ac3c1341793a8c
SHA512 ebfdfdc83a2a2755e25e328cb5ec4aad1987b863c39f4c10a098228eb35f5cea80247965093f81402db08b2c5f6e08e6f25532f9f59ebd2ff7b0c1db8358bba3
-
Filesize 661KB
MD5 6fefc4eeac1f226bc9b83295987233bf
SHA1 5b1c8ce16b89764d180fc17d706a859f7d48c52b
SHA256 b3189e28b946a3fba81e11b0e6e892072b54c50a0ef232fcac51ac32f988c174
SHA512 20ba22a1a0b74c964cc7acba9d0e355de08e722bc60335ec78434ee765538f6717e30cd1bf58745b0709eca978ed66a275594b11e6359303db2c504e02dae733
-
Filesize 712KB
MD5 03fc938161da088b52496550e21fc209
SHA1 ced5d47a469cb7380350b02df040460e995cb878
SHA256 e7cb41f741d0d073d675950ec05ae4063eac74e32e85e7ec1c2c21dec32e336b
SHA512 725b5a2bd688890881e84641aeb3e5a5b765ec255e47ce433012a48467042d6d190814c4df4b6fecb61f3d902dba7f83c67b6647441eb1047f7403d2309dc8c2
-
Filesize 584KB
MD5 415cc5ad7005091fd4f59a61fea25993
SHA1 1bafd1fda9c260ced3e9547d502bd4539b7cbbbb
SHA256 21eb9e9b4bfbe704e0085b3656dd51e0dec3c4e24105e9ea2cc6cb6b8cb908f5
SHA512 85b172a91b55b862422843b7af809ab5d163ce4a5268f14a9cab5af922c054978d605b066f5e904445865edc7b423e4e5ccfea769c98962c1b2f05e786229874
-
Filesize 1.3MB
MD5 a26c744f0da0196dedb75315f792f3bc
SHA1 728cdc5d8255bb2ef59c2087298322aadfaa34ca
SHA256 f321ccc922c0f8fd576dd19fef56b911d54d851bb5a1ad163f754710a81e5534
SHA512 a55efc048b6cac166c18836e3fdd233a3a06944130e5e41854e38f30e3830e419ee2b265c8d1add135ad933b8b9427e31935a99d83f1ebbe9c5c6c969adda786
-
Filesize 772KB
MD5 329bf3d9f1ebe1fcda649085448e8dfb
SHA1 0fc4f6392469c452615b2178b7d022669537329f
SHA256 51c6f15a36a89776ec9dfefa5234498afde8f070eae299a416fc59ebe01b9355
SHA512 9a838fa93b5e96e7da4f87ca9b45d1cc0bf475ada2ead360fa010cf02b052cebdbdd1cf9fd94fdd63724567a278a8a57ca85b3adfda25c2e900f65c783ed1430
-
Filesize 2.1MB
MD5 1c6a9ae1cf44421adfb5e9926810ec1f
SHA1 e433fe41e43f7b6ecc5fa6f5dc7237e14f161705
SHA256 c872b6f874c31c04914edaeb57975def2cad7aebd3c8f725fad637baf4068a61
SHA512 657f69aebed83fd7cdcfd0c3c9cbff8c58ff5ea8cf4194cbcd09638d25613edfcd8266e07a081741bc457af0ab77b3851e45a72940ea2e43eea75b16c8c6fa8f
-
Filesize 1.3MB
MD5 104ddc71faf27cdf1a9462bdfeb5ba6e
SHA1 1a70985281e0adb1a1d6667a26106febafec2143
SHA256 d4a35e4b3c0360ef1b437626bedcd9e19e60c60edf67bde45c088631ce90bf0e
SHA512 5b07bc6547c162d58db015f5cd7ed5d5a57bb59dcf285d8240b9d91e48f839567314bc663cc7b889c7b7b8503495415cafce3d0177285056f47b4b8008d6aee0
-
Filesize 877KB
MD5 6fb4c091fdf020d471063dc6d7e4b2fa
SHA1 5298226c0b050c536d9f26cc44ad28082959b5f9
SHA256 e9c7211332efe20af3354f9d9eaed4f55fad1445fe1055aaf67440f69972774e
SHA512 46339bffa3e655e3397984d9d677ff4b6519e460390c60b62983129e65669e75763ee1c6cb5df25182b0ca51ad3462de89282a1001dc2c04b2004eb5ec48c838
-
Filesize 635KB
MD5 8718094c7d21deddf0d1f640a3474cd0
SHA1 9c7d85ac82120619c524a60362c27919e5fb11ec
SHA256 f4ec4624ce68e316cc9a21ba0a7efc7ff7e4ec0794b8124641702aeffb3f1258
SHA512 6709b0fcce0b860ae8c0a6ca85520fb79d43a912d2e1ec60b1b3a1aed48e67149ad7be79e0ab6f0bfd0e08cba0f5407d03859dc6fcab289c8a660003ae226d8d