Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 01:44

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-04_3b0925d0d366c3f489be7036bfecb440_ryuk.exe
Resource: win7-20240508-en

General
Target: 2024-06-04_3b0925d0d366c3f489be7036bfecb440_ryuk.exe
Size: 1.1MB
MD5: 3b0925d0d366c3f489be7036bfecb440
SHA1: c9462226d516ab7c57f02604a2a327a1d5d37196
SHA256: 0d62e45d7a2eed28888cc5f4f8bd060ebe8bec48a945c08f4181a6f2073d2874
SHA512: 98c72cee47df4aecba945b69445243fca175a81554af1a2c66327c3e70a0203c2f63cc5974407cfbaef61fcd0b9fac50b7481a3bd9a19a4d3c095e35e4c92d14
SSDEEP: 24576:XSi1SoCU5qJSr1eWPSCsP0MugC6eTIWHRlMugdD+JsRgZRJ4fM430Eg6nET7M/IE:/S7PLjeTxxlMPdlR8v4UC0Eg6ET7M/I
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
Processes (pid | process):
3368 | alg.exe
540 | DiagnosticsHub.StandardCollector.Service.exe
4376 | fxssvc.exe
4964 | elevation_service.exe
3592 | elevation_service.exe
4104 | maintenanceservice.exe
4880 | msdtc.exe
1972 | OSE.EXE
1944 | PerceptionSimulationService.exe
1856 | perfhost.exe
4868 | locator.exe
1492 | SensorDataService.exe
3376 | snmptrap.exe
4640 | spectrum.exe
4944 | ssh-agent.exe
2360 | TieringEngineService.exe
468 | AgentService.exe
4840 | vds.exe
4108 | vssvc.exe
3432 | wbengine.exe
5108 | WmiApSrv.exe
2432 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 37 IoCs
Processes: 2024-06-04_3b0925d0d366c3f489be7036bfecb440_ryuk.exe, DiagnosticsHub.StandardCollector.Service.exe, alg.exe, msdtc.exe
-
Drops file in Program Files directory 64 IoCs
Processes: 2024-06-04_3b0925d0d366c3f489be7036bfecb440_ryuk.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
-
Drops file in Windows directory 4 IoCs
Processes: 2024-06-04_3b0925d0d366c3f489be7036bfecb440_ryuk.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-04_3b0925d0d366c3f489be7036bfecb440_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe, fxssvc.exe
Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002037f9cd20b6da01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes (pid, process):
- 540 DiagnosticsHub.StandardCollector.Service.exe (7 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process 664 664 -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes (token, pid, process):
- Token: SeTakeOwnershipPrivilege 936 2024-06-04_3b0925d0d366c3f489be7036bfecb440_ryuk.exe
- Token: SeAuditPrivilege 4376 fxssvc.exe
- Token: SeRestorePrivilege 2360 TieringEngineService.exe
- Token: SeManageVolumePrivilege 2360 TieringEngineService.exe
- Token: SeAssignPrimaryTokenPrivilege 468 AgentService.exe
- Token: SeBackupPrivilege 4108 vssvc.exe
- Token: SeRestorePrivilege 4108 vssvc.exe
- Token: SeAuditPrivilege 4108 vssvc.exe
- Token: SeBackupPrivilege 3432 wbengine.exe
- Token: SeRestorePrivilege 3432 wbengine.exe
- Token: SeSecurityPrivilege 3432 wbengine.exe
- Token: 33 2432 SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege 2432 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 2432 SearchIndexer.exe (24 occurrences)
- Token: SeDebugPrivilege 3368 alg.exe (3 occurrences)
- Token: SeDebugPrivilege 540 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes (description, pid, process, procid_target):
- PID 2432 wrote to memory of 608 | 2432 SearchIndexer.exe | 111 (2 occurrences)
- PID 2432 wrote to memory of 4600 | 2432 SearchIndexer.exe | 112 (2 occurrences)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-04_3b0925d0d366c3f489be7036bfecb440_ryuk.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-04_3b0925d0d366c3f489be7036bfecb440_ryuk.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:936
-
C:\Windows\System32\alg.exe (level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3368
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1680
-
C:\Windows\system32\fxssvc.exe (level 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:4964
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3592
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4104
-
C:\Windows\System32\msdtc.exe (level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4880
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1972
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1944
-
C:\Windows\SysWow64\perfhost.exe (level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1856
-
C:\Windows\system32\locator.exe (level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4868
-
C:\Windows\System32\SensorDataService.exe (level 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1492
-
C:\Windows\System32\snmptrap.exe (level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3376
-
C:\Windows\system32\spectrum.exe (level 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4640
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4944
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2400
-
C:\Windows\system32\TieringEngineService.exe (level 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
C:\Windows\system32\AgentService.exe (level 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:468
-
C:\Windows\System32\vds.exe (level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4840
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4108
-
C:\Windows\system32\wbengine.exe (level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3432
-
C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:5108
-
C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
-
C:\Windows\system32\SearchProtocolHost.exe (level 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:608
-
-
C:\Windows\system32\SearchFilterHost.exe (level 2)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:4600
-
Network
MITRE ATT&CK Enterprise v15
Downloads