Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 18:00
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-12_c8065280d17595556b86df7a2ece3154_ryuk.exe
Resource: win7-20240611-en
General
- Target: 2024-06-12_c8065280d17595556b86df7a2ece3154_ryuk.exe
- Size: 1.1MB
- MD5: c8065280d17595556b86df7a2ece3154
- SHA1: f3289b7e655553272f0cb3d86782155094368ed2
- SHA256: 2c0ce00eae568c54b204bc33d0bbc7e5756ce4b9bc29aa5580d0ad46f6146169
- SHA512: 6efd8913e6e190f7aa1a9b6909aa92163a3e4f9bf2967296bb8edcfa4d4fe1bc9d1d98fba38def5eea27b54e7344d697b178004ad87c603c6dbea2a508997847
- SSDEEP: 24576:LSi1SoCU5qJSr1eWPSCsP0MugC6eTvqMrfUgYbkhqfj8uqw:rS7PLjeTFrfPOkhqvq
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
Processes:
pid  Process
1720 alg.exe
2616 DiagnosticsHub.StandardCollector.Service.exe
3624 fxssvc.exe
1648 elevation_service.exe
2884 elevation_service.exe
2020 maintenanceservice.exe
4548 msdtc.exe
1432 OSE.EXE
1544 PerceptionSimulationService.exe
3064 perfhost.exe
692  locator.exe
3684 SensorDataService.exe
4476 snmptrap.exe
3104 spectrum.exe
3536 ssh-agent.exe
4308 TieringEngineService.exe
1692 AgentService.exe
4988 vds.exe
4512 vssvc.exe
4524 wbengine.exe
3480 WmiApSrv.exe
32   SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 37 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 4 IoCs
Processes:
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 2024-06-12_c8065280d17595556b86df7a2ece3154_ryuk.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
0100000000000000e1792564f2bcda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f04f5c64f2bcda01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac38a664f2bcda01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid Process
2616 DiagnosticsHub.StandardCollector.Service.exe
2616 DiagnosticsHub.StandardCollector.Service.exe
2616 DiagnosticsHub.StandardCollector.Service.exe
2616 DiagnosticsHub.StandardCollector.Service.exe
2616 DiagnosticsHub.StandardCollector.Service.exe
2616 DiagnosticsHub.StandardCollector.Service.exe
2616 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
660
660
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 3220 2024-06-12_c8065280d17595556b86df7a2ece3154_ryuk.exe
Token: SeAuditPrivilege 3624 fxssvc.exe
Token: SeRestorePrivilege 4308 TieringEngineService.exe
Token: SeManageVolumePrivilege 4308 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1692 AgentService.exe
Token: SeBackupPrivilege 4512 vssvc.exe
Token: SeRestorePrivilege 4512 vssvc.exe
Token: SeAuditPrivilege 4512 vssvc.exe
Token: SeBackupPrivilege 4524 wbengine.exe
Token: SeRestorePrivilege 4524 wbengine.exe
Token: SeSecurityPrivilege 4524 wbengine.exe
Token: 33 32 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 32 SearchIndexer.exe
Token: SeDebugPrivilege 1720 alg.exe
Token: SeDebugPrivilege 1720 alg.exe
Token: SeDebugPrivilege 1720 alg.exe
Token: SeDebugPrivilege 2616 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid Process procid_target
PID 32 wrote to memory of 2708 32 SearchIndexer.exe 111
PID 32 wrote to memory of 2708 32 SearchIndexer.exe 111
PID 32 wrote to memory of 1724 32 SearchIndexer.exe 112
PID 32 wrote to memory of 1724 32 SearchIndexer.exe 112
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\2024-06-12_c8065280d17595556b86df7a2ece3154_ryuk.exe
Command: "C:\Users\Admin\AppData\Local\Temp\2024-06-12_c8065280d17595556b86df7a2ece3154_ryuk.exe"
Level: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
Path: C:\Windows\System32\alg.exe
Command: C:\Windows\System32\alg.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
Path: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
Path: C:\Windows\System32\svchost.exe
Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Level: 1
PID:4416
-
Path: C:\Windows\system32\fxssvc.exe
Command: C:\Windows\system32\fxssvc.exe
Level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3624
-
Path: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Level: 1
- Executes dropped EXE
PID:1648
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Level: 1
- Executes dropped EXE
PID:2884
-
Path: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Level: 1
- Executes dropped EXE
PID:2020
-
Path: C:\Windows\System32\msdtc.exe
Command: C:\Windows\System32\msdtc.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4548
-
Path: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Level: 1
- Executes dropped EXE
PID:1432
-
Path: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Level: 1
- Executes dropped EXE
PID:1544
-
Path: C:\Windows\SysWow64\perfhost.exe
Command: C:\Windows\SysWow64\perfhost.exe
Level: 1
- Executes dropped EXE
PID:3064
-
Path: C:\Windows\system32\locator.exe
Command: C:\Windows\system32\locator.exe
Level: 1
- Executes dropped EXE
PID:692
-
Path: C:\Windows\System32\SensorDataService.exe
Command: C:\Windows\System32\SensorDataService.exe
Level: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3684
-
Path: C:\Windows\System32\snmptrap.exe
Command: C:\Windows\System32\snmptrap.exe
Level: 1
- Executes dropped EXE
PID:4476
-
Path: C:\Windows\system32\spectrum.exe
Command: C:\Windows\system32\spectrum.exe
Level: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3104
-
Path: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command: C:\Windows\System32\OpenSSH\ssh-agent.exe
Level: 1
- Executes dropped EXE
PID:3536
-
Path: C:\Windows\system32\svchost.exe
Command: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Level: 1
PID:4324
-
Path: C:\Windows\system32\TieringEngineService.exe
Command: C:\Windows\system32\TieringEngineService.exe
Level: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
Path: C:\Windows\system32\AgentService.exe
Command: C:\Windows\system32\AgentService.exe
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
Path: C:\Windows\System32\vds.exe
Command: C:\Windows\System32\vds.exe
Level: 1
- Executes dropped EXE
PID:4988
-
Path: C:\Windows\system32\vssvc.exe
Command: C:\Windows\system32\vssvc.exe
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4512
-
Path: C:\Windows\system32\wbengine.exe
Command: "C:\Windows\system32\wbengine.exe"
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524
-
Path: C:\Windows\system32\wbem\WmiApSrv.exe
Command: C:\Windows\system32\wbem\WmiApSrv.exe
Level: 1
- Executes dropped EXE
PID:3480
-
Path: C:\Windows\system32\SearchIndexer.exe
Command: C:\Windows\system32\SearchIndexer.exe /Embedding
Level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:32
-
Path: C:\Windows\system32\SearchProtocolHost.exe
Command: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Level: 2
- Modifies data under HKEY_USERS
PID:2708
-
Path: C:\Windows\system32\SearchFilterHost.exe
Command: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
Level: 2
- Modifies data under HKEY_USERS
PID:1724
-
Network
MITRE ATT&CK Enterprise v15
Downloads