Analysis

max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/06/2024, 15:23

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
Resource: win7-20240220-en

General

Target: 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
Size: 1.1MB
MD5: 0a56ab399f727f393c8a1fb7c01eb966
SHA1: 6592a27024a2cb97cc4ce7776b201cf651f312bc
SHA256: f5aed332ad3c41d54c9f314e234a43d03c2257fad345a945838f864bd1f552d9
SHA512: ad629a9c6638231d4f7305c925882c84cc18a7a37023d1823282b88a82506f548d0d83e3363fbb640996b7f3ff6ad1f024c24fbc51fe231ce64853d635651867
SSDEEP: 24576:WSi1SoCU5qJSr1eWPSCsP0MugC6eTOaHsK+fM2jEaNZBqoeW7V6tGLfHtqls+0:GS7PLjeTOksDM2jh3BqS7YtGL/Als

Malware Config

Signatures
Executes dropped EXE (22 IoCs)

pid | Process
2012 | alg.exe
3868 | DiagnosticsHub.StandardCollector.Service.exe
3900 | fxssvc.exe
5048 | elevation_service.exe
4248 | elevation_service.exe
2136 | maintenanceservice.exe
2332 | msdtc.exe
4388 | OSE.EXE
3904 | PerceptionSimulationService.exe
3308 | perfhost.exe
5004 | locator.exe
2068 | SensorDataService.exe
3708 | snmptrap.exe
4548 | spectrum.exe
2556 | ssh-agent.exe
3768 | TieringEngineService.exe
2812 | AgentService.exe
1280 | vds.exe
3568 | vssvc.exe
3040 | wbengine.exe
4472 | WmiApSrv.exe
2080 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (37 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\12c84d2dc3136770.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | elevation_service.exe
File opened for modification | C:\Program Files\MountComplete.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
Drops file in Windows directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c0431eea5c8da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001544cfeda5c8da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d169f5eda5c8da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009431bceda5c8da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000181dc8eda5c8da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bdc48eea5c8da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" |
SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f07f3eda5c8da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b16bd6eda5c8da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process
3868 DiagnosticsHub.StandardCollector.Service.exe
3868 DiagnosticsHub.StandardCollector.Service.exe
3868 DiagnosticsHub.StandardCollector.Service.exe
3868 DiagnosticsHub.StandardCollector.Service.exe
3868 DiagnosticsHub.StandardCollector.Service.exe
3868 DiagnosticsHub.StandardCollector.Service.exe
3868 DiagnosticsHub.StandardCollector.Service.exe
5048 elevation_service.exe
5048 elevation_service.exe
5048 elevation_service.exe
5048 elevation_service.exe
5048 elevation_service.exe
5048 elevation_service.exe
5048 elevation_service.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
Suspicious use of AdjustPrivilegeToken 39 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4524 2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
Token: SeAuditPrivilege 3900 fxssvc.exe
Token: SeRestorePrivilege 3768 TieringEngineService.exe
Token: SeManageVolumePrivilege 3768 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2812 AgentService.exe
Token: SeBackupPrivilege 3568 vssvc.exe
Token: SeRestorePrivilege 3568 vssvc.exe
Token: SeAuditPrivilege 3568 vssvc.exe
Token: SeBackupPrivilege 3040 wbengine.exe
Token: SeRestorePrivilege 3040 wbengine.exe
Token: SeSecurityPrivilege 3040 wbengine.exe
Token: 33 2080 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2080 SearchIndexer.exe
Token: SeDebugPrivilege 3868 DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege 5048 elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2080 wrote to memory of 2136 2080 SearchIndexer.exe 106
PID 2080 wrote to memory of 2136 2080 SearchIndexer.exe 106
PID 2080 wrote to memory of 2072 2080 SearchIndexer.exe 107
PID 2080 wrote to memory of 2072 2080 SearchIndexer.exe 107
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-27_0a56ab399f727f393c8a1fb7c01eb966_ryuk.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4524
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:2012
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4316
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3900
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4248
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2136
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2332
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4388
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3904
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3308
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:5004
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2068
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3708
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4548
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2556
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:1168
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3768
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1280
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4472
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2136
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID:2072
-
Network
MITRE ATT&CK Enterprise v15
Downloads