Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 06-08-2024 17:28
Static task: static1
Behavioral task: behavioral1
Sample: 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
Resource: win7-20240729-en
General
Target: 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
Size: 2.4MB
MD5: 3223cb0deba4e943a7cfc4b8e2154b2a
SHA1: 448b4c9058da9a6609eae0a30440c8980afe369e
SHA256: 776bf92021a474ed8fafcf6be233c1f9c7f50deb4ab674c0d4446c7d315c296c
SHA512: f6a20dee4cbdd215fffc22178341d6ef87ef4a6a350748d6d9d3cfe5842422019ef29a23f11058410d8a5d23a03014aa05a1879371b05ee5d6734f179826577a
SSDEEP: 49152:OpojL/+cPZpJGmF+Gl7mbN6ZNjshcYpKkjsVc2ot4+Ej2ED+l3eFq8um+Dmg27RN:hZplznGMkjsVc2ot4+Ej2ED+l3eFqc+W
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
4356 | alg.exe
732 | DiagnosticsHub.StandardCollector.Service.exe
4004 | fxssvc.exe
1888 | elevation_service.exe
2336 | elevation_service.exe
1740 | maintenanceservice.exe
4336 | msdtc.exe
1020 | OSE.EXE
3948 | PerceptionSimulationService.exe
1944 | perfhost.exe
3988 | locator.exe
5116 | SensorDataService.exe
2196 | snmptrap.exe
212 | spectrum.exe
3532 | ssh-agent.exe
4896 | TieringEngineService.exe
3652 | AgentService.exe
3676 | vds.exe
4312 | vssvc.exe
1740 | wbengine.exe
3852 | WmiApSrv.exe
2736 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\18af84d420b56551.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77703\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009073f0a26e8da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004daa1d1226e8da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c5d390b26e8da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c125981126e8da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c5d390b26e8da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c03d970a26e8da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083d1051226e8da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e074871126e8da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e712d0b26e8da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb22d61126e8da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" |
SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
Token: SeAuditPrivilege 4004 fxssvc.exe
Token: SeRestorePrivilege 4896 TieringEngineService.exe
Token: SeManageVolumePrivilege 4896 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3652 AgentService.exe
Token: SeBackupPrivilege 4312 vssvc.exe
Token: SeRestorePrivilege 4312 vssvc.exe
Token: SeAuditPrivilege 4312 vssvc.exe
Token: SeBackupPrivilege 1740 wbengine.exe
Token: SeRestorePrivilege 1740 wbengine.exe
Token: SeSecurityPrivilege 1740 wbengine.exe
Token: 33 2736 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2736 SearchIndexer.exe
Token: SeDebugPrivilege 1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
Token: SeDebugPrivilege 1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
Token: SeDebugPrivilege 1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
Token: SeDebugPrivilege 1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
Token: SeDebugPrivilege 1440 2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
Token: SeDebugPrivilege 4356 alg.exe
Token: SeDebugPrivilege 4356 alg.exe
Token: SeDebugPrivilege 4356 alg.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2736 wrote to memory of 4488 2736 SearchIndexer.exe 116
PID 2736 wrote to memory of 4488 2736 SearchIndexer.exe 116
PID 2736 wrote to memory of 1680 2736 SearchIndexer.exe 117
PID 2736 wrote to memory of 1680 2736 SearchIndexer.exe 117
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_3223cb0deba4e943a7cfc4b8e2154b2a_ryuk.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4356
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:732
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3196
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4004
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:1888
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2336
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1740
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4336
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1020
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3948
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1944
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3988
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5116
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2196
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:212
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3532
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4596
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3676
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4312
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3852
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
-
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4488
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  - Modifies data under HKEY_USERS
  PID:1680
-
Network
MITRE ATT&CK Enterprise v15
Downloads