Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/10/2024, 20:09

Static task: static1
Behavioral task: behavioral1
Sample: 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Resource: win7-20240729-en
General

Target: 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Size: 2.8MB
MD5: b05612cb6410d636ff3b8aed4d0cafa3
SHA1: 46c3047aeee17107a99eb4beab9d9cf632cb21fa
SHA256: 73d7cc46de18f27683e8574023e49de1bcd882e071e72de22a313a44a7d3b16a
SHA512: 8d565b044fda9e7dc8196d3aec02abe9738ee462d462cd200e7125b8b93ce8e9e0c1ec0d31b5249cd8ee85a665be13b295822b1be59ce66618d485da85166379
SSDEEP: 49152:vtbIwL5D4Jc+b01tnAyB63TANQnMEx6Te8wT1Dmg27RnWGj:NkPbiHW6ZWD527BWG
Malware Config
Signatures
Executes dropped EXE (22 IoCs)

pid | Process
4556 | alg.exe
232 | DiagnosticsHub.StandardCollector.Service.exe
4828 | fxssvc.exe
1248 | elevation_service.exe
4356 | elevation_service.exe
956 | maintenanceservice.exe
1208 | msdtc.exe
1616 | OSE.EXE
4836 | PerceptionSimulationService.exe
1660 | perfhost.exe
3988 | locator.exe
4708 | SensorDataService.exe
4264 | snmptrap.exe
2184 | spectrum.exe
4900 | ssh-agent.exe
2684 | TieringEngineService.exe
668 | AgentService.exe
3432 | vds.exe
3952 | vssvc.exe
5092 | wbengine.exe
2540 | WmiApSrv.exe
4968 | SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\46d7dd0ea29f13f8.bin | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Drops file in Windows directory (3 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036d73ae13d14db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d004a7e03d14db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c00688e03d14db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018bc3be03d14db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031094ae03d14db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005653b5e03d14db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c1d5de03d14db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba76b1e73d14db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
5040 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe (this row is recorded 35 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found (this row is recorded 2 times)
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2972 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege 5040 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege 4828 fxssvc.exe
Token: SeRestorePrivilege 2684 TieringEngineService.exe
Token: SeManageVolumePrivilege 2684 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 668 AgentService.exe
Token: SeBackupPrivilege 3952 vssvc.exe
Token: SeRestorePrivilege 3952 vssvc.exe
Token: SeAuditPrivilege 3952 vssvc.exe
Token: SeBackupPrivilege 5092 wbengine.exe
Token: SeRestorePrivilege 5092 wbengine.exe
Token: SeSecurityPrivilege 5092 wbengine.exe
Token: 33 4968 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4968 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4968 SearchIndexer.exe (this row is recorded 24 times)
Token: SeDebugPrivilege 5040 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe (this row is recorded 5 times)
Token: SeDebugPrivilege 4556 alg.exe (this row is recorded 3 times)
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 2972 wrote to memory of 5040 2972 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe 82
PID 2972 wrote to memory of 5040 2972 2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe 82
PID 4968 wrote to memory of 1572 4968 SearchIndexer.exe 109
PID 4968 wrote to memory of 1572 4968 SearchIndexer.exe 109
PID 4968 wrote to memory of 3676 4968 SearchIndexer.exe 110
PID 4968 wrote to memory of 3676 4968 SearchIndexer.exe 110
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Each entry lists the image path, the command line, the matched signatures and the PID. Indented entries are child processes of the entry above them.
-
C:\Users\Admin\AppData\Local\Temp\2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2972
    C:\Users\Admin\AppData\Local\Temp\2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=80.0.3987.132 --initial-client-data=0x294,0x298,0x29c,0x284,0x2a0,0x1401ba6a0,0x1401ba6b0,0x1401ba6c0
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5040
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 4556
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 232
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1708
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 4828
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID: 1248
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 4356
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 956
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 1208
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 1616
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 4836
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 1660
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 3988
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4708
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 4264
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2184
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 4900
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 2244
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 2684
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 668
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 3432
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3952
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5092
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2540
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4968
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 1572
    -
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 3676
-
Network
MITRE ATT&CK Enterprise v15
Downloads