Analysis
  max time kernel: 150s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02/10/2024, 19:10 (day/month/year, i.e. 2 October 2024, the date carried in the sample name)
  Static task: static1
  Behavioral task: behavioral1
  Sample: 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
  Resource: win7-20240903-en
General
  Target: 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
  Size: 2.8MB
  MD5: aa26fe4f41cad4cd4da60958bd7b2b97
  SHA1: e3cf645607e9ffc1d9f89ffbd06f485d03cc1329
  SHA256: 09ef9d5edd9a3a8f7e4a05a27edda0423f0ba151a6c843fa5599167af31b0276
  SHA512: 3e9814926afb60f761d4e3c2e1c65ed821d5640ad7de308e649a4dc0e8193dccfafcb47d175b6225a408384815b5ff23540b1e6475d0a20e05cfa3ca8f63cbea
  SSDEEP: 49152:ttbIwL5D4Jc+b01tnAyB63TANQnMEx6Te8wTLDmg27RnWGj:rkPbiHW6ZID527BWG

The family names embedded in the target filename (cobalt-strike, ryuk) are part of the name the file was submitted under; nothing in this report's signatures or its Malware Config section attributes the sample to a family.
Malware Config
  (empty for this task: no configuration was extracted)
Signatures
Executes dropped EXE (22 IoCs)
"Dropped" here means the file was written to by a monitored process before it executed. All 22 are existing service-host binaries that were overwritten in place (they appear as write targets in the Drops-file lists below), not newly created files.

pid  | Process
372  | alg.exe
5076 | DiagnosticsHub.StandardCollector.Service.exe
1712 | fxssvc.exe
3864 | elevation_service.exe
2128 | elevation_service.exe
784  | maintenanceservice.exe
4920 | msdtc.exe
4336 | OSE.EXE
1860 | PerceptionSimulationService.exe
3912 | perfhost.exe
2844 | locator.exe
3812 | SensorDataService.exe
4796 | snmptrap.exe
1680 | spectrum.exe
3916 | ssh-agent.exe
4088 | TieringEngineService.exe
1588 | AgentService.exe
4356 | vds.exe
3988 | vssvc.exe
2868 | wbengine.exe
4912 | WmiApSrv.exe
2688 | SearchIndexer.exe

elevation_service.exe runs twice (pids 3864 and 2128) although the Program Files list below shows only Edge's copy as a write target; OSE.EXE and maintenanceservice.exe have no write row at all. The Drops-file lists on this page show at most 64 rows per signature, so the missing write targets are not evidence that those binaries were untouched.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
(No IoC rows are listed for this signature on this page.)
Drops file in System32 directory (31 IoCs)
In the Process column, "sample" is 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe.

description | ioc | Process
File opened for modification | C:\Windows\system32\SgrmBroker.exe | sample
File opened for modification | C:\Windows\system32\wbengine.exe | sample
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | sample
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | sample
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\276ad9f6b36a5b05.bin | alg.exe
File opened for modification | C:\Windows\system32\locator.exe | sample
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\vds.exe | sample
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | sample
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | sample
File opened for modification | C:\Windows\system32\spectrum.exe | sample
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | sample
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | sample
File opened for modification | C:\Windows\system32\dllhost.exe | sample
File opened for modification | C:\Windows\system32\msiexec.exe | sample
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | sample
File opened for modification | C:\Windows\system32\vssvc.exe | sample
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | sample
File opened for modification | C:\Windows\system32\fxssvc.exe | sample
File opened for modification | C:\Windows\system32\TieringEngineService.exe | sample
File opened for modification | C:\Windows\System32\SensorDataService.exe | sample
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | sample
File opened for modification | C:\Windows\system32\AppVClient.exe | sample
File opened for modification | C:\Windows\System32\msdtc.exe | sample

Apart from MSDTC.LOG and the .bin file, every target is a service, installer or COM-surrogate executable. Seven of them (SgrmBroker.exe, AgentService.exe, AppVClient.exe, dllhost.exe, msiexec.exe, fxssvc.exe, SensorDataService.exe) are written both by the sample and by alg.exe, so the overwritten Application Layer Gateway binary repeats the sample's behaviour once its service starts. The one non-executable write by alg.exe, C:\Windows\system32\config\systemprofile\AppData\Roaming\276ad9f6b36a5b05.bin, is the most useful host indicator in this list: an opaque hex-named .bin in the SYSTEM account's roaming profile, written by a service binary the sample had just modified.
Drops file in Program Files directory (64 IoCs)
In the Process column, "sample" is 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe.

description | ioc | Process
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | sample
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | sample
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | sample
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | sample
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | sample
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | sample
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | sample
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | sample
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | sample
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | sample
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | sample
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | sample
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | sample

The targets here are user-facing third-party executables (Java JDK/JRE tools, Chrome and Google Update, Firefox, Acrobat Reader, 7-Zip, Office Click-to-Run, VSTO, Edge's elevation_service.exe), so whatever the user launches later runs the modified binary. The single "File created" row is maintenanceservice.exe writing its own log once the Mozilla Maintenance Service (an executed-dropped binary above) has started, not a write by the sample.
Drops file in Windows directory (3 IoCs)
In the Process column, "sample" is 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe.

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | sample
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe

PresentationFontCache.exe (the .NET 3.0 WPF font cache service) is hit by both the sample and alg.exe; DtcInstall.log is msdtc.exe's own log.
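The three Drops-file lists and the Executes dropped EXE list can be joined mechanically to show the propagation chain: which executed image was written by whom, and which executed images went on to write further binaries. The Python below is an added example, not part of the tria.ge report or of the sample's code. It embeds a constructed subset of the rows above in the page's flattened "description ioc Process" form; the function names, the split-on-keyword parsing strategy and the excerpt selection are assumptions made for illustration, not anything tria.ge exposes.

```python
r"""Rebuild the overwrite-then-execute chain from a tria.ge report.

"Drops file in ..." rows say which process opened which file for
modification; "Executes dropped EXE" says which of those files then ran.
Joining the two shows the propagation: the sample overwrites service
binaries, Windows starts those services, and at least one overwritten
copy (alg.exe) keeps overwriting more binaries.
"""
import re

SAMPLE = "2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe"

# Constructed excerpt: a subset of the report's rows, joined the way the
# page flattens them (no separator between records, process name last).
DROPS_TEXT = " ".join([
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\system32\\fxssvc.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\System32\\msdtc.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\System32\\vds.exe {SAMPLE}",
    f"File opened for modification C:\\Program Files\\Mozilla Firefox\\firefox.exe {SAMPLE}",
    "File opened for modification C:\\Windows\\system32\\AppVClient.exe alg.exe",
    "File opened for modification C:\\Windows\\system32\\AgentService.exe alg.exe",
    "File opened for modification C:\\Windows\\System32\\SensorDataService.exe alg.exe",
    "File opened for modification C:\\Program Files\\Java\\jre-1.8\\bin\\java.exe alg.exe",
    "File opened for modification C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe alg.exe",
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe",
    "File created C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\maintenanceservice.log maintenanceservice.exe",
])

# Constructed excerpt of "Executes dropped EXE": (pid, image name).
EXECUTED = [(372, "alg.exe"), (1712, "fxssvc.exe"), (784, "maintenanceservice.exe"),
            (4920, "msdtc.exe"), (3812, "SensorDataService.exe"),
            (1588, "AgentService.exe"), (4356, "vds.exe")]

# A record starts at the next "File opened for modification"/"File created"
# keyword; paths contain spaces, so the process is the final token.
RECORD_START = re.compile(r"(?=File (?:opened for modification|created) )")
RECORD = re.compile(r"File (opened for modification|created) (.+) (\S+)")


def parse_file_iocs(text):
    """Split flattened 'description ioc Process' text into (op, path, process)."""
    rows = []
    for rec in RECORD_START.split(text):
        rec = rec.strip()
        if not rec:
            continue
        m = RECORD.fullmatch(rec)
        if m is None:
            raise ValueError(f"unparsed record: {rec!r}")
        rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1]


def overwrite_chain(rows, executed):
    """Map each executed image to its pid and the processes that wrote to it.

    Returns {image_name: {"pid": int, "writers": [process, ...]}}, writers in
    the order the report lists them (the listing is not guaranteed chronological).
    """
    ran = {name.lower(): pid for pid, name in executed}
    chain = {}
    for _op, path, proc in rows:
        name = basename(path)
        if name.lower() in ran:
            entry = chain.setdefault(name, {"pid": ran[name.lower()], "writers": []})
            if proc not in entry["writers"]:
                entry["writers"].append(proc)
    return chain


def second_stage_writers(rows, executed):
    """Executed-dropped images that themselves wrote to other executables."""
    ran = {name.lower() for _pid, name in executed}
    return sorted({proc for _op, path, proc in rows
                   if proc.lower() in ran and path.lower().endswith(".exe")})


def executed_without_writer(rows, executed):
    """Executed images no row in this excerpt wrote to: gaps to check on the host."""
    written = {basename(path).lower() for _op, path, _proc in rows}
    return sorted(name for _pid, name in executed if name.lower() not in written)


if __name__ == "__main__":
    rows = parse_file_iocs(DROPS_TEXT)
    for name, info in overwrite_chain(rows, EXECUTED).items():
        print(f"{name:24s} pid {info['pid']:<5d} written by {', '.join(info['writers'])}")
    print("second-stage writers:", second_stage_writers(rows, EXECUTED))
    print("executed but never written in excerpt:", executed_without_writer(rows, EXECUTED))
```

On the excerpt, alg.exe is the only executed image that goes on to write other executables, and maintenanceservice.exe is the one executed image with no write row, which is exactly the gap a host-side check (hash or Authenticode state of that binary) should close; on the full page the same function would also flag OSE.EXE.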
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

All 64 keys sit under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\. Four device instances are touched; they are abbreviated in the table as:
  A = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  B = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  C = CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
  D = Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000

description | ioc | Process
Key opened | A\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | C\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | A | SensorDataService.exe
Key value queried | B\FriendlyName | SensorDataService.exe
Key opened | B\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | B\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | D\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | D\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | D\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | C\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | A\FriendlyName | spectrum.exe
Key opened | B\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | D | spectrum.exe
Key opened | B | spectrum.exe
Key opened | B\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | B | SensorDataService.exe
Key opened | D\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | C\FriendlyName | SensorDataService.exe
Key opened | C\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | A | spectrum.exe
Key opened | B\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | D\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | A\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | A\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | D\FriendlyName | SensorDataService.exe
Key opened | A\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | A\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | C\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | C\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | C\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | A\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | B\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | D\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | A\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | B\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | D\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | C\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | A\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | B\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | C | SensorDataService.exe
Key value queried | D\FriendlyName | spectrum.exe
Key opened | C\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | B\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | B\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | C\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | A\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | D\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | C\FriendlyName | spectrum.exe
Key opened | C\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | A\FriendlyName | SensorDataService.exe
Key opened | C\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | B\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | C | spectrum.exe
Key opened | C\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | B\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | D\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | D\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | D | SensorDataService.exe
Key opened | D\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | A\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | A\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | B\FriendlyName | spectrum.exe
Key opened | B\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | D\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe

The vendor strings in the device IDs are the tell: C is QEMU's emulated DVD-ROM, A and B are Msft Virtual DVD-ROM (what Windows presents for a mounted ISO image, and Hyper-V's synthetic drive), while D carries a physical Western Digital SSD model string. The reads are attributed to SensorDataService.exe and spectrum.exe, both executed-dropped binaries above; the report does not separate reads made by the overwritten code from the service's own device enumeration, so treat this signature as corroborating rather than conclusive.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Only TieringEngineService.exe, another executed-dropped binary, reads the clock-speed value; the same caveat as for the SCSI reads applies.
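The two registry signatures above (the SCSI device-instance reads and the CentralProcessor read) can be turned into a per-process inventory of what hardware identity was queried. The Python below is an added example, not part of the tria.ge report or of the sample; it embeds a constructed subset of the rows above and classifies each SCSI device ID by the hypervisor vendor strings it contains. The marker table, labels and function names are assumptions for illustration; the VirtualBox and VMware entries are included because the same check generalises to those device IDs, which do not occur on this page.

```python
r"""Classify registry reads from the "Checks SCSI registry key(s)" and
"Checks processor information" signatures as hypervisor fingerprinting.

An Enum\SCSI device-instance path embeds the vendor and product strings
of each (emulated) disk or optical drive, and CentralProcessor\0\~MHz
exposes the clock speed; both are well-known sandbox tells.  Legitimate
device enumeration reads the same keys, so the output is a per-process
inventory of what was read, not a verdict.
"""
import re
from collections import defaultdict

# Constructed excerpt: a subset of the report's rows, flattened as on the page.
REG_TEXT = " ".join([
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 spectrum.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe",
    r"Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe",
])

# Substrings of a device ID that name a hypervisor's emulated device (assumed
# marker table).  Msft Virtual DVD-ROM is what Windows presents for a mounted
# ISO image as well as Hyper-V's synthetic drive, so it is the weaker tell.
VM_MARKERS = {
    "Ven_QEMU": "QEMU/KVM",
    "Prod_Virtual_DVD-ROM": "Msft Virtual DVD-ROM (Hyper-V, or a mounted ISO)",
    "Ven_VBOX": "VirtualBox",
    "Ven_VMware": "VMware",
}
NO_MARKER = "no hypervisor marker"

# Rows in these two signatures have no spaces in the key path, so one findall
# suffices (the HKEY_USERS signature, with "Local Settings", would not parse this way).
ROW = re.compile(r"Key (opened|value queried) (\S+) (\S+)")
SCSI_INSTANCE = re.compile(r"\\Enum\\SCSI\\([^\\]+)\\([^\\]+)", re.IGNORECASE)
CPU_MHZ = re.compile(r"\\CentralProcessor\\\d+\\~MHz$", re.IGNORECASE)


def parse_reg_iocs(text):
    """Return a list of (op, key, process) tuples."""
    return ROW.findall(text)


def device_instance(key):
    """(device_id, instance_id) for an Enum\\SCSI key, else None."""
    m = SCSI_INSTANCE.search(key)
    return (m.group(1), m.group(2)) if m else None


def classify_device(device_id):
    for marker, label in VM_MARKERS.items():
        if marker.lower() in device_id.lower():
            return label
    return NO_MARKER


def fingerprint_summary(rows):
    """Per process: distinct SCSI instances read (with their classification)
    and whether the CPU clock-speed value was queried."""
    summary = defaultdict(lambda: {"devices": {}, "cpu_mhz_queried": False})
    for op, key, proc in rows:
        inst = device_instance(key)
        if inst:
            summary[proc]["devices"][inst] = classify_device(inst[0])
        elif op == "value queried" and CPU_MHZ.search(key):
            summary[proc]["cpu_mhz_queried"] = True
    return dict(summary)


def hypervisor_markers_seen(summary):
    """Sorted hypervisor labels observed across all processes."""
    return sorted({label for s in summary.values()
                   for label in s["devices"].values() if label != NO_MARKER})


if __name__ == "__main__":
    summary = fingerprint_summary(parse_reg_iocs(REG_TEXT))
    for proc, s in summary.items():
        print(proc, "cpu_mhz_queried=%s" % s["cpu_mhz_queried"])
        for (dev, inst), label in s["devices"].items():
            print(f"    {dev}\\{inst}: {label}")
    print("hypervisor markers:", hypervisor_markers_seen(summary))
```

The point of keeping the WDC disk in the output with "no hypervisor marker" is that a sandbox which spoofs one device (here a real-looking SSD model) still leaks through the others; counting distinct instances per process, rather than alerting on any one read, is what separates a deliberate sweep from a service looking up its own device.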
Modifies data under HKEY_USERS (64 IoCs)

Abbreviations used in the table:
  MUI = \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E
  CACHED = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached (every CACHED row pairs the listed CLSID with {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF)
  FILEEXTS = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  OREGRES = C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll

description | ioc | Process
Set value (str) | MUI\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | MUI\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | MUI\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Key created | FILEEXTS\.snd\OpenWithList | SearchProtocolHost.exe
Set value (data) | CACHED\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} = 0100000000000000826675c9fe14db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (data) | CACHED\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} = 0100000000000000488c9bc9fe14db01 | SearchProtocolHost.exe
Set value (str) | MUI\@OREGRES,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | MUI\@OREGRES,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | MUI\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | MUI\@OREGRES,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | MUI\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | CACHED\{C120DE80-FDE4-49F5-A713-E902EF062B8A} = 0100000000000000b89b0bcafe14db01 | SearchProtocolHost.exe
Set value (str) | MUI\@OREGRES,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | MUI\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | MUI\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | MUI\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (data) | CACHED\{A38B883C-1682-497E-97B0-0A3A9E801682} = 0100000000000000d9414fc9fe14db01 | SearchProtocolHost.exe
Set value (str) | MUI\@OREGRES,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (data) | CACHED\{AEB16279-B750-48F1-8586-97956060175A} = 0100000000000000c88617cafe14db01 | SearchProtocolHost.exe
Set value (str) | MUI\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | MUI\@OREGRES,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (data) | CACHED\{3DBEE9A1-C471-4B95-BBCA-F39310064458} = 0100000000000000776856c9fe14db01 | SearchProtocolHost.exe
Set value (str) | MUI\@OREGRES,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (data) | CACHED\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} = 0100000000000000e02234cafe14db01 | SearchProtocolHost.exe
Set value (str) | MUI\@OREGRES,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | FILEEXTS\.snd | SearchProtocolHost.exe
Key created | FILEEXTS\.aifc | SearchProtocolHost.exe
Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | MUI\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | MUI\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | MUI\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | MUI\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | MUI\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (data) | CACHED\{97E467B4-98C6-4F19-9588-161B7773D6F6} = 010000000000000081b3a2c9fe14db01 | SearchProtocolHost.exe
Key created | FILEEXTS\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | MUI\@OREGRES,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | MUI\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | MUI\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (data) | CACHED\{33154C99-BF49-443D-A73C-303A23ABBE97} = 010000000000000055c6b5c9fe14db01 | SearchProtocolHost.exe
Set value (str) | MUI\@OREGRES,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | MUI\@OREGRES,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | MUI\@OREGRES,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | MUI\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | MUI\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | MUI\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | MUI\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | MUI\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | FILEEXTS\.html | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell | (the page is cut off in the middle of this row; the remaining rows of the 64 are not shown)

All of these writes are MUI string cache, shell-extension cache and FileExts bookkeeping under the .DEFAULT hive, made by the Windows Search host processes (SearchIndexer.exe, SearchProtocolHost.exe, SearchFilterHost.exe) and the Fax service (fxssvc.exe). SearchIndexer.exe and fxssvc.exe are both in the Executes dropped EXE list, so they run from binaries the sample modified, but the registry content itself is ordinary service start-up noise and carries no indicator value on its own.
Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c827d7c9fe14db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
672 Process not Found
672 Process not Found
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2268 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege 2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege 1712 fxssvc.exe
Token: SeRestorePrivilege 4088 TieringEngineService.exe
Token: SeManageVolumePrivilege 4088 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1588 AgentService.exe
Token: SeBackupPrivilege 3988 vssvc.exe
Token: SeRestorePrivilege 3988 vssvc.exe
Token: SeAuditPrivilege 3988 vssvc.exe
Token: SeBackupPrivilege 2868 wbengine.exe
Token: SeRestorePrivilege 2868 wbengine.exe
Token: SeSecurityPrivilege 2868 wbengine.exe
Token: 33 2688 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeDebugPrivilege 2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege 2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege 2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege 2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege 2672 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege 372 alg.exe
Token: SeDebugPrivilege 372 alg.exe
Token: SeDebugPrivilege 372 alg.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 2268 wrote to memory of 2672 2268 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe 82
PID 2268 wrote to memory of 2672 2268 2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe 82
PID 2688 wrote to memory of 5060 2688 SearchIndexer.exe 109
PID 2688 wrote to memory of 5060 2688 SearchIndexer.exe 109
PID 2688 wrote to memory of 5104 2688 SearchIndexer.exe 110
PID 2688 wrote to memory of 5104 2688 SearchIndexer.exe 110
-
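The two tables above (AdjustPrivilegeToken and WriteProcessMemory) are more useful read together than apart: the question for a triage analyst is which process both enabled a privilege that matters and then wrote into another process. The script below is an added example, not tria.ge code and not part of this report. It parses rows in the exact row format the report prints, collapses the repeated rows (one row per call), and crosses the two tables. The row strings are copied from the tables above with the long runs shortened; the "high value" ranking is the editor's own, and the mapping of the undecoded privilege "33" to SeIncreaseWorkingSetPrivilege comes from the SE_INC_WORKING_SET_PRIVILEGE value in winnt.h, not from the page.

```python
"""Cross-reference the AdjustPrivilegeToken and WriteProcessMemory tables of a
tria.ge report. Added example; not tria.ge code and not part of the report."""
import re

S = "2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe"

# Constructed input: rows copied from the report's two tables, one per line, with
# the long runs of identical rows shortened. tria.ge prints one row per API call,
# so the same privilege/PID pair legitimately repeats.
PRIV_ROWS = f"""\
Token: SeTakeOwnershipPrivilege 2268 {S}
Token: SeTakeOwnershipPrivilege 2672 {S}
Token: SeAuditPrivilege 1712 fxssvc.exe
Token: SeRestorePrivilege 4088 TieringEngineService.exe
Token: SeManageVolumePrivilege 4088 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1588 AgentService.exe
Token: SeBackupPrivilege 3988 vssvc.exe
Token: SeRestorePrivilege 3988 vssvc.exe
Token: SeAuditPrivilege 3988 vssvc.exe
Token: SeBackupPrivilege 2868 wbengine.exe
Token: SeRestorePrivilege 2868 wbengine.exe
Token: SeSecurityPrivilege 2868 wbengine.exe
Token: 33 2688 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2688 SearchIndexer.exe
Token: SeDebugPrivilege 2672 {S}
Token: SeDebugPrivilege 2672 {S}
Token: SeDebugPrivilege 2672 {S}
Token: SeDebugPrivilege 372 alg.exe
Token: SeDebugPrivilege 372 alg.exe
"""

WPM_ROWS = f"""\
PID 2268 wrote to memory of 2672 2268 {S} 82
PID 2268 wrote to memory of 2672 2268 {S} 82
PID 2688 wrote to memory of 5060 2688 SearchIndexer.exe 109
PID 2688 wrote to memory of 5060 2688 SearchIndexer.exe 109
PID 2688 wrote to memory of 5104 2688 SearchIndexer.exe 110
PID 2688 wrote to memory of 5104 2688 SearchIndexer.exe 110
"""

PRIV_RE = re.compile(r"^Token: (\S+) (\d+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# Editor's ranking of privileges worth a second look, with the capability each grants.
HIGH_VALUE = {
    "SeDebugPrivilege": "open and write any process, including SYSTEM ones",
    "SeTakeOwnershipPrivilege": "take ownership of files the ACL would otherwise protect",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeAssignPrimaryTokenPrivilege": "start a process under a different primary token",
}
# The report prints the raw LUID for some privileges; 33 is SE_INC_WORKING_SET_PRIVILEGE
# in winnt.h (assumption taken from the header, the page shows only the number).
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}


def parse_privileges(text):
    """{pid: {"process": name, "privileges": set, "rows": count}}; repeats are counted."""
    out = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if not m:
            continue
        priv, pid, proc = m.groups()
        entry = out.setdefault(int(pid), {"process": proc, "privileges": set(), "rows": 0})
        entry["privileges"].add(LUID_NAMES.get(priv, priv))
        entry["rows"] += 1
    return out


def parse_wpm(text):
    """Deduplicated (source_pid, target_pid, source_process) edges, in report order."""
    edges = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, _src_again, proc, _target_index = m.groups()
        edge = (int(src), int(dst), proc)
        if edge not in edges:
            edges.append(edge)
    return edges


def triage(privs, edges):
    """Lead list: a process that enabled a high-value privilege and also wrote into
    another process, plus any process that enabled SeDebugPrivilege at all."""
    findings = []
    for pid in sorted(privs):
        info = privs[pid]
        hv = sorted(p for p in info["privileges"] if p in HIGH_VALUE)
        targets = [dst for src, dst, _ in edges if src == pid]
        if (hv and targets) or "SeDebugPrivilege" in hv:
            findings.append({"pid": pid, "process": info["process"], "privileges": hv,
                             "why": [HIGH_VALUE[p] for p in hv], "wrote_to": targets})
    return findings


if __name__ == "__main__":
    for f in triage(parse_privileges(PRIV_ROWS), parse_wpm(WPM_ROWS)):
        print(f)
```

On this report the lead list is PIDs 372, 2268, 2672 and 2688. Two of those are noise you can discount quickly: 2688 is SearchIndexer.exe writing into the SearchProtocolHost.exe and SearchFilterHost.exe children it launches itself, which is how the indexer normally works. The pair to follow is 2268 writing into 2672, a second copy of the same sample that then enables SeDebugPrivilege five times and goes on to drop files under System32.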
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. What this report supports is narrower than the signature name suggests: vssvc.exe (PID 3988) itself ran as a dropped executable and enabled SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege, and no process in the tree enumerates or deletes shadow copies. Do not read the signature as evidence of backup destruction without further data.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
    C:\Users\Admin\AppData\Local\Temp\2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe (level 2, child of PID 2268)
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=80.0.3987.132 --initial-client-data=0x294,0x298,0x29c,0x284,0x2a0,0x1401ba6a0,0x1401ba6b0,0x1401ba6c0
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
-
C:\Windows\System32\alg.exe (level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:372
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:5076
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4020
-
C:\Windows\system32\fxssvc.exe (level 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:3864
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2128
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:784
-
C:\Windows\System32\msdtc.exe (level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4920
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4336
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1860
-
C:\Windows\SysWow64\perfhost.exe (level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3912
-
C:\Windows\system32\locator.exe (level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2844
-
C:\Windows\System32\SensorDataService.exe (level 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3812
-
C:\Windows\System32\snmptrap.exe (level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4796
-
C:\Windows\system32\spectrum.exe (level 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1680
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3916
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:568
-
C:\Windows\system32\TieringEngineService.exe (level 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
C:\Windows\system32\AgentService.exe (level 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
C:\Windows\System32\vds.exe (level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4356
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
C:\Windows\system32\wbengine.exe (level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4912
-
C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
    C:\Windows\system32\SearchProtocolHost.exe (level 2, child of PID 2688)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:5060
    C:\Windows\system32\SearchFilterHost.exe (level 2, child of PID 2688)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:5104
-
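Two things in the process tree above deserve a mechanical check rather than eyeballing: the sample in %TEMP% relaunches a copy of itself with a Google Chrome crashpad-handler command line (annotation=prod=Chrome, ver=80.0.3987.132) even though nothing about its path is Chrome, and the long list of Windows service binaries marked "Executes dropped EXE" is exactly the list a responder would hash and signature-check on a suspect host. The script below is an added example, not tria.ge code and not part of this report. It rebuilds parent/child links from the tree's nesting levels and applies both checks. The input is a constructed, abridged subset of the tree in a pipe-separated form the editor chose (level, PID, image, command line, flags); the crashpad command line is shortened and the "Chromium helper from outside Program Files" rule is the editor's heuristic, not a tria.ge signature.

```python
"""Rebuild a tria.ge process tree and pull out the two leads worth chasing in this
report. Added example; not tria.ge code and not part of the report."""
import re

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe"

# Constructed input: an abridged subset of the report's process tree, one process per
# line as  level | pid | image path | command line | flag;flag;...
# level is the nesting depth shown in the tree (2 = child of the nearest preceding
# level-1 entry). The crashpad command line is shortened from the report's.
TREE_TEXT = rf"""
1 | 2268 | {SAMPLE_PATH} | "{SAMPLE_PATH}" | Drops file in System32 directory;Suspicious use of AdjustPrivilegeToken;Suspicious use of WriteProcessMemory
2 | 2672 | {SAMPLE_PATH} | {SAMPLE_PATH} --type=crashpad-handler /prefetch:7 --annotation=prod=Chrome --annotation=ver=80.0.3987.132 | Drops file in System32 directory;Drops file in Program Files directory;Suspicious behavior: EnumeratesProcesses;Suspicious use of AdjustPrivilegeToken
1 | 372 | C:\Windows\System32\alg.exe | C:\Windows\System32\alg.exe | Executes dropped EXE;Drops file in System32 directory;Suspicious use of AdjustPrivilegeToken
1 | 5076 | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Executes dropped EXE
1 | 4020 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv |
1 | 1712 | C:\Windows\system32\fxssvc.exe | C:\Windows\system32\fxssvc.exe | Executes dropped EXE;Modifies data under HKEY_USERS
1 | 3864 | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe" | Executes dropped EXE
1 | 3988 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | Executes dropped EXE;Suspicious use of AdjustPrivilegeToken
1 | 2688 | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchIndexer.exe /Embedding | Executes dropped EXE;Suspicious use of WriteProcessMemory
2 | 5060 | C:\Windows\system32\SearchProtocolHost.exe | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ | Modifies data under HKEY_USERS
2 | 5104 | C:\Windows\system32\SearchFilterHost.exe | "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 | Modifies data under HKEY_USERS
"""

CHROMIUM_TYPE = re.compile(r"(^|\s)--type=[\w-]+")   # Chromium helper-process switch
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def parse_tree(text):
    """List of process dicts; parent_pid is the nearest preceding entry one level up."""
    procs, last_at_level = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        level, pid, image, cmdline, flags = [p.strip() for p in raw.split("|", 4)]
        level, pid = int(level), int(pid)
        procs.append({
            "level": level, "pid": pid, "image": image, "cmdline": cmdline,
            "flags": [f for f in flags.split(";") if f],
            "parent_pid": last_at_level.get(level - 1),
        })
        last_at_level[level] = pid
        # anything deeper than this entry belonged to an earlier branch
        for deeper in [k for k in last_at_level if k > level]:
            del last_at_level[deeper]
    return procs


def parent_of(procs, pid):
    return next(p["parent_pid"] for p in procs if p["pid"] == pid)


def chromium_cmdline_from_odd_image(procs):
    """Heuristic: a Chromium '--type=...' helper (crashpad-handler, renderer, ...)
    normally runs from an image under Program Files. One launched from a user-writable
    path is a renamed, infected or impersonated Chromium binary. Returns PIDs."""
    return [p["pid"] for p in procs
            if CHROMIUM_TYPE.search(p["cmdline"])
            and not p["image"].lower().startswith(PROGRAM_DIRS)]


def images_to_verify(procs):
    """Images flagged 'Executes dropped EXE' that live where only an installer should
    write: on a suspect host, hash and signature-check these first."""
    roots = ("c:\\windows\\",) + PROGRAM_DIRS
    return sorted({p["image"] for p in procs
                   if "Executes dropped EXE" in p["flags"]
                   and p["image"].lower().startswith(roots)})


if __name__ == "__main__":
    tree = parse_tree(TREE_TEXT)
    print("chromium helper from odd path:", chromium_cmdline_from_odd_image(tree))
    print("\n".join(images_to_verify(tree)))
```

The parent links come purely from nesting, which is how tria.ge draws the tree; they agree with the WriteProcessMemory table above (2268 into 2672, 2688 into 5060 and 5104). The `images_to_verify` output is a to-do list, not a verdict: the sandbox marks a binary "dropped" because the sample wrote it, and whether the on-disk copy on a real host is still the vendor's file is something only a hash or Authenticode check there can answer.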
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5c0e58c9fdaf855cb9c9c0b54aeea265c
SHA1ba291ea2985fa487340a1c85a9fae3d1237de96d
SHA2562acd09f330ce0c19d4f5ba624dedfe56111d0a61f62ecd66ef6d393af3385e39
SHA5122fe892d2874648a60dc5ec37152a0db0a345865164d36ad1f5e9b382edd4cfa94cb35a6a68097428e5797f6c3aab0e5b240a455b00f72d56e288fb093820a201
-
Filesize
1.3MB
MD5f5d7aaeac99ff6d3146549645eed2e38
SHA1c130f3a674d9cd2adf03998e7c2364763a37eeea
SHA2567c3f1b8d61cf05a306dbc4a25db5b22116fb4d7aab1d15d115d5d4590a2cf708
SHA512e65ca7472ec6e08eedc19de55539d2f49008a785c704160b277c93aca928c7727c8a8b4100bae7b3fe3403a5314263ed8c79f07098607a5792fc6366da1cc528
-
Filesize
1.6MB
MD5074a5a1b4ec9f7e0ac7854fa4f95638c
SHA13241770ee39a1e3b3d5bba5c164f46d8e1234b52
SHA256bbe0321d925363eccd445b2920888616f07420daa925cd3622af1c240d1cc112
SHA512a6fe689f0bf2fc85337e88723496bb0d8d20928ed8da8e9a87c86cffa23005a84dca9233511735bc8b55138980677ba0ca9e2c6120a27d5ea9f05b6b50d962d2
-
Filesize
1.5MB
MD5e369e9a682fb2f8a1224d69a23736a7c
SHA1d896a654cf1a90e4a52615777ef30dd94b5b8844
SHA2565439460490598e68f94d9dc1f9f5237aefaa99a25af97f5f7d44f5437e64ca59
SHA512021e0334bfbfd10642cf42ce06979f4031f8fefd9c66b640b84e109f8289510846fa6478255559a06537307a0405945074c3d8aaf001edd16f094669a117b7fc
-
Filesize
1.2MB
MD50ecd272668462d6ef8678ae8ac05553e
SHA16d7df37563c7efb3241610d65fb10295cd7af424
SHA256f7c2da6155162d175366df2cd1223fd63dfbe1f63afd45b3c7d624c9c4180179
SHA512175da491eb4cbe9d937467983b15ce5e595fe98089f629e62ca534a387456eb16517610bd86e521256524e9c4f36d39610a6ad45db1c26fa5e46b4cf2e07dac4
-
Filesize
1.1MB
MD521fd0cae614f1db4ca2d2054566ffaf4
SHA1d726400b2b95a0bb2d2b9644004c06267eaac7aa
SHA2567e2f9290651b82566c9b7aafc75cd89ed6cc21e6166644b6770ef021755e1c6e
SHA512c73fae74dc75bc8a7569aeff4d63bbf71cc59665940339a3e7fe1227abdf32992615d372cc5826e1f4007254875a881141c71314a2caffbd9dc271c95a2d2643
-
Filesize
1.3MB
MD5abb45a4659c824688060defced1b4e37
SHA17b664e0cb4a0281115e59275ba9eb9d18eb1dc2c
SHA2563b42475da5ae9995046fb2450044bb9e1ec25ab80829f7487ad7452b6201da07
SHA5122e02935315716e21fa527b6e7007115335135328d67956f5850c2c85f8c6bf4a14f0b7ec380392ebdec6e4ab748daf55cf585e2910b6474e39ac81337d791c65
-
Filesize
4.6MB
MD55f8a4ea37960b912b491ac91c3faa6e5
SHA127d91b4a497abec4e3fd5a53f07aff809ad2c3b2
SHA256909a2c1e1cb228dda05ee7eb7a28881dfd626b6cd6dce2660de93c656e7a36f8
SHA512b4b2df5fcab831c59b85cd8e086cf50fb3974f56eafa337324c1157d7325a1e777287854f951010448b78858cac3f931bf63ccf18d9c2bb997a73dbe0974d147
-
Filesize
1.4MB
MD59a969806de0170943128f2e0541abf31
SHA1bb44c69481781b449ca505996e98800e3d10d7bc
SHA25616cf004ad66b2eedf0b899133ec7829d8676d599b453ae4da7db8232129ac39f
SHA512831bb457fb450698fb9a41789930e3ff4f8dc46fc1ee0f366b6cc107b81d90ba2c6f9a4d7734575597f72960f864cb7757fcc7078ffa66a434bd1d72ca6074e3
-
Filesize
24.0MB
MD55cc807113e9772157a39f827138537e3
SHA13a383b15c714dec4de5c1b9b7242249e506af6eb
SHA2568b494ba102ae532e6186e5dd665d85a657c25c89b38d139c5d680d0a26ab775b
SHA5123db2315dbf94d4eb9b69db8c9ab7b6b2ef8240807b13d5e03af6550e36d8c995f931735aa39999e9c0b86eed4686aba2c1a662f96305080ca2846eedcf69c520
-
Filesize
2.7MB
MD578ad3341fd1de6858d6037223b5dc6c3
SHA19b69d41f0f225714b23249465ca1119ddd18a03e
SHA256dfb2c48738c6d3d9b66fb0518f91d3d8d74eaf5e1dca15e01bf1c51dd6c34963
SHA51250479e9244d207a8bc13f2866b8e09afa716d8f9306209467ea1a9ee198311a7a8050ffbf1c9837d2398ea7d3a085083f3aa0de054986bfe9b33cdf6d3b24c52
-
Filesize
1.1MB
MD5bf2a99a824a9fab1c0df4a216c0567ff
SHA1a3ddcd326c7d4574d60b1d289f254a468a8a41e3
SHA2568357ebc9ab391bfe849794843fa80cd75f1c2479182358b698454a0776e1e5c9
SHA512434753b277682de519c513c50191ae81609019fa0215d9d682a4a30ab516b5d180b50117171a3696b674bcf77ef541f8ed940913436780b22b029107105e6ac3
-
Filesize
1.3MB
MD5f6e2e65ae100c62dd9c46805714324b3
SHA189cf7b8012ca9873d5b92e791b658ac3ec56a235
SHA2566ee9716eceac3d8c009e497f3f16711c59370de0c08ec9c5c9a8565545929b58
SHA512e4f2c820084da84bdd2069699620f3bd196cb3df381f290ce1609aeddd55ac52a4bed1411fe122ae54ba5296b5f3900f1acdf3467ed2027571e5d6f5d163dd2e
-
Filesize
1.2MB
MD552c57ce0b985e62c6870c999e28e77b8
SHA16e5d7eb5c123628c40f184c0a9f6d1ec3e1976b5
SHA2562e4941c60baf7eac9c0b103eaccecc3e96d8ee2eae4c338aa7bd7bea7eea5b60
SHA512b2fca802c3932eb92404ffe4ed2bcb737e675ab10e30d69bfc4b6c4e0567002aa303426bb74da197a4d049af1d8bfdcf0374cf9c05dd9bcc35dd6ebe53557ef8
-
Filesize
4.6MB
MD5836d2ac52fec9a9af1fd218cfec4ad09
SHA126a1c12547a920a49489ecc720c3289272d1308e
SHA2568c18493f2123c30fd91224735158a839addd596e94f5485b2f5a996751c9f59d
SHA512b32532a933a2a3de2ec497b9c72b50fea77491f2dbe8a604f1bd15c1422d6010e1047c2733ac14327a7859af533af930cbf9469374ef021b1149b1297ed05f8e
-
Filesize
4.6MB
MD5f17f27a03422cc279ba50a1ac01c0884
SHA1779daa7e1b37dd84abfbf2ca2fe39b2be542cc78
SHA2562c1240617753640411c6a78a131941ebe861507a829156b7ed38010ccff2ce06
SHA5129ff8db1b44b565d2eabd72fa7a9ee5cd6379c530f97ed4b3cd11eacf2f000dbe2e4fce1812c084d398429676aa3b88c0e16bbb53e69769a905d3262869e1fd6c
-
Filesize
1.9MB
MD5da9502984c9afb9c9207251f99c95f17
SHA15ec3172c99f15c6360c6b5fa69c6534b05486b55
SHA256e7cf37f1c00b512c1da9f624bd31f458b4a2cf662322ad17026a8aa4f97e837d
SHA512b38417170c0918bf414a574756a7e412c911d4cd337f3e30479caaee2fbfcb9ace1fba8ccb42cfcca911aa9aab935c1afca20ae6afbc017ec97a139cea0caae6
-
Filesize
2.1MB
MD565cd942c3ddb1b85e802c0cac2c4a918
SHA1d355836fca24b90722ef01a75f3478e56c24abdc
SHA256efec2676c144dd605ae35ca0bc871a7f30967959f699650a92b120573ea2d0da
SHA512488fe3f095e15fcb386db175ff170bb34159b80b7643b28872e1b80d7bd215cf0a2c7707d6572172f942057ea1afa9877b1010cc984966711a4ff02a1ad239f3
-
Filesize
1.8MB
MD511ea5a11c40d7fd017fc7cbaa08bc044
SHA169300da310f28ce00ae158826b8e5999af970c45
SHA25652a2e5de71674d05f1cab1feeaf9613e089d88012d36dd365cb8564fc55eabd1
SHA5124af03dddc1d9112afe43d02a48b069ce107023b3a2b86a7266e2b83156bedcdc8c7fd5d01748e347e33aa7f29b8c3f9406e547e75424e32f82c548cda17a1a69
-
Filesize
1.6MB
MD5948cf7daeb242140cd56f0f819c798f8
SHA1935fad1bef6a26e759a60932308fec92ab7ac841
SHA256786c91f1f7fec24ced9f5aa13531bd62a9e2142a23260038d9f578b5eb4db311
SHA512d637b55e585f6d396ed83179943890698f9fb64158c0b40f94102cd33bfb90a4433ddb6d4286ab2b480774a84cfa842cc2b88cec981296966de247a811c85694
-
Filesize
1.1MB
MD5e090141c73f3f6f92422e0f480dce37e
SHA1f91ff62bf3e0e0fc1246cc90381edbded8272bd8
SHA2569c09ce3964bb9b5158022f528a20652b0704cc947adabbef41bbca82f31c0d26
SHA5123a62a38f477b1b4425b45ccbc8cb7c3f9fad504c87ad65221bbb9968b2436cbf361bd52b2122a1b553bee9f058e7428d703806950234fd4638f32f6b914546e6
-
Filesize
1.1MB
MD5393be9b5bf186e1b5400160e67cd67b3
SHA171b343b8bea5dff97550a90cdff6afad8db310e1
SHA2568a6b80d1d33ec328cc7d8f17a8af8ebe354adb32f6f75ee4618cd5aab0245643
SHA512f6e5d848ff4712303153bfac515860a3ba3cb9818c58cee01e03b927842441835a1fd04f13982baa4b0db1fe38be0a66f06a72a9cd09c13384cb7ffb560572f0
-
Filesize
1.1MB
MD571b99e58cbb812e8b1d3c20d125689f1
SHA1de64bf008552e91ae2e86cb85d26b326a1586ddc
SHA25615c7fef860a8c21bbe882628f0933c98cf5264cbe015fdbace78db97188cab75
SHA512720c59d300aee40e317b2b0091cbc207eb065d01767cc6babd150ae85bd8050da452439a149daa0c805cc5faea702c5c235f203f76259074de5d122eb83a078d
-
Filesize
1.1MB
MD5cf4f82642d5cafb47bc3d5f271a63eb4
SHA1130c5217f1d93a138e40097d58b634215663e7ac
SHA256e374c63fddeb60b95188ff516487c8e376fa2f0ea33055fa3076a52cdc8058ad
SHA51290ffb8a6e8754ed577ba3cc7359be6c5b4488012bfba19c4ca5722ee522ae92ef6b2849dd0747e4d67a2526a850b89ef84a22d01223119c817c0f68d322115f2
-
Filesize
1.1MB
MD511ac87d75964373d8a5d2f0f49e2142d
SHA140119ce8e831e7e1ca75d8d49c0074a48096e237
SHA2562518b21140400f11e5535ee8b3d4b45f6f3c0f6d726aec1870955d158d8416e7
SHA512bee0c918949a742ee3179f10abb00b5e4824a690dc4b456e2ad77e63aba8c80238060c9d5fe264dba60c8d34260fe074943a47a2c7a6795053d17d4b4d45ec98
-
Filesize
1.1MB
MD54ddc362f47734436c43e0181d76697f6
SHA18b3e782c20eb1c8db0c0414fe83fb97a3a8dec7e
SHA256f5abe55302ee5e9b9a806b265ad2071539abdd86fd227313cf5a4e5981151d97
SHA5129a55793c4f7833e50cd619314a171d02c2816c991afd108c3e6baa324760d0107a0029979080e9249bb2bda24662dae715d836c5e4b358ef1344a8b2ec223d3c
-
Filesize
1.1MB
MD5a85633ed325a8ba28bbe3c2573ec5f48
SHA1abfc8bd089d3665bfbe7e439d0489b878b9d0dbf
SHA2563253d62da01bc9cd45cb953f4a47e61766420d5461d472914a4835118f4fd939
SHA512966a4f3d45325e6593fa15667f60e6b73e915bf91ba7eae5658810775e8fc3998d68d32c060d23c4d2982d1003663f3470ec3fae49718fac95e4cc1f8a5a393f
-
Filesize
1.3MB
MD50388309ad38145c0ebe5253de6b0aba4
SHA10efc221b93413ce9c5326fc0ffa2f891cd955fd2
SHA256b05903a9a96d716e13a872a51ae23d342b99646fe828401bc79b4277f737977b
SHA512f4e8e20d7c9cbc1896bf873cc0367622903c9783c37e0cb1e09745c22568a9029279a9da7dedcb65b290c436aacb525fdf654bcae8c0b3baca92df04547c0bda
-
Filesize
1.1MB
MD5a15581901d2a32f82aece2ecd4f3fdd6
SHA1d2061f50d6c26a088397e6f0a7d09a07b5919565
SHA256aa0a0e33d6446bbdc51fcf94c397b3e4b1515a7e5ae57ce1566f63342997ebfd
SHA512b5bfaca363e5cc4feb4af0bc0ea1958e5cd65cd295f329663676c5202ef2c638401a0bfcb122d2f9fd31c6bb0908d480c1cd86738910cef0d3f7fb3eb1dce85a
-
Filesize
1.1MB
MD51b251e8f0d1fdc50583e4fcb6d4a8398
SHA1f374033157449682aaed143e6c2c1b0b5a06a627
SHA2561cb4d2f81228c567d7aa471e71f01eb5ee33f48d0c72c0dd16e98e049f0ad8c5
SHA5128346bb40203df96f10406996114b9161c15880002edbdfb13ebdb7f148eca40082eca8786207089ae3eecab1cfed3945860600a35bd790a2bee5766a4a00d071
-
Filesize
1.2MB
MD5ab088d9951edbcfd4edbf73535068809
SHA1307474157fac692778ab14caf447b25a8c1513bb
SHA25662058dbea59c10511ffdaeffc6d1359f04497eef40097e5b6fbbbc1d8c71bbb5
SHA512b107cfe46d51b73715908b5dc85a41eaae3659bc35311e481c93e5369da967161172ffcd515029acd5a7bbc0b4c6f5a52dd8f6c74a36fe62d2aba7190e8924f3
-
Filesize
1.1MB
MD5a82b662f2fb0afdfbe35463336f55efe
SHA1a48093ef33bacc01586c2600da54a8c208e4d582
SHA2560092ea8724fa3241c0dd2c54c2dbde83162466ede9ee56ff132472534af5369d
SHA5120a90e84ca8763b0a3fa808b059bdd2df9a876040bb92fe80894403e8ac5ddbd1c32e07d8743315fb15a7cb6b79e6c7bfac918c60264f215cc233d333cf940b98
-
Filesize
1.1MB
MD51cd37b87efe02e95c44b75fa22933f59
SHA17b41fecaba590615fec97ead2010136214a98dd7
SHA25644d1697f5be5f4693e67c47ce1603b35a582a5a911da89bb0250e9f8933e5ba2
SHA5123f14a2a60ee85b5195baa5d9af6e0c69c470f6d0906517732847dda53dfbedefde77e1a5462255359c016a7f02ac0052784ddec6cafc8edcf682458eded87e89
-
Filesize
1.2MB
MD572182cae2020f4667ccfae54e58940ae
SHA1edaf1bd23cdae6e4eaa5a6d3c7268f8fc0f4371b
SHA2564ad619dd57c9bac1683beaa9ba33e7c25fadd44d02371d3b40fb82a7390cfb2b
SHA512859e8affd97487e6bdc743266f10e79a18579fc4cea532466ed682a8a07363485601212ebee4ffbdc1404823097321a3364af27546a9282a7914d642f4f5b27b
-
Filesize
1.3MB
MD53d1bf083afbd095b649d56113f7e725b
SHA1d15cfd5fa206da8b1ce4ae18de03453745e9bbc7
SHA256e3c991f79fda4d15ee1b9d2eab7b167c4bce9f5e698e418450e7aaaff3396ea6
SHA5127154b4d17032c61ac1a7a9d13db9862042d56f3eb8bd3324297967c3eecaba79daf61f40832b24a1275d2cb271e44f0e467ebba23f13cd1a9399dc297ef7a473
-
Filesize
1.5MB
MD56c7a3da36ddef3befb4cc7fce679c5d0
SHA12865464d00c6556a0691b981b5ec5c09b2a4c11f
SHA2562f1feb98cd1ed3b7145ba0b3dcdbac70fabf00d9da86274af5dac1858a6f6fae
SHA512e001a1a2c4ed76d5288f3f9d55fc191ebeec1d0c32dfdfc0a12cacde8ef05b51df23a468d48297d664481b88a107bf5c5cd88bcd7d8b36a470751e72f8d07a1a
-
Filesize
1.2MB
MD5634a50882ab2cca10e5d16c1fcd8755a
SHA111c1e3673e20e675277995f420335fc47a9b8880
SHA256d370acc1aeb62d4f030c343963eedc066f5e9a3e80230a0c9d7ed71714a5f153
SHA5126fbe305f0fcb33d491e2ebc3395d7f3759c5c7e84ccf2379111094f3bf50f9886feeb7b44f3f3117443d080a2a735e6288860b6107b640e1105ec128380a480f
-
Filesize
12KB
MD58b21719a840ffb325bf4fe1a82d0ce5e
SHA1ffc474f428e584ff800c2d130cfc471df7d002dc
SHA256b2474cb4dac85b410b25e833cec1709b1ad66ce8a4040bd843d95140658cc6b7
SHA512a737e718dd7b236db6c7f61dc46198c62e22766e0f04bc3806c4824b4c575135419e72f420018c27c8e04bdc0a2678d18158f833f78c7baf6118f6ba75357aac
-
Filesize
1.1MB
MD505b627d48663ecf6b80a2a6a8aaca2b0
SHA1e66eec6e0243265846d408999e4364987600e86b
SHA2563992ca83ba123038df4c0dbe50cabecc51637fc29cc82320c411326b23e96f26
SHA51295e4a18153e2ba18a518156e291b4a6afa2f60adf56a0868c4cc38e49d7b7186f45d02da4fe7cad43f7004aa8c9ef6ee3d105f2def7f264ea5bacb1a592b1945
-
Filesize
1.7MB
MD5b895060bf9f03a0adfa7c48e63e336db
SHA1471135b3c17c94b807c42e20881c270602007355
SHA256a1bdb987e716fecae542bdbdef43db6f54afa08764e8cef5572d888ade0770ea
SHA51284bebeaa692d156de82935c3f4eeaaae4934553db3b744d18c1123117eda2357392613891b6331cda81ae2fb5fe9d9e14de5d4f58ef21f4cc32c7bb88639a1fa
-
Filesize
1.2MB
MD53fa80cfd0e78f45ff1344119a40502b8
SHA19e6ede9dcff88bdbcaa0dee4d877d7beb3c50e4c
SHA256d4d0f60c452c788f4c475ef5f47102445a5cc254d82ac4b90e856ed821e09f1d
SHA512010c9a408c861e7603a6a3c3987a8dae48cc366d35b51795f1fd86c55f54b212df76428e520396e5cdce603e8989d1faa065a80b4b5db8be5b29e672b9bef45c
-
Filesize
1.2MB
MD501ae589f1fbd322ff357ff3df0abe0d1
SHA1100359db08b08bf19f925bbcb7eabcb657f20712
SHA25632d608ca9d5e3ed02d456095d9a25e0fcebdf2dbac8ffe5737146130fbc8a2a4
SHA512fdf47d452021196a2d5bb704e2018781618f60418b8b5d5c9989e68390841a11bbffeb4af38820b426f25e252d633628b779ce14dab26835f6118d45c7ce79ac
-
Filesize
1.1MB
MD52055c2f0208215e9bea1ffdde0540908
SHA1e4bcf4b411ad1e0c9387579cb6737944f750fd4b
SHA25695036c194274c413c259b28c72941d4c1d8964910b481127a9568505ebf1587a
SHA512a31ef0e2224aec4f19240bc24b9725c0c35dc292f2d177946ce2bba1a4abb7f006e9dab403c88af1dc3a31256e98077cdacc1ecfe643494f45099d9276f647ba
-
Filesize
1.4MB
MD53121a6005d11d8131b34276ca446910f
SHA16d867574c8067a73fdfec4c2242a20da47834fd6
SHA256362e76308691bd30d04e6e087ba2e5b19cffbb09f25977e505c1bf98967a03df
SHA512db4cf388507ebf32157bd5846be9e7d1cc743516c51d2116b487a474479dd2fdc21d2a35f75a22db45d3c7fcb2b4695dc47892abd823c10131515d61abd25d79
-
Filesize
1.2MB
MD5aa4d2397a171af16b92e7b2f86ed9770
SHA1f995ba12743d00e63d527c28f99c4f3f48421fc2
SHA25646c8514a18a71f5073d6616923e7640cff61bf2a11dd7a1e44a3f441b1a6041b
SHA5128a266f03cbf3ccb4f27c9c90097502e197413b815fb7571e0c00599adc098842f0a3edf2ad73611cc4a1a1acd6f4c0440f3fac5b97327ebbf2eadf8019c56e87
-
Filesize
1.4MB
MD59c14bd524524276b2b17d6d3595639df
SHA16704555d0f9cb579fa9a2193cbf93ef27dcbba38
SHA25610b43b6d3ca6f1bac40f4a4babf007aa5904589c8cb367787dbe02b2c8742403
SHA512673ceec71c80f9ee60ca28acdbbc37a08cbfee8f84af1f96933a4fb8f1576f184b99fd9b08d78d8df88a17fe84a8c3c900890cc9458522a58191b8f36d770ee9
-
Filesize
1.8MB
MD53c1d167aeddf82a29ca168f5b9dfeaa3
SHA141e009104ec427091249b6714ee6ced210fca573
SHA2561e0b42e29e239f6dae33dde571f41a14db27a442fe758ad5505b12b86a136e82
SHA51246bdcb5e4cbc65598a4f9cdae4d785de35dbe8f61ddc6d29225046a2c4b3b42841d6919dcb8845a835302eb7cd08fbc414d2c78e4dd21ba0af6c0e340563f06c
-
Filesize
1.4MB
MD5259d655424afae3ff0d985a1aebbb433
SHA1a51a4f8cb5a3b6e6a41d61d76fe3b868fd10b5e9
SHA2565175298e7885be29b66d4ff54e11b8944e2e9759fcca6aa8f34d5cb71e7add67
SHA51299e2098cd76e51b5257ffb7553510a322874e416d1397f739dd65a46d06d3b811aa0c21ae5934dc3329d05016ec569d908ee9046b246bce0f3bdd8107cda64d3
-
Filesize
1.4MB
MD52f3224d85b717ab048dbc76f80e07552
SHA1e0c69e5183b916b864915a58d57c047320a66456
SHA256c55b841d18630e9c225b8881baf086081cb64b64476447d885e83c54dff592de
SHA5123cdcb6f5c05935c30788cae3b6022c276ccc05b91841fa7b4f65821b501df1a5864cd450d974839c320ffd63677c860ed5b02d2e539c29cc57251013a18eec9e
-
Filesize
2.0MB
MD5fe4355dbb0445b7c0f0831653561431c
SHA1d4553c9e30cae249f72269c62dc5572452e42ab8
SHA256aa363d8b41bcb724c35120b64f1cd0d6182334c3a10c4fd1f92f73fa1fea9020
SHA51211a76f078c60064cd9ac439cfc5307294bae96be42744afa0948d3173cd5ed91ba7445fb634b1509a26fd91e5f4ea4ed39d3b077083b2fb2b7f53862eb72e5bd
-
Filesize
1.2MB
MD5074fbafc48ad0c0658b2392af8cd8ea5
SHA19b265cf3d22676cc6d1e5bf8391832964be8abdd
SHA256a3e9c44e7414ae5d400d7570145e59e5d44fa8267d6ca0e2f373301dccda418e
SHA512f82a7d1f6104f2de457fe2e2fe6258221b4d5d0c08048466c1966ae1cc755cb0aa05613a1d256703a8e786dc425b492f17d00bee7523d96a9542d5350d1638f3
-
Filesize
1.2MB
MD54e68440d46914562dfd67787633429f3
SHA1762c2566b5edca91f2fc1c7490e5fe4a787ddaff
SHA2565c2af8837560b776030fa05c82a2bd688876be969a775d2a44e8b6f258cdd292
SHA512b5464f6760042b8518cf87c2df7be821ff368d9c4be6e7f78a367c6daf508cf6ce85cb3e0806749a5c0e4aa0c8e5f47f01a341d67e9ef79240aef3166df1730e
-
Filesize
1.1MB
MD50e4b25a27d9827e2b5326e158d2f391f
SHA1c05ff67637c59789ea662508c2634c9420977362
SHA25686fd62cadcb47180585b354b65726469cc522818c24d13293ff28295fd2dbd4b
SHA51218e02ef0658344ac4f92880085a13a8cf41d1cd661547e4fd5a445f11f28e2542f65d8f1913b6b0ad3c0772478119c40904c8f15e767009771d4d46a3b910e8c
-
Filesize
1.3MB
MD5da30da04ac4229f56b4dc37de68c3214
SHA1a387bedc766fc124e7c67e2d9a2f7a5af3516057
SHA256772f254194b80bbbe4c12a0c1a8ddf4a23f0eac1227f0d8c91cd5e2bc4fa8036
SHA512864019370ba30fc90601c841d85804e6619aee4abd2a443f05ddf616ba07bc340b77002c536ea6b46254533c3aa9075d1fd463e2192cb759eba1499ae838a4df
-
Filesize
1.3MB
MD5a597f3d19cf52195156fd2a03e0ea306
SHA1da984cb459248295cf1b79fda36e392bfff34765
SHA2564dc3b339d9986fcd6c9c7b10ff8d55bf8dcad72b57cfc2d341ca26c8ebafe3d0
SHA512ed2c015e7b170e9d3c15756ad89994d49c9a864cf9a40d1294fab036e2804fb50f5e7b3c08afddbf87767daa2af7538b47ead5a373b7549c024a15eea22b7825
-
Filesize
2.1MB
MD500ca20e8a4cd3d8a5b770d3895d92388
SHA1d7ac6922e06a22c7ca965e4df730bb78ade6fe2b
SHA256e232adb1c142e1227c94042b92a31635e00f5d4e3b90742536d4bac2a05c9405
SHA5121e254d8d855bd56ae3018c45d2d4797c9abd0918cd79017b2db2ae9659de879d534ff6c112b875c303c0368ea3519605efbd40935442f214f07f5efc4ab240b4
-
Filesize
1.3MB
MD5177ea3df027b69aea1a98e6c6dff5968
SHA1c4db4dec382ecf9ef1fabde367046989acc5f9a4
SHA256404d2933662c7bb48fad23f425328ad4fc2c1c861c3fd693682afdfbfb9577d7
SHA5123bf6fc21ad8db5afd59e8839d04a0a98be1df818900cccc225f47f90033a78bf80731562b835a835fde53368268659e1f170e0061b3a186943a965e86e31bf99
-
Filesize
1.4MB
MD54991a00369dd78c4d167dd93f0e079c5
SHA1404d297a24076d153dc44a35521b64a389fde472
SHA2564eeba75dd8dbacef5eab7bb6ced33daefb990e3ef0b90ea160bebb5634e4b562
SHA5125c57cdcf579411d8ab43c1ffd42768ce0afe150afd11c556c90ed8b2da0500e62679b97d4d416e8ca9764b2764f5cd5ac234c78ef070a976e5dcbd282a12400c
-
Filesize
1.1MB
MD530f09671e3fe3c524ea2af4a84407af3
SHA135f221a91924d1b0c9004641ab7c63222061c26d
SHA256724b6506ea82253e8bb336ddf050da37c08d7af6c6870e8ad350ce0ef548222b
SHA512f52d7d337cf8e0c264ecbd30c4dc6e5ba8e218b266e09a7dc21d14ae0f96330c1f821a8c8910d7ca684192420d7a3d81df276863b42d497b696a5d4152ba128f
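The Downloads list above carries four digests per dropped file but no filenames, and the page extraction fused each label to its value ("MD5c0e5…"). The script below is an added example, not tria.ge code and not part of this report. It parses blocks in that flattened form into IOC records, refuses records with a wrong-length or incomplete digest, and matches bytes or a file on disk against the set using all four algorithms at once. The three records embedded as input are copied from the list above; the test bytes are constructed and, as expected, match nothing.

```python
"""Turn the Downloads hash blocks of a tria.ge report into an IOC set and match
files against it. Added example; not tria.ge code and not part of the report."""
import hashlib

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = set("0123456789abcdefABCDEF")

# Constructed input: three records copied from the report's Downloads list in the
# flattened form the page shows (label fused to digest, no filenames).
DOWNLOADS_TEXT = """\
-
Filesize
2.1MB
MD5c0e58c9fdaf855cb9c9c0b54aeea265c
SHA1ba291ea2985fa487340a1c85a9fae3d1237de96d
SHA2562acd09f330ce0c19d4f5ba624dedfe56111d0a61f62ecd66ef6d393af3385e39
SHA5122fe892d2874648a60dc5ec37152a0db0a345865164d36ad1f5e9b382edd4cfa94cb35a6a68097428e5797f6c3aab0e5b240a455b00f72d56e288fb093820a201
-
Filesize
12KB
MD58b21719a840ffb325bf4fe1a82d0ce5e
SHA1ffc474f428e584ff800c2d130cfc471df7d002dc
SHA256b2474cb4dac85b410b25e833cec1709b1ad66ce8a4040bd843d95140658cc6b7
SHA512a737e718dd7b236db6c7f61dc46198c62e22766e0f04bc3806c4824b4c575135419e72f420018c27c8e04bdc0a2678d18158f833f78c7baf6118f6ba75357aac
-
Filesize
24.0MB
MD55cc807113e9772157a39f827138537e3
SHA13a383b15c714dec4de5c1b9b7242249e506af6eb
SHA2568b494ba102ae532e6186e5dd665d85a657c25c89b38d139c5d680d0a26ab775b
SHA5123db2315dbf94d4eb9b69db8c9ab7b6b2ef8240807b13d5e03af6550e36d8c995f931735aa39999e9c0b86eed4686aba2c1a662f96305080ca2846eedcf69c520
"""


def split_hash_line(line):
    """'SHA2562acd...' -> ('SHA256', '2acd...'). With the label fused to the value,
    'SHA1' followed by a digest starting '256' is ambiguous; the digest length
    settles it, since each algorithm has exactly one hex length."""
    for label, n in HASH_LEN.items():
        if line.startswith(label):
            digest = line[len(label):].strip()
            if len(digest) == n and set(digest) <= HEX:
                return label, digest.lower()
    return None


def _finish(rec):
    missing = [k for k in ("size", "md5", "sha1", "sha256", "sha512") if k not in rec]
    if missing:
        raise ValueError(f"incomplete record, missing {missing}")
    return rec


def parse_downloads(text):
    """Records separated by '-' lines: 'Filesize' then a size line, then one fused
    hash line per algorithm. Raises ValueError on a malformed or incomplete record."""
    records, cur = [], None
    lines = [l.strip() for l in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "-":
            if cur is not None:
                records.append(_finish(cur))
            cur = {}
        elif line == "Filesize" and cur is not None and i + 1 < len(lines):
            i += 1
            cur["size"] = lines[i]
        elif cur is not None and line:
            parsed = split_hash_line(line)
            if parsed is None:
                raise ValueError(f"unparseable hash line: {line!r}")
            cur[parsed[0].lower()] = parsed[1]
        i += 1
    if cur is not None:
        records.append(_finish(cur))
    return records


def digests(data):
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256", "sha512")}


def digest_file(path, chunk=1 << 20):
    """Same as digests() but streamed, for large service binaries."""
    hs = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hs.items()}


def match(d, records):
    """Record whose SHA-256 matches, or None. The other three digests must agree
    too: a record that disagrees with itself is a transcription error, not a hit."""
    for rec in records:
        if rec["sha256"] == d["sha256"]:
            if any(rec[k] != d[k] for k in ("md5", "sha1", "sha512")):
                raise ValueError(f"IOC {rec['sha256'][:12]}... is internally inconsistent")
            return rec
    return None


def match_bytes(data, records):
    return match(digests(data), records)
```

`match_file(path)` is `match(digest_file(path), records)`; run it over the images listed under "Executes dropped EXE" on a host you suspect was touched by this sample. Matching on SHA-256 and then insisting the other three digests agree costs nothing and catches the two real-world failure modes of copied IOC lists: a digest pasted from the wrong row, and a truncated value.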