Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:41
Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
Resource: win7-20241023-en
General
Target: 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
Size: 1.1MB
MD5: 8f0ac873b733bb1c5ea6063057e119e0
SHA1: f9b42abb789fc037dadfe7fd625387e01e9b0551
SHA256: 4346f49454355a7e1f79546d8aaeaf05bf3c3c465940ce52116a9ac3eb9f1760
SHA512: 5fd97d273aa874ccbaf89e07faa6a6c3bff1f376118302e9373967eac796e2cba577aad1c9ef2ab6ef7caeea32c65e9a12194af728a743962cb13d2829f71da1
SSDEEP: 24576:qSi1SoCU5qJSr1eWPSCsP0MugC6eTbSkQ/7Gb8NLEbeZ:SS7PLjeTmkQ/qoLEw
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
pid | Process
1160 | alg.exe
3156 | DiagnosticsHub.StandardCollector.Service.exe
4504 | fxssvc.exe
2232 | elevation_service.exe
1304 | elevation_service.exe
3340 | maintenanceservice.exe
2740 | msdtc.exe
1220 | OSE.EXE
3656 | PerceptionSimulationService.exe
3496 | perfhost.exe
2772 | locator.exe
1932 | SensorDataService.exe
2404 | snmptrap.exe
3116 | spectrum.exe
3944 | ssh-agent.exe
2980 | TieringEngineService.exe
3596 | AgentService.exe
2176 | vds.exe
2192 | vssvc.exe
2552 | wbengine.exe
2820 | WmiApSrv.exe
3820 | SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (38 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\8748dbf1e5a029dd.bin | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\javaws.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d729bb93732db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039f23fba3732db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d11deab93732db01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000696cf8b93732db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2e3cfb93732db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001796c1b93732db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010745db93732db01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d4410ba3732db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local 
Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
3156  DiagnosticsHub.StandardCollector.Service.exe
3156  DiagnosticsHub.StandardCollector.Service.exe
3156  DiagnosticsHub.StandardCollector.Service.exe
3156  DiagnosticsHub.StandardCollector.Service.exe
3156  DiagnosticsHub.StandardCollector.Service.exe
3156  DiagnosticsHub.StandardCollector.Service.exe
3156  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
664  Process not Found
664  Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description                            pid   Process
Token: SeTakeOwnershipPrivilege        3196  2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
Token: SeAuditPrivilege                4504  fxssvc.exe
Token: SeRestorePrivilege              2980  TieringEngineService.exe
Token: SeManageVolumePrivilege         2980  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege   3596  AgentService.exe
Token: SeBackupPrivilege               2192  vssvc.exe
Token: SeRestorePrivilege              2192  vssvc.exe
Token: SeAuditPrivilege                2192  vssvc.exe
Token: SeBackupPrivilege               2552  wbengine.exe
Token: SeRestorePrivilege              2552  wbengine.exe
Token: SeSecurityPrivilege             2552  wbengine.exe
Token: 33                              3820  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege      3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege        3820  SearchIndexer.exe
Token: SeDebugPrivilege                1160  alg.exe
Token: SeDebugPrivilege                1160  alg.exe
Token: SeDebugPrivilege                1160  alg.exe
Token: SeDebugPrivilege                3156  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process            procid_target
PID 3820 wrote to memory of 216   3820  SearchIndexer.exe  110
PID 3820 wrote to memory of 216   3820  SearchIndexer.exe  110
PID 3820 wrote to memory of 3988  3820  SearchIndexer.exe  111
PID 3820 wrote to memory of 3988  3820  SearchIndexer.exe  111
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-08_8f0ac873b733bb1c5ea6063057e119e0_ryuk.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3196
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1160
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3156
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4836
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4504
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:2232
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1304
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:3340
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2740
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1220
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3656
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3496
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2772
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1932
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2404
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3116
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3944
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4104
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3596
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2176
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2820
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3820
-
C:\Windows\system32\SearchProtocolHost.exe (tree depth 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:216
-
C:\Windows\system32\SearchFilterHost.exe (tree depth 2)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:3988
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads