Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 13:28
Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-08_b978c1b041c6f57195bfb898e9b4ff01_ryuk.exe
Resource: win7-20240903-en
General
Target: 2024-11-08_b978c1b041c6f57195bfb898e9b4ff01_ryuk.exe
Size: 1.1MB
MD5: b978c1b041c6f57195bfb898e9b4ff01
SHA1: 062ce814ac551baf14e25badf4d94fa0df66d606
SHA256: 2ba398a91a6742519c16e1f9172b1ed2c471e04cfe7aeea21f8358b81fe010b6
SHA512: 1692f7acea6087c3b91e42490789fcc4c01e46ac314e0197d56523cb63f391a7ee5f0afdc008bed73e17179bf70a24202c6bc4ddcc9ebac22d9d78d4a1f0c27e
SSDEEP: 24576:USi1SoCU5qJSr1eWPSCsP0MugC6eTwSkQ/7Gb8NLEbeZ:8S7PLjeT5kQ/qoLEw
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
3292 | alg.exe
552 | DiagnosticsHub.StandardCollector.Service.exe
4060 | fxssvc.exe
3448 | elevation_service.exe
1628 | elevation_service.exe
3160 | maintenanceservice.exe
4860 | msdtc.exe
3596 | OSE.EXE
2248 | PerceptionSimulationService.exe
3224 | perfhost.exe
4540 | locator.exe
2936 | SensorDataService.exe
3936 | snmptrap.exe
4996 | spectrum.exe
1800 | ssh-agent.exe
1160 | TieringEngineService.exe
428 | AgentService.exe
3604 | vds.exe
3172 | vssvc.exe
3220 | wbengine.exe
3160 | WmiApSrv.exe
2988 | SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (37 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-11-08_b978c1b041c6f57195bfb898e9b4ff01_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5c9512ce231db01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f138c42ce231db01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
552 DiagnosticsHub.StandardCollector.Service.exe
552 DiagnosticsHub.StandardCollector.Service.exe
552 DiagnosticsHub.StandardCollector.Service.exe
552 DiagnosticsHub.StandardCollector.Service.exe
552 DiagnosticsHub.StandardCollector.Service.exe
552 DiagnosticsHub.StandardCollector.Service.exe
552 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 756 2024-11-08_b978c1b041c6f57195bfb898e9b4ff01_ryuk.exe
Token: SeAuditPrivilege 4060 fxssvc.exe
Token: SeRestorePrivilege 1160 TieringEngineService.exe
Token: SeManageVolumePrivilege 1160 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 428 AgentService.exe
Token: SeBackupPrivilege 3172 vssvc.exe
Token: SeRestorePrivilege 3172 vssvc.exe
Token: SeAuditPrivilege 3172 vssvc.exe
Token: SeBackupPrivilege 3220 wbengine.exe
Token: SeRestorePrivilege 3220 wbengine.exe
Token: SeSecurityPrivilege 3220 wbengine.exe
Token: 33 2988 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe
Token: SeDebugPrivilege 3292 alg.exe
Token: SeDebugPrivilege 3292 alg.exe
Token: SeDebugPrivilege 3292 alg.exe
Token: SeDebugPrivilege 552 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2988 wrote to memory of 5068 2988 SearchIndexer.exe 109
PID 2988 wrote to memory of 5068 2988 SearchIndexer.exe 109
PID 2988 wrote to memory of 624 2988 SearchIndexer.exe 110
PID 2988 wrote to memory of 624 2988 SearchIndexer.exe 110
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-08_b978c1b041c6f57195bfb898e9b4ff01_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-08_b978c1b041c6f57195bfb898e9b4ff01_ryuk.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:756
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3292
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1944
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4060
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:3448
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1628
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3160
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4860
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3596
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2248
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3224
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4540
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2936
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3936
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4996
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1800
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1160
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2164
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:428
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3604
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3172
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3160
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:5068
    -
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:624
-
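The process tree above shows the pattern that matters for triage: the sample (PID 756) enables SeTakeOwnershipPrivilege and writes into System32, Program Files and Windows, after which a long list of legitimate service binaries (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, wbengine.exe, the Chrome, Edge and Mozilla update and elevation services, and so on) each run and are flagged as "Executes dropped EXE". Every one of those images ships Authenticode-signed, so on a host suspected of running this sample the quickest check is whether those exact files still carry a valid signature. The report also flags use of the Volume Shadow Copy service COM API, and vssvc.exe and wbengine.exe acquiring SeBackupPrivilege and SeRestorePrivilege, so an inventory of the shadow copies that remain is worth taking at the same time. The following script is an added triage example, not part of this report or of any tool it names; the paths are copied from the process tree (the Chrome and Edge version directories are the sandbox's and will differ per host), and the function names, the `-Since` cutoff parameter and the CSV output locations are assumptions of the example.

```powershell
# Added host-triage script; not part of the sandbox report or of any tool it names.
# Run from an elevated PowerShell on the suspect host.
#
# $ServiceBinaries are the images the report shows running as "dropped EXE" after the
# sample wrote into System32, Program Files and Windows. The Chrome and Edge version
# directories are the ones the sandbox had; adjust them to the host under review.
$ServiceBinaries = @(
    'C:\Windows\System32\alg.exe'
    'C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe'
    'C:\Windows\system32\fxssvc.exe'
    'C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe'
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe'
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'
    'C:\Windows\System32\msdtc.exe'
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE'
    'C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe'
    'C:\Windows\SysWow64\perfhost.exe'
    'C:\Windows\system32\locator.exe'
    'C:\Windows\System32\SensorDataService.exe'
    'C:\Windows\System32\snmptrap.exe'
    'C:\Windows\system32\spectrum.exe'
    'C:\Windows\System32\OpenSSH\ssh-agent.exe'
    'C:\Windows\system32\TieringEngineService.exe'
    'C:\Windows\system32\AgentService.exe'
    'C:\Windows\System32\vds.exe'
    'C:\Windows\system32\vssvc.exe'
    'C:\Windows\system32\wbengine.exe'
    'C:\Windows\system32\wbem\WmiApSrv.exe'
    'C:\Windows\system32\SearchIndexer.exe'
)

function Test-ServiceBinary {
    # Returns one record per path: Authenticode status, signer, SHA-256 and a verdict.
    # Every binary in the list ships signed, so anything other than 'Valid' means the
    # file on disk is no longer the vendor's (HashMismatch: body altered under an
    # existing signature; NotSigned: signature stripped or file overwritten).
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed cutoff supplied by the analyst (e.g. first sighting of the sample);
        # a validly signed file written after it still deserves a look.
        [datetime]$Since = [datetime]::MinValue
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'MISSING'; Signature = ''; Signer = ''; Modified = $null; SHA256 = '' }
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $item = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($sig.Status -ne 'Valid') {
        $verdict = "SUSPECT: signature $($sig.Status)"
    } elseif ($item.LastWriteTimeUtc -gt $Since) {
        $verdict = 'REVIEW: signed, but written after cutoff'
    } else {
        $verdict = 'ok'
    }
    [pscustomobject]@{
        Path      = $Path
        Verdict   = $verdict
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Modified  = $item.LastWriteTimeUtc
        SHA256    = $hash
    }
}

function Get-ShadowCopyInventory {
    # The report flags use of the VSS COM API; record which shadow copies remain so a
    # later run can show whether any disappeared. Win32_ShadowCopy is the WMI class
    # behind 'vssadmin list shadows'.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate, ClientAccessible
}

# Example run. A cutoff of 24 hours ago is an assumption; use the real first-seen time.
$Cutoff  = (Get-Date).ToUniversalTime().AddHours(-24)
$Results = foreach ($p in $ServiceBinaries) { Test-ServiceBinary -Path $p -Since $Cutoff }

$Results | Sort-Object Verdict -Descending |
    Format-Table Verdict, Signature, Modified, Path -AutoSize

$Shadows = @(Get-ShadowCopyInventory)
"Shadow copies present: $($Shadows.Count)"
$Shadows | Format-Table -AutoSize

# Keep both tables for comparison with a clean reference host or a later snapshot.
$Results | Export-Csv -LiteralPath "$env:TEMP\service-binaries.csv" -NoTypeInformation
$Shadows | Export-Csv -LiteralPath "$env:TEMP\shadow-copies.csv" -NoTypeInformation
```

A 'Valid' status across the whole list means the services on that host were not replaced, whatever else ran there. Get-AuthenticodeSignature verifies the full certificate chain, so on a host without access to revocation data a stale chain can report 'UnknownError' rather than 'Valid'; treat that as a prompt to check the SHA-256 against a known-good copy of the same Windows build rather than as proof of tampering. The third-party entries (Chrome, Edge, Mozilla) are signed by their vendors, not Microsoft, which is why the script checks the status rather than a particular signer.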
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize: 2.1MB
MD5: 4be4bf1094c60e978cecfb40e40f699a
SHA1: 12643388d7215e0a1431328ece1b351e321befe9
SHA256: eb6fc2e78a060232958cfff9924c3f1c24b7dcc77d901921cf5e5a355fabb9bb
SHA512: 6fd48cb4fab60e4c725f74d3fe9834c8bc29abc5d45054fdd266053502e56f2c2c91129043c056c42df5b394d9e23d367590b188f88e01cfae9777a44c6bf84b
-
Filesize: 789KB
MD5: db294544326c244aa342b4e4b0d0100a
SHA1: 908f24526e92b481e17edd8978f50ae426593792
SHA256: fdd6017e533c1b149019c4e049d8904984dc58afbdbe8d66398b09708428bd3e
SHA512: d6337b0eb40aec5ec5850ec4a2a9d51a41e68a286bf14249399d31cdd950e1e3d399babe6ec300cd2b406f39672a7d8ed7cba4635deb5d72715a89af83045943
-
Filesize: 1.1MB
MD5: 5053f077688cd60648e1669746088bf7
SHA1: 545e160eaeef6317fe1681ce904ef9b3f815c7be
SHA256: ceead5eee3b526d623cc77d779de19bdb803e3a617cdea909c5c6847efe357f2
SHA512: 1f2ee31d0e34bdb69b70ac53764809bfb4dddf9cca00a6dc076447e9193e235bd65a5aba9b113b6a46e03238882a30e32651eb31aecfab8538bc3bd844866591
-
Filesize: 1.5MB
MD5: a4f64e0322f1e2de117b72ee8cb3dad8
SHA1: 8701b317684140052626c14b8b484d13fc5abfc4
SHA256: 83a9c745b6af3b3b25e0382538d1647a862d1c5d5d4c86877888e677dfe9bb96
SHA512: 8f8dc49b00f1707f16ccd42b90971f4d4581cc898ca605527a39b26176a9e1f9bc80c3d4f2dcbdbac12e585f122cf690b108d6b2e20906b4b09e15a333481149
-
Filesize: 1.2MB
MD5: 39cad9d50950183f9ebe82684386b240
SHA1: 2f4269a0031ac6f1def73d6e9d353f00354e0eee
SHA256: 81744c497851614c3ed34d8d298e28759876b7efa6335800b27618868eeff285
SHA512: f7c26f9e1f3624c406f5aab5fb9a33ec5b1bfedec0fb4b9de6a2388340e5187053ce881f2810ca38944a4c3db704d645b7f607e2e67bc8f4129c8223075c414e
-
Filesize: 582KB
MD5: 816e274fc979853c928d9b7c4c36f5d4
SHA1: 6472c46a8800c2c0ccfb596f6abfc118faabbbb9
SHA256: 1d28bad692577a3f27fba7371c1c84f1fa8171f7766d3194be60a1c63ded9567
SHA512: 1e6f4ba8c444cdddb9b574f01ca31df2449da0f83845a5e34b835a1321af89232728555bae7443e39c886622ccf790c5142f1ae6bbfe4e59e63b2a9fdc6d3ed8
-
Filesize: 840KB
MD5: 261752338604d76fbd98edfdcc778469
SHA1: 612bb403e77e426c6dc30269e15b7555ea4ff61c
SHA256: 7acdae19db334f95708318612068bc2f61aabc8205ebe21fcb0cd5a0587547d3
SHA512: 0005d45b9ecc5aacbedbdf6ae49d18d7b0654f5dc676d8251921b5050232526d6052c847726d63be4ddf76d7b523fcf3b9c24f26b4a7106e8a87c6140c0538d7
-
Filesize: 4.6MB
MD5: d569415a42a1416b741c549973c7a877
SHA1: 4c7eb945aca9466d371f3ad4be266b79c950fff7
SHA256: b9edeceb6d3bddd45e8034bfa626570ca618bd36a46f337e2f1e2d1eedff3263
SHA512: 500b8e725bdb4ddeecc53040546f711be14edce3ecbfa21ec81c10cc2d0a02abb626a0294026337f48add9176899d8bfa6ca4c0ba9200baa062e264385c29f33
-
Filesize: 910KB
MD5: 5b079a24acebca0db632933537050b8e
SHA1: 78a4985675e6b364115aaabc563af3dd625354dd
SHA256: ea9c0d63c2187a9c8c6a830d3edb02bffb8af9dd64ff2a6a6a7010a1062f5a9b
SHA512: 290be55d8a43e13e51e42007d874697c60c2e847d70f03359f1e050b86f9884caa07f8b289a9decf5a3c4447941205553ddfed7ee1bd3d211775cd1ec19c54aa
-
Filesize: 24.0MB
MD5: bdda32b3572506244f6e4649e9e9f885
SHA1: bef5d64e1bf18517df31de9ca5f28903d393712a
SHA256: eb4df529ff27fea0ec08d2fb32a38f2a5dd7e299455caba6f69b27e0c5277c04
SHA512: 5464e1b4b54e47175513d2371c1eeabea8f6a434b88658368ef5ce8bcfd8e3f8fc41366ee44b20b518b0bbce6bedc00b8c96743c3b78f903330b3f85f75c6a38
-
Filesize: 2.7MB
MD5: 737bbb5f9f0f7d9c376a923a14f49d9c
SHA1: cd76052b259138f23a467aa039d7b209a3309f1f
SHA256: 84837c20cbc44a6402aa754be5e7ebd3cddff370d35a58d39c869e50b9da12ac
SHA512: 835f6e4b881588ffe2ea193dd13dd0a93f04a29a3a600c862c68f6e5445dd8cc56216ac5bffa6265579ee42cc376bbdaff59aebb3d1e070897e3834ed0caf63e
-
Filesize: 1.1MB
MD5: 70fd6899c76ab614149ec2650ccb2605
SHA1: 9f22176d42cd5f5d3dc307eedf93e682cc524319
SHA256: 55a409cb022f3f6d5260ecb396256d9c1c9c4000d606557caeac8fbf33637bb7
SHA512: 1f632f54192a8258bc6174bb328dcc09e04964a38be45424080df687be69b7d8ead7d44e8ca6b94d585ca2b204c780ef003a70bcd2cc503ed5ec52eb56529db9
-
Filesize: 805KB
MD5: 31ddc6b0a5ef1bd8f2ea536ee58ff035
SHA1: bfa475ef8424df9ecff4333d0039a89e98fd3b1c
SHA256: 14ce01477e0f87ba3fdd87cc937a7a4a51fbb317a11ea2f71e0f50f03369b437
SHA512: 72648b1ca5bd82f4a915a4d03c8294bdb528d6d511f20d0e6f8a1aebdb01a3484cc04359308e90af7d30788688a29ad6bd8530644ca57c48d8b2e81e73aeb0b1
-
Filesize: 656KB
MD5: c53d9c9a4070195f9218ae03822b38ab
SHA1: 5c903557ccee4187804e380b1c05031f319cb4e4
SHA256: f34389aa9416911a917a5f8248a14b5842a57a0e62f8ae4dad22b6acf86c4d89
SHA512: 30893189a61e0b4670d6f0c0c56a0ce1353d23b8a2982e75c7934cd284ae506e0c3ffd56b4735ff1c8d8fe2716a2ad7a1ef94a3af43bee0e0ce3914ac3064fb1
-
Filesize: 4.6MB
MD5: 20bbf1bc01959bf13a535a462887e06e
SHA1: 20ba3f3fa0ed559ec6ecede76b253050de3d4871
SHA256: 196ff08fc96d4edf78d57b3eb3dd74045e63696bdb8d9e8b3bdb7871e90dafbe
SHA512: fc9aa488e2800100d59aae50a22d29a6d304776c1276862acbe7c70c2b2d9b77b79ef66469df64b54f5f349f66da0209096205a0c4531668d07fec7149f05449
-
Filesize: 4.6MB
MD5: 2d705d0d48876c8245ee01a4e9f587de
SHA1: cc36b2dec0d35ed36bfc172c466dac5acd46e0f5
SHA256: 458e6aab270e41d13b2462e30dbf5fab4f596107f63eff6c2126253ec81f511a
SHA512: 0a6c8d38121896577ffae0b3bde8654262910ac86a2a64a3fb781248ff840b498648aa25e833f0c7a3f01025f558b8c2f608a4d52b46c2fcdb1264594a9a0c8a
-
Filesize: 1.9MB
MD5: 3135c20daf3a1d607ac4a93895294b8a
SHA1: b8b9379ffd6185ea237cbf574f827da4c607b7c4
SHA256: 8b11620bdbab5267b35a48ddec75e1d85896cd7bbcd3d9578586f42c465f4412
SHA512: 7fb46b03747bb973d1d66a3a1acc736873ebc8b89ac581910973053a034350bed916f53371a28e9fe47247c8a83ee96403d5b42bf870fe31dff4eaeae7c50e15
-
Filesize: 2.1MB
MD5: 7e439e7fbabaf8c58a6dd90754731e73
SHA1: 3823916106910974d60396c1f789cb1f29cf4c48
SHA256: 468cdf5dce5322d640193156d9c740850850c9fd523b7c0a306aa37c4f5a9651
SHA512: 98d342c958b9199229480acc3c94a1ba6988529dcfa09ae846e766d3e72460b5179470eb8268224bb081eb78152f0e5d953f0fb24829990dbbb6eba16335e13b
-
Filesize: 1.8MB
MD5: f57eafc4209f54ecb531198e5a20af34
SHA1: 7b42b91b13763af7e7fa18887351936152ed6551
SHA256: c9fd45e43c68458fbd51f600ff365e5624f7cc1db4592ccee861f213dfdab797
SHA512: 294b3dc9bc5c6191cfc0abb5bf04d9759df3c1f88e086dd269371f995b8217e55364fa4e724bb2cd9daba2ef6a036f1986426cca05a24897ae9045d013d41a48
-
Filesize: 1.6MB
MD5: 35459d4d8e6dbaef3f23dfd36a940938
SHA1: e37d581d1eb1313387c12bf7d89d1dd6eb65a6fc
SHA256: fb96619a38c53656b787fca9c9f14138be3db9391596ced4c011d5f3ce80fb0d
SHA512: 1a7e27e9eaeb8c00f7f668f4fcce75d630f529182d4793cd4e36c40720e66733c3d4e43e2b0c09552ae3082740e9453128841c77d044e0167c3d4abfac569227
-
Filesize: 581KB
MD5: 9dd21d11c2621fc5e5a142b2480044d0
SHA1: c2d06b8ecfa1d29ecd95231fe0fe89f54cddc718
SHA256: 9633277cb7d48b142d5e81e936afb730ce7cc552bb8214ad7e375978cd6e90ba
SHA512: 162efd3089705217d822db1d0cc4cc142b47128f81d74cb0d8f956706298ef493bdbafbb2af80ca3e5540c418205159ddd54be7dea616c422543055807a2f4cc
-
Filesize: 581KB
MD5: 20462265f9fef5079243655cc8066171
SHA1: c848c6b2a507f660208b918108d0e9260e057f2d
SHA256: 90c261c90cc0d81bc09b642800cd3e405668cb8bea8ae17afc78d1e88a6af319
SHA512: d76a43b53c8aa52e98677390caa32839f4b526157ba9cb6e3bb397445f4d73b839940999602ee2683105147605f5b241ef1ab5d20c2799d1bd3d9af85a3b4ba4
-
Filesize: 581KB
MD5: e0aaa192c9331c62a286a44414466312
SHA1: 3221ca55321a1d7829da11efd0e20f7eb70e82c1
SHA256: d9b2538beb46595830328b430323663b3f78842398b730566dd36610556f24dc
SHA512: 8236fbdc663f0efc370250879acfa5eb549909fd2913b5e42871b0d52a46e6f054d4218be760db1a6e45e025bf0383f4cd455978c573a95d298bf33b1574fa4b
-
Filesize: 601KB
MD5: b2feae9d7cd60f9f564afaa755a50194
SHA1: 58f4c1a792aad1085be5d48fcd2056be28207f50
SHA256: ac5863c1802f328cf269564f106cb0b1597c9017ab01922d8ce758fa826c5585
SHA512: 03e62ff87f5872adc0f7c51f88979110367ad631a2936fafd6fb5529be9e69fc90055c3fa386d248366c0d6017c7de0f86b68bd798a4ffeac38b30cd8f7f98fa
-
Filesize: 581KB
MD5: 9aa0dc6a0fb55e68867e971ca4a6f927
SHA1: 85648c7801a45279d609a3d9b38a1490ddb988f8
SHA256: 0645e5f2b3f1e8a49465bdc9339c1e2bb251d3e5d33fd012185bc945c4da2467
SHA512: 3708569cd1444d2483892f49738e40523b9735f78e026254af800595579d01bf338f28bd8035b24dbc59cfeff3a9966dcfcde86f321d90ffb8fb13cc000dd582
-
Filesize: 581KB
MD5: 692768052f8529773400d8440accf7a2
SHA1: 24edeebd12de61a8e4d5e3f748c6d31b19c951d7
SHA256: 5109eebfd565c58c1a109e08d4653a1c8ab7542f48f6fb1f4bc9217934769f5c
SHA512: b5dc2969517ed35eb6529b1adccb4da759653972e788a7de5be726c6b6da71036eb31bdaa5a991cd1c2b21d1fb7b39be3744a3bef57a8c6472d22dbc85f3a561
-
Filesize: 581KB
MD5: e8a6516d34f521e6298f66d64b328f02
SHA1: 8fcfb9964bb4d04e8ecbe4de5fc4aa4fbc97383a
SHA256: 20d9d1752d8d3be8c81b5700192a7dde4d3e9385e301b0b4fd48dbaf9f5372da
SHA512: 745a1d83c5f72c0a48b85da664ded52105a58020473eb465d3f98b782f380cf82a693b2c1fd0570c9784baa835385cb75a8da027afb9208ebab021d5d4120090
-
Filesize: 841KB
MD5: 9f3dbe1aa6c0c160639d7dea4c26cb15
SHA1: 84d48f66c190905f6dd22b1ad2b5d5d4c913b8ec
SHA256: 3a814b0c591d67c53d6942b409b6cd6160fabfb3c147b334436c1aab97b55dbb
SHA512: 2a2eb8bd7537915ce0e8673f2c58ffb173cbbfedbf52d5330bc56c78ffd905772e0c265fac57257e1c40995db977cd5d0ebcc426a3287a512368dcaacfabd176
-
Filesize: 581KB
MD5: dc573b75add9a1304b1cdd05b03dd1f8
SHA1: 2ec77d8765762ebdea6a9ee582c961a02569e42a
SHA256: 36e0b957ddf6cff68c113d988e609acfd43949d43391503b861914b412fac649
SHA512: 5aceb32069f471fab746a7daa8729c532b77e5e5fb9171c7f52d3cfa14aa811ed7925cd256f14b87df57132edb53c68044e053a17898d420adaa2eae8c407641
-
Filesize: 581KB
MD5: 6d5279ba9707a0bb3930e07179a22128
SHA1: 61667197e61df6857ef55b378cf1f29b1a0cb558
SHA256: fef3042da8c61eb2d99d69dcc49494102875767ce59239b505a7d27b673170c3
SHA512: a69a5aab4070ac1e802f493ba9a4ae6be0d67ef9d8f528139da798527af5bf4c790b44519a0b334a5d93c6abb83f65d833906eac61125ad86af6e5b303c74ed7
-
Filesize: 717KB
MD5: c68d92a065ab6974f125ac9c8703f72d
SHA1: f01884855be6f7b463c1a8cfe14494012aa4b704
SHA256: f55756de1477bb0bbbac3e87a0e2fbf87236f4f83278cc41508eb04292f89989
SHA512: e474d8c4e5a52254f24ad043d710956a00299b48785bd7d478c1e2de6dd14e08eedb225ef1b6f6c0c9495cf9164684a71e8dd1f56698aab4dc29959367b1bdcf
-
Filesize: 581KB
MD5: cdcf5b5e9781997759341adb74c1f21d
SHA1: 738701e8b93679e779ce95fc930fc17b0019bc6a
SHA256: 67c1a881adec42928e8114d5a17c731b8927bcf24b0dd4c7ede0ce5373e4ce06
SHA512: 90aac33fe63f771d747a9b765f3fcbec8615df4a3cfcf73ea046fbbb44814940bb9dff213b689ab3327c073a86735099dff13d009f1f5be77e6c461d582b2922
-
Filesize: 581KB
MD5: bf4b7242a2ca63480635783980b13074
SHA1: d5920fa25746ca2438e1b2a5d312c252fca89b3f
SHA256: 06a05a0d088179d65991ab9916377d5aff5ea6925f9ccc6233abd7d76cd2ad3e
SHA512: 5263dafc51369ef2b326333ec3de3593d32833c25dc1b04b9f1f753be2002511b0dbec53da0b4f6e6bbc5b981a1b11f991b8ec9352a4c31b32cb969171bf175a
-
Filesize: 717KB
MD5: 5cec7e3544f86ebe3c16136e4347dfa3
SHA1: a8bec06ad7dd131a7b8d12ecd53e6d7766daa650
SHA256: f007d2166db6b39e01cb5d388054f4c0f93cc348b23d3d042ccb9bea0103ee60
SHA512: 2560afa43382592b2fa2720e86d27aff7e82272bc4d3651e0dff6e20e3344b0549fd7e11223056e4281af196baf121e3b5cbac55dde8b6289318951d896a7f38
-
Filesize: 841KB
MD5: 2f72dff3539802101c04453730e0f046
SHA1: 4dec55da11da7d62d04b99d01a8d632851af0016
SHA256: 539f6d4045108087e1830fd7beae0ade9eb31b93e6258f03b7b8163a67078740
SHA512: 93dcd94a743b70759b023eed18e3a9e2cf5d2095e8747300f23ea5c497ceb445b92762b4b98e597992afd462ee88fa62ef86e1281b541e6114e53c38f59a01b3
-
Filesize: 1020KB
MD5: 222d5d0599df8e936df4eb5a5a454983
SHA1: 97c9a35178eb4d95b2399fc7d5c30b79b33ed709
SHA256: 486f86d8678b6ce43aef8ae539ce92cc6361fb1ef3809b5cd625a4644cc84173
SHA512: a6f6a4405a06c645183454e166f21a9f9d44c09ad1edd0cbdda6d49c5e3c07d1eb8c21c22aee6b32e0008cf3339a365b9740c85c357619d960865cbd0d170c40
-
Filesize: 581KB
MD5: f911bf189d2006529a396e5e95f32632
SHA1: bc1473e9d896d6d7d89c6b80f620d00a537b6569
SHA256: 837a1cee344e9c11020b83196407f8a68c0b9e4f35dbae02a0cfab8fc4035e17
SHA512: 2dbb427b16d601eaeab6eae739fdd6435543003cf51b252d0439f6ebfeb29febf8b507fc04e0537344846e00fb24a6c32c4ccc1e9cfed401eaab32027b421264
-
Filesize: 1.5MB
MD5: 692417cbb72d7c9421cf642fd2798e02
SHA1: b252569130c4cc39b7b76120a41095053490d5c9
SHA256: a4e7598f8dd8ca47eee9d2cb3f706b96264db73ef83ec1acec4a568a5d90e6bc
SHA512: 7da3a4639ca1411337a532182ae193472130cd602a451c5bdece7cd793e1f493246b5cdda3358b5764e6d508e1fbe3ed265145253070f4794e7c813520695730
-
Filesize: 701KB
MD5: d06d4062db329ab471fc819fe8f9aba9
SHA1: 7a48e087869298cccb51dad9ea205870b7729cfc
SHA256: fe85d68e214743d457f543ba8c78557ce86fa6e84fd5e6a42c90b31809979879
SHA512: 5d8a338417a3d278c2b6e1de3b5b65ab3a7c047ef2eae395983237f9bb9249e2ccee0a3416f859ec6c052131f44e161ecfdf3ba9eeadf722151d3edbb3183b8c
-
Filesize: 588KB
MD5: 7438f909f7a1f72ddea3988df54f5962
SHA1: 9f8a51d9ba6f562c53c7e57827e49fd1c7295988
SHA256: 49f8b5ec778ebcf6a60b43787d67c0156efa83e864e3b7a80ed5519e4992ae06
SHA512: 30616ab659efdaf23af6f8d1d49f6c7f01f03ae508268c041765206911d214e3566bbf30f2a6dde56844080d8d6a55b86021ad1e5d905e4bd775d7ddf2c60dd9
-
Filesize: 1.7MB
MD5: a83e5e48f148704b772853317d77fbf2
SHA1: 23f3151d28a7fc38db46cd6895606fe093a16266
SHA256: 336bd2a8e0aeda9b5ba3f5ebc730217ae965c7d480f07695685532be0d403cef
SHA512: 6c6a4e311686ef883315b136fc884c073a3f8b0e7ab2b5cccab519686d9154642a910467b823f057b209d2df6a134133ac9fa9acfcc7ee20bdec2014df619e86
-
Filesize: 659KB
MD5: 2ad7185976625d40a5fd684c1be27e3a
SHA1: 5296be1bfcbe7b33029719aa714d1640e17ad7b0
SHA256: 111a8b1477e267fdbd53f8421c8552dbf5834faa84a5b75c69001d93e54da6be
SHA512: 05e706ad654227cde37781d5686ab45f8c7cf11a96de182e203aaa09ad6f7a983e61548b996802677e316d9f97056cefa205ac018caca63fa7f608adcebb932f
-
Filesize: 1.2MB
MD5: c38c72893b07fdb4dd78a3bdf2837efe
SHA1: 320352b4a0977afd66db597e56d9bf423f1970df
SHA256: f0308f834af535164d8f822ec9cf381d6ae60fdedb222f63a8dd611d2cbcb593
SHA512: f6956a44464da4fbba94f20e9c9df223d7157aea8d006c2335f34baf37d804d70e526ed050e24e5eeb97379ef94f85cf5310fd06c62db6fdd855ffebf1703d28
-
Filesize: 578KB
MD5: 635164b87a18e525c75b49a74d59e743
SHA1: c865dc7c6110eebeaad648541c10e0b6a4b26baf
SHA256: c2c03c7f9ec6e185bd84eea7609d1dea26b4defa028a7cc49fb9b03625351adc
SHA512: 0987fef678cff99525911910199008029ab5b41a2c3bc9daf17464d1c924fc44cfcc78bbc4541de102cef36cf7d1fca5707c323f4c8ef49bf4d5bda56d61fa56
-
Filesize: 940KB
MD5: 856b9de73d303e43219aee7878431d4d
SHA1: 7c7390323d30f85876d410a86c178f4c4d75cf8a
SHA256: 3320b1ed7f5f077de7f12286e9e725b908923fb78eea356379eb84c557ea3d42
SHA512: 1aa342ffbfa6e1ea12ffc1269e193754a981ec0dfa81945734d5b6669d2530adbdbae660021ade2284856b4cf9245528b76d5e73e364d02722a390fb225a55f4
-
Filesize: 671KB
MD5: 6458be1e13735a50fbb6d95b78292cf5
SHA1: 61a8d404368691699fe325c8a3b09a10f01ea87f
SHA256: 3456f282aee43291547576e3bf6edef6aef6bd500fdfbfab18e02b0213333b48
SHA512: 7e4c63fbdce4235b379e43fcf020b568c8d63a207dbe6b1c9bc331be2f20de94d5e4d03a2e0c576386016fbd42b91e42abb7af3a7303491101bb5363909b27cf
-
Filesize: 1.4MB
MD5: 9f52b6de1aa4b0c8071fadecdb20224d
SHA1: 51ac23f4132b0b30ae66c74985415499f0abd821
SHA256: aa7c1bf751985a32e3e5a07024d7b87ecd6960eea0673c7ae83afb4dde4bfa7d
SHA512: 46336d5d95f4719b4e970dcdca9b04bc08003e53401fc6f9361ce1249ce575a2794ab628203812a82b257579553796d452a80f0fbd6564166e9a29b01e39ec45
-
Filesize: 1.8MB
MD5: ef7dafe0a49dcef691027c26653e739c
SHA1: b985bd37fe88953eda25e040cae857264b9823fb
SHA256: 306b6d3175c95b66c8910297f832956e665453cf558ce236982c627ef21336ac
SHA512: 0fb2e8b02154ded554f9adeb5fb3ea358f101544466f20ad76744a2bf8bec26a6fe30b862621a1bbc2a7dddc160a410a39ace565f7016c3a5cc49b1e870105de
-
Filesize: 1.4MB
MD5: 8adb53a4fce13089c2f6344ff4d8f8ca
SHA1: 2855c2b99bb4cb450f63b25aec5904d23c24e8aa
SHA256: 5769c95edda491715733510b721fc14585b6668e761334325f386b462c5d725f
SHA512: 438631a3137ed0782cafc1c40461ddd9a02f609ad530763517c8dd3dc530b4e5decee64a526dad3f8cac2d86ac31dd6916c1c57eaf2623af490e6da76cc4369b
-
Filesize: 885KB
MD5: bb2810c8a6931bf35d689c1c5f62ad7d
SHA1: d5f9e9d673baed13e44f56e606dcf5a79d7a4bf2
SHA256: cac50d1a4c2f1d45fbd037887f259d012db782b65ba1d9d37ff3c5aa613653fe
SHA512: c55937fffd688333ab1f9501c2853fcebfb3b3126e7f92705193e66bde4e1025a432936a3b631c430f9d67717e4f7b64541ef375d80d2bbd026dc6292c8df90a
-
Filesize: 2.0MB
MD5: 3a8ed87652bcb5c365e20b32e7e00cb7
SHA1: 50de906ec21c854987ba279d2c0e7122683b6381
SHA256: 0335d45c9ee52d297f5ccd6fb023ad1194aeddb7b82f876ec9954a80a0c0c4d0
SHA512: c08b71d3383a419d1815e51e4e7de0bb61a63e760570a0edbdd333aa2ed26f4733e81af892a17c6d90576a825d7b3dfaf5c6bd89fbaf325bb4066b28b6e31be2
-
Filesize: 661KB
MD5: 3112028082f80063278fc36b2fb04c8f
SHA1: 3f028e7e8678b7cb8e21d5484a7c8392e000897b
SHA256: 75833854990e662213400888f71156d56734bf109409bb0d7a180d7557c2341e
SHA512: dc563395b57198549658e909a41d77ced9aa8cea9514291304c1fff9f612b194ab536bf517aa9fd8ff370f075374ef7e2a2baa88b4a63bf9140a96db216b9d99
-
Filesize: 712KB
MD5: 5f1bf517935925d060bae643e4d6e98b
SHA1: dde0e396b4c44e512bbfb29a577ff5e8bb433fb3
SHA256: b95dcdae639f8ba2f073fec1cd00f38511cdd525f30e91041a9fe22b3b8acfdf
SHA512: 5b671bd48f5ad91d091aebda88f64aa5e92184bdf8b745e63e869034e7460a2e1652d98a333471f6d44e1dd7518ab45f9c01748cbfff11f1489c4f88421b28d2
-
Filesize: 584KB
MD5: c599ac7c2bf6e6a6f9628e4320465d05
SHA1: 3074a35eeeaed943e0741f1717b5a48dbd5903fc
SHA256: 78c0c9da2f8aebd8f679f6e326d4a10fa3312b7dc30ff2cd191ffe1c4b26bd95
SHA512: ad2f6a40a9ef2c6ef50df608768902760291f5c612f89232e5dff9e6c5b71aecd18b6c37bc0cc15ac423b08a7f57b9e178aeed0cf12ec75e6645efd36346c346
-
Filesize: 1.3MB
MD5: 9678497b6b7bc9f7c3d4f1719d82e5bc
SHA1: 2a407332bdcdac3dab7341d7df202ff56bb7e3a9
SHA256: d01f862076a1e6a45dbbb5cd7e2a30e9a83bece7b6060246dd2a95b9150972df
SHA512: 26b746f04857b259ec0df146de2392a6a425288c2e9d5727348e6f579b08ea77c84ca8e8ef79ffcdeacfdd4a32cdcefaa0918dfc8fcf9a3ebc6a63d59198375f
-
Filesize: 772KB
MD5: 646b1e2a6e1cd0555c1da4fe39831600
SHA1: cb535187637209d232932ec6f7426cb7ed7f736f
SHA256: 280379f24513d71b9a9c2965d29b82d8facf3f9d96414896c95d72cac6b18960
SHA512: 6acba5bb040618a3d163ba43ec8351a7cf22c3fd47a69f18183bf88cd4be4f70d5bf34549e2926f080d115503f0f92067c9f9cd74469b2764d54db335734ce3a
-
Filesize: 2.1MB
MD5: 3361a552ffecb976f2254ad5e4363ded
SHA1: e445b8367670a292637979a94c31d432ea3e6fad
SHA256: b485ac6e6cf9ded10d481ddb07673281de01153e6f37d5eae1fe35d357b45375
SHA512: 731e4a46699d1977ca27f732b79685caf1a7da9c86afe25eb4eaf6f26c5ffa546a3e06edc4da4dae9ad8fc3a133ac0e3c40645c473f898273fd7a8e1aa8b454d
-
Filesize: 1.3MB
MD5: 81ca94c1c3d2b5e91409df614edaef17
SHA1: 2521d14c7b31d87d894d0daada9a287cd0cebe38
SHA256: 9c93182af543bc7776dedc0fd7b49c0ef74e2c1ae459827aabcc14b95406b535
SHA512: 7d8a6aa8b7c1da31f5c8feda54503e8ee862134b4d98e1c899fd4ab32b577e5744aa7e78f6133f5129370d1ed82d72d3e30695104b7f591f72441405b9653e09
-
Filesize: 877KB
MD5: e7407b267fe59b951868eddd63813b3a
SHA1: 5600b4698565bce5ac8b0761d54cf729f95cc40b
SHA256: 0bc4997fec07251f00f8477bc7d803128edc01900138ffcac56fe48852d9af02
SHA512: 44baa9637ac5d84e1897e0d0941242cb9b14371c05078db24bc9f2aed0a4db257bfd55bcda92d81c340d21c17cb63e66a5f09fa736c4bce479351835a4542bea
-
Filesize: 635KB
MD5: 41f9a42b2dbe20011d40520682b0d76a
SHA1: 99d630b4ec5d7aa14c3099cbc5fe2b605985d260
SHA256: 0af213286685f907199e84f1b3d5cd0d6e23f4c5bce71a0ebd771bbeab6485c7
SHA512: ffa8ef92e9bd9166e504036267695279095ef45507457c87c2e9b52db4de03a4a027d62d6703c0c6fdef8f5b4dd96706eb6d4d13450d45b01fab73c834186741