Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2025, 05:54
Static task
static1
General
Target: 2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe
Size: 1.6MB
MD5: 9919f5cac21ac109d52310f6b86eb7a3
SHA1: 8cd8d9204451a6209e79422888ffdc5b3b32c985
SHA256: c697b3b40a2115c5c7e2d3fb2da0b3ac26b6caff42babcb1b4522128f008818f
SHA512: b1a2d036c3b3b374b85e01d2663197a23b7e9887936530be012978153d1628009794e838b189d317a6ba7ae679c88d0cd9b487550268c6b5df1ebf7a80a4a0c9
SSDEEP: 24576:6NB7/gE3mM/SWWsbT/cq3fNuGGC5SYCSNyBo4kx929bL3Hnx:ABrgE2M/yk/dWB+kn3Hnx
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
pid   Process
1388  alg.exe
1580  DiagnosticsHub.StandardCollector.Service.exe
4452  fxssvc.exe
4008  elevation_service.exe
4116  elevation_service.exe
3672  maintenanceservice.exe
4628  msdtc.exe
4656  OSE.EXE
4788  PerceptionSimulationService.exe
4568  perfhost.exe
3156  locator.exe
4396  SensorDataService.exe
5004  snmptrap.exe
4976  spectrum.exe
2928  ssh-agent.exe
3144  TieringEngineService.exe
6096  AgentService.exe
656   vds.exe
2644  vssvc.exe
3956  wbengine.exe
4164  WmiApSrv.exe
1748  SearchIndexer.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 31 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
Media Audio file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process
1416 2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe
1580 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1416 2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe
Token: SeDebugPrivilege 1416 2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe
Token: SeAuditPrivilege 4452 fxssvc.exe
Token: SeRestorePrivilege 3144 TieringEngineService.exe
Token: SeManageVolumePrivilege 3144 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 6096 AgentService.exe
Token: SeBackupPrivilege 2644 vssvc.exe
Token: SeRestorePrivilege 2644 vssvc.exe
Token: SeAuditPrivilege 2644 vssvc.exe
Token: SeBackupPrivilege 3956 wbengine.exe
Token: SeRestorePrivilege 3956 wbengine.exe
Token: SeSecurityPrivilege 3956 wbengine.exe
Token: 33 1748 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1748 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1748 SearchIndexer.exe
Token: SeDebugPrivilege 1580 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1748 wrote to memory of 412 1748 SearchIndexer.exe 110
PID 1748 wrote to memory of 3716 1748 SearchIndexer.exe 111
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:1388
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1392
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4452
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
- Executes dropped EXE
PID:4008
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
- Executes dropped EXE
PID:4116
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3672
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4628
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4656
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4788
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4568
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3156
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4396
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:5004
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4976
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2928
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3068
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3144
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6096
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:656
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3956
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4164
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
-
    C:\Windows\system32\SearchProtocolHost.exe
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:412
-
-
    C:\Windows\system32\SearchFilterHost.exe
    "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    - Modifies data under HKEY_USERS
    PID:3716
-
Network
MITRE ATT&CK Enterprise v16
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (1)
Credentials In Files (1)
Downloads
-
Filesize
1.3MB
MD5e6a379497b06b7c0b6300e1f12f2fdc7
SHA1bf3acb8c890587919fe99c5ecc83959f15a0d26d
SHA256d24e4d0af3109ff51ab8ff9bb55a8264609ab664aa2788d14387f6f6b046624b
SHA512b2f792ec688ff051408550dd0cceca8243482f505449660c186d341b421db75010cac381cc9e62405c05af9e73380a778db697b97fac047819316da1454e427b
-
Filesize
1.5MB
MD5c52f11ba2fe2dcc89add910e8363876c
SHA103a04af97544c7a3b6341d9a2816f2d5bc03f738
SHA2565b12a2a5561b6a7282ef90932b915870d3d33cafda1f899d80b0246fde6248d0
SHA512382b11b958492d0093670055a85fe9de748136449c5529d55bd7727b55e04d08a87c6e98b122c6676920a9f2a088000c257523d3bf4e6589aa28f8d276e21d16
-
Filesize
1.2MB
MD50cbded6a9bbb8777ea3cc8f628ad06a1
SHA184ec2e596e3d57dc47a0e1addd10b9e6fde91eed
SHA256c933d84bfb37b199fbf504a7b4558d729f62efe97fcbfd1b4bbc76369246eb15
SHA5122b8063b4d1c0b82ef94fde68c90fd00dd98872b760511378023a019873339afa5d39decef9e287ecf9a88d37ff8291b209a7f2e682994eb2ccc995b053ccb4e7