Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/04/2024, 18:45
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
Resource: win7-20231129-en
Note: the task list records the Windows 7 resource win7-20231129-en, while the Analysis block records platform windows10-2004_x64 and resource win10v2004-20240426-en. The artefacts reported below (SgrmBroker.exe, PerceptionSimulationService.exe, System32\OpenSSH\ssh-agent.exe) ship only with Windows 10, so the behaviour listed on this page comes from the Windows 10 run.
General
Target: 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
Size: 1.5MB
MD5: 263f9520f61b359f05878c6397a3e7ad
SHA1: 5b167dc4f7ac8c2d2264a6012a51b9ad99d2b553
SHA256: 74629c617726b3af414ae498a723f9b939dc97c5fcd7946301344cd371544264
SHA512: 71f8d4c5bbb774bdedf3563d12eab0e8f11cd60e1594cd4b908d75a3758fa899657fdee00fd46b970898bad9badfff38db9630724d3edefa051e0ae6a59d1426
SSDEEP: 24576:V6BjRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:ABjRVlbnXf9gPTTW7H1GXC
Malware Config
Signatures

Executes dropped EXE 22 IoCs
Every entry is an existing Windows service executable or an installed third-party component, and most of the same binaries appear further down as targets of "File opened for modification", written either by the sample itself or by the already-modified alg.exe. Overwriting installed executables in place and then running the modified copies is the footprint of a PE file infector rather than of a dropper writing a fresh payload; despite the "ransomware" tag in the submitted file name, this report records no file encryption or ransom-note activity. On any host that ran this sample, every binary in this list should be hash-checked and signature-verified against a clean image rather than trusted.
pid | Process
1528 | alg.exe
1776 | DiagnosticsHub.StandardCollector.Service.exe
624 | fxssvc.exe
4072 | elevation_service.exe
4948 | elevation_service.exe
4528 | maintenanceservice.exe
4212 | msdtc.exe
2308 | OSE.EXE
4884 | PerceptionSimulationService.exe
2644 | perfhost.exe
3632 | locator.exe
2416 | SensorDataService.exe
3712 | snmptrap.exe
1784 | spectrum.exe
2948 | ssh-agent.exe
3104 | TieringEngineService.exe
2004 | AgentService.exe
3816 | vds.exe
552 | vssvc.exe
1724 | wbengine.exe
3676 | WmiApSrv.exe
3856 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc. No IoCs are listed for this signature in the report.
Drops file in System32 directory 31 IoCs
All but two rows are existing service executables opened for modification. The exceptions are MSDTC.LOG, written by msdtc.exe as part of normal MSDTC start-up, and 63a1a3d992be0f3e.bin in the SYSTEM profile's AppData\Roaming, written by the modified alg.exe; that .bin is the one artefact here that is not a pre-existing binary and is worth collecting from an infected host.
description | ioc | Process
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\63a1a3d992be0f3e.bin | alg.exe
Drops file in Program Files directory 64 IoCs
The report caps this table at 64 rows, so the list is a sample of the infection, not its full extent. Every target is an installed third-party executable (Java, Chrome and Google Update, Firefox, Adobe Reader, 7-Zip, VLC, .NET, Office ClickToRun), and from row two onward the modified alg.exe is writing alongside the original sample.
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
All 64 accesses come from spectrum.exe and SensorDataService.exe, two of the modified service binaries, not from the sample's own process, and they are confined to the Properties and FriendlyName values of the three enumerated drives. These Properties keys are where Windows stores the device properties returned by SetupAPI/CfgMgr device enumeration, so the reads may be the services' own start-up enumeration rather than a check added by the infector; on its own this signature is weak evidence of evasion. If the values were evaluated, the QEMU DVD-ROM and Msft Virtual DVD-ROM strings would identify the hypervisor, while the disk reports the non-descriptive vendor DADY.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
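The file-modification tables and the SCSI registry table above are far more useful once they are split back into rows. The following Python is an added example written for this page, not tria.ge code: it parses rows in the report's "description ioc Process" layout, lists the executables each process opened for modification (a hunt list of binaries whose hashes and Authenticode signatures should be re-verified on any host that ran the sample), cross-references that list with the "Executes dropped EXE" pid table to show which modified binaries then ran, and extracts the SCSI vendor/product strings that the services read. The embedded rows are a constructed excerpt of this report's tables, and VM_MARKERS is an assumed list of vendor/product substrings that identify hypervisor-provided drives.

```python
"""Split tria.ge's flattened IoC tables back into rows and act on them.

Added example (not tria.ge code). The sample rows below are a constructed
excerpt of the tables in this report; VM_MARKERS is an assumed marker list.
"""
import re
from collections import defaultdict

ACTIONS = ("File opened for modification", "Key opened", "Key value queried")
_ACT = "|".join(re.escape(a) for a in ACTIONS)

# One row is "<action> <ioc> <process>". The ioc may contain spaces
# ("Program Files (x86)"), so it is matched lazily and the process token must
# be followed directly by the next action or by the end of the text.
ROW_RE = re.compile(
    rf"({_ACT})\s+(.*?)\s+(\S+\.exe)(?=\s+(?:{_ACT})|\s*$)",
    re.IGNORECASE | re.DOTALL,
)
# "Executes dropped EXE" table: "<pid> <process>" pairs after the header.
PID_RE = re.compile(r"\b(\d+)\s+(\S+\.exe)", re.IGNORECASE)
# Device instance path under Enum\SCSI: <type>&Ven_<vendor>&Prod_<product>\<id>
SCSI_RE = re.compile(r"\\Enum\\SCSI\\([^&\\]+)&Ven_([^&\\]+)&Prod_([^&\\]+)", re.IGNORECASE)
VM_MARKERS = ("QEMU", "VMWARE", "VBOX", "VIRTUAL", "XEN")  # assumed, not from the report

SAMPLE = "2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe"

# Constructed excerpt of the "Drops file in ..." tables on this page.
SAMPLE_FILE_ROWS = (
    rf"File opened for modification C:\Windows\system32\TieringEngineService.exe {SAMPLE} "
    r"File opened for modification C:\Windows\System32\SensorDataService.exe alg.exe "
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe "
    rf"File opened for modification C:\Windows\System32\alg.exe {SAMPLE} "
    rf"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe {SAMPLE} "
    r"File opened for modification C:\Program Files\7-Zip\Uninstall.exe alg.exe "
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\63a1a3d992be0f3e.bin alg.exe"
)
# Constructed excerpt of the "Executes dropped EXE" table.
SAMPLE_PID_TABLE = "pid Process 1528 alg.exe 2416 SensorDataService.exe 4212 msdtc.exe 3104 TieringEngineService.exe"
# Constructed excerpt of the "Checks SCSI registry key(s)" table.
_SCSI = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
SAMPLE_REG_ROWS = (
    rf"Key opened {_SCSI}\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{{b725f130-47ef-101a-a5f1-02608c9eebac}}\000A spectrum.exe "
    rf"Key value queried {_SCSI}\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe "
    rf"Key opened {_SCSI}\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 spectrum.exe "
    rf"Key opened {_SCSI}\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{{259abffc-50a7-47ce-af08-68c9a7d73366}}\000C SensorDataService.exe "
    rf"Key value queried {_SCSI}\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe"
)


def parse_ioc_rows(text):
    """Return [(action, ioc, process), ...] from a flattened IoC table."""
    return ROW_RE.findall(text)


def modified_executables(rows):
    """Map each writing process to the sorted .exe paths it opened for modification."""
    out = defaultdict(set)
    for action, ioc, proc in rows:
        if action.lower() == "file opened for modification" and ioc.lower().endswith(".exe"):
            out[proc].add(ioc)
    return {proc: sorted(paths) for proc, paths in out.items()}


def infected_and_executed(pid_table, rows):
    """Names from the pid table whose binary was also opened for modification.

    A binary that is rewritten and then runs is the file-infector pattern;
    msdtc.exe is excluded because only its MSDTC.LOG was written, not the .exe.
    """
    executed = {name.lower(): name for _, name in PID_RE.findall(pid_table)}
    modified = {p.rsplit("\\", 1)[-1].lower()
                for paths in modified_executables(rows).values() for p in paths}
    return sorted((executed[k] for k in executed if k in modified), key=str.lower)


def scsi_devices(rows):
    """Distinct (device type, vendor, product) triples read from Enum\\SCSI keys."""
    found = set()
    for _, ioc, _ in rows:
        m = SCSI_RE.search(ioc)
        if m:
            found.add(m.groups())
    return found


def virtual_devices(devices):
    """Devices whose vendor or product string names a hypervisor."""
    return sorted(dev for dev in devices
                  if any(mark in (dev[1] + dev[2]).upper() for mark in VM_MARKERS))


if __name__ == "__main__":
    rows = parse_ioc_rows(SAMPLE_FILE_ROWS + " " + SAMPLE_REG_ROWS)
    for proc, paths in modified_executables(rows).items():
        print(f"{proc} modified {len(paths)} executable(s):")
        for p in paths:
            print("   ", p)
    print("modified and then executed:", infected_and_executed(SAMPLE_PID_TABLE, rows))
    devs = scsi_devices(rows)
    print("SCSI devices read:", sorted(devs))
    print("hypervisor-identifying devices:", virtual_devices(devs))
```

Feed the full tables from the report (with the trailing "-" separators removed) to parse_ioc_rows to get the complete hunt list; in the excerpt, MSDTC.LOG and the dropped .bin are correctly left out of the executable list, and the disk's DADY vendor string is not flagged while both optical drives are.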
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
The reader here is TieringEngineService.exe, one of the modified service binaries, and the only value read is ~MHz, which is also how ordinary code obtains the nominal CPU frequency; the same caveat as for the SCSI reads applies.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
The writers are SearchProtocolHost.exe and SearchFilterHost.exe (worker processes of SearchIndexer.exe, which is among the executed binaries) and the Fax service fxssvc.exe, and every write populates MuiCache strings, the shell-extension cache, FileExts OpenWithList keys or DirectShow device enumeration keys under the SYSTEM profile's .DEFAULT hive. That is what Windows Search and the Fax service write when they start under the system account; none of these values are autostart or persistence locations.
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9bdf53f9c99da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d6a63409c99da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000885eb53f9c99da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff0761409c99da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df49e03f9c99da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043b385479c99da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f869d3f9c99da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9b2473f9c99da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 660 Process not Found 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 1012 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe Token: SeAuditPrivilege 624 fxssvc.exe Token: SeRestorePrivilege 3104 TieringEngineService.exe Token: SeManageVolumePrivilege 3104 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 2004 AgentService.exe Token: SeBackupPrivilege 552 vssvc.exe Token: SeRestorePrivilege 552 vssvc.exe Token: SeAuditPrivilege 552 vssvc.exe Token: SeBackupPrivilege 1724 wbengine.exe Token: SeRestorePrivilege 1724 wbengine.exe Token: SeSecurityPrivilege 1724 wbengine.exe Token: 33 3856 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3856 SearchIndexer.exe 
Token: SeDebugPrivilege 1012 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe Token: SeDebugPrivilege 1012 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe Token: SeDebugPrivilege 1012 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe Token: SeDebugPrivilege 1012 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe Token: SeDebugPrivilege 1012 2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe Token: SeDebugPrivilege 1528 alg.exe Token: SeDebugPrivilege 1528 alg.exe Token: SeDebugPrivilege 1528 alg.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3856 wrote to memory of 5028 3856 SearchIndexer.exe 111 PID 3856 wrote to memory of 5028 3856 SearchIndexer.exe 111 PID 3856 wrote to memory of 624 3856 SearchIndexer.exe 112 PID 3856 wrote to memory of 624 3856 SearchIndexer.exe 112 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1012

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1528

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 1776

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1752

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 624

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 4072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 4948

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 4528

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 4212

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 2308

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 4884

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2644

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 3632

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2416

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 3712

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1784

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 2728

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 2948

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 3104

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2004

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 3816

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 552

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1724

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 3676

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3856

  Child: C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 5028

  Child: C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID: 624
Downloads