Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/05/2024, 11:08

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
Resource: win7-20240220-en
General
Target: 2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
Size: 677KB
MD5: 1576c7956bbe36ed8591988b429b1e8d
SHA1: be65cb41cb7f13866d4fd03daf89f68898efd0df
SHA256: 9bea0e110f705ffd7cd66c71ed1f902659516e7376230935d5d8a03473097120
SHA512: aa974c882e9d12a7c7b12ccacdf493da06ad9eefd5b1835ac6abb34df15c7ddeaa57fe2cdaf810996f12a094c99596ffbe1531f5d8f8ea4a5d63bf73d658916c
SSDEEP: 12288:QvXk18DFaBfvfoPDct6SlxlwkJJrqQoUhTFfPLgpRtHmr/UNvp8hMoZUDNF:Ek1AayDcMkqQpRQmr/UN4MbN
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
pid | Process
4852 | alg.exe
1656 | DiagnosticsHub.StandardCollector.Service.exe
4828 | elevation_service.exe
2592 | fxssvc.exe
3524 | elevation_service.exe
2328 | maintenanceservice.exe
5012 | OSE.EXE
3648 | msdtc.exe
3964 | PerceptionSimulationService.exe
3856 | perfhost.exe
3516 | locator.exe
4000 | SensorDataService.exe
1792 | snmptrap.exe
644 | spectrum.exe
628 | ssh-agent.exe
448 | TieringEngineService.exe
5036 | AgentService.exe
1004 | vds.exe
2944 | vssvc.exe
4416 | wbengine.exe
4740 | WmiApSrv.exe
4664 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (30 IoCs)
description: File opened for modification (all rows)
ioc | Process
C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\dllhost.exe | elevation_service.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
C:\Windows\System32\SensorDataService.exe | elevation_service.exe
C:\Windows\system32\AppVClient.exe | 2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
C:\Windows\system32\wbengine.exe | elevation_service.exe
C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
C:\Windows\System32\snmptrap.exe | elevation_service.exe
C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\2ce2d3ffaa61dacc.bin | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\fxssvc.exe | elevation_service.exe
C:\Windows\system32\vssvc.exe | elevation_service.exe
C:\Windows\system32\locator.exe | elevation_service.exe
C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
C:\Windows\system32\spectrum.exe | elevation_service.exe
C:\Windows\system32\dllhost.exe | 2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
C:\Windows\system32\fxssvc.exe | 2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\AppVClient.exe | elevation_service.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
C:\Windows\System32\msdtc.exe | elevation_service.exe
C:\Windows\system32\msiexec.exe | elevation_service.exe
C:\Windows\System32\alg.exe | 2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
C:\Windows\system32\AgentService.exe | elevation_service.exe
C:\Windows\System32\vds.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
description: File opened for modification (all rows)
ioc | Process
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Mozilla Firefox\default-browser-agent.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\idlj.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | elevation_service.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\orbd.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | elevation_service.exe
C:\Program Files\dotnet\dotnet.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\jjs.exe | elevation_service.exe
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\serialver.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\7-Zip\7z.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\javaws.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | elevation_service.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe | elevation_service.exe
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\idlj.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | elevation_service.exe
C:\Program Files (x86)\Internet Explorer\ExtExport.exe | elevation_service.exe
C:\Program Files\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jre-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | elevation_service.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\jstack.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\kinit.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | elevation_service.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Mozilla Firefox\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Internet Explorer\ieinstal.exe | elevation_service.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\bin\pack200.exe | elevation_service.exe
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe | elevation_service.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe | elevation_service.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (2 IoCs)
description: File opened for modification (all rows)
ioc | Process
C:\Windows\DtcInstall.log | msdtc.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
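The "Executes dropped EXE" and the three "Drops file" tables above describe one event chain from two sides: the sample opens service binaries under System32 for modification, those same binaries then show up as executed dropped EXEs, and two of them (DiagnosticsHub.StandardCollector.Service.exe and elevation_service.exe) go on to open dozens of further executables for modification. The Python below is an added example, not code from tria.ge or from this report; it joins the two tables so the chain is explicit. The rows are a constructed subset copied from this report. Three of the IoC lists stop at exactly 64 entries, so an executed binary with no visible writer (elevation_service.exe here) most likely means its write row was cut from the display, not that it was never written.

```python
"""Join a tria.ge report's 'Drops file' rows with its 'Executes dropped EXE'
rows to see which overwritten binaries later ran, and which of those then
overwrote more binaries themselves.  Added example; rows are a constructed
subset of the report above, not a full export."""
from collections import defaultdict

SAMPLE = "2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe"

# Constructed subset of the "Drops file in ... directory" rows:
# (path opened for modification, process that opened it).
DROP_ROWS = [
    (r"C:\Windows\system32\AppVClient.exe", SAMPLE),
    (r"C:\Windows\system32\dllhost.exe", SAMPLE),
    (r"C:\Windows\system32\fxssvc.exe", SAMPLE),
    (r"C:\Windows\System32\alg.exe", SAMPLE),
    (r"C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe", SAMPLE),
    (r"C:\Windows\system32\dllhost.exe", "DiagnosticsHub.StandardCollector.Service.exe"),
    (r"C:\Windows\system32\fxssvc.exe", "DiagnosticsHub.StandardCollector.Service.exe"),
    (r"C:\Program Files\7-Zip\7z.exe", "elevation_service.exe"),
    (r"C:\Windows\system32\wbengine.exe", "elevation_service.exe"),
    (r"C:\Windows\System32\vds.exe", "elevation_service.exe"),
    (r"C:\Windows\system32\MSDtc\MSDTC.LOG", "msdtc.exe"),
]

# Constructed subset of the "Executes dropped EXE" rows: (pid, process).
EXEC_ROWS = [
    (4852, "alg.exe"),
    (1656, "DiagnosticsHub.StandardCollector.Service.exe"),
    (4828, "elevation_service.exe"),
    (2592, "fxssvc.exe"),
    (1004, "vds.exe"),
    (4416, "wbengine.exe"),
]


def basename(path: str) -> str:
    """Last path component, lower-cased (the report mixes system32/System32)."""
    return path.rsplit("\\", 1)[-1].lower()


def executed_writes(drop_rows, exec_rows):
    """Map each writer to the sorted binaries it modified that were afterwards
    executed as a 'dropped EXE'.  Writers whose targets never ran are omitted."""
    executed = {name.lower() for _, name in exec_rows}
    chain = defaultdict(set)
    for path, writer in drop_rows:
        target = basename(path)
        if target in executed:
            chain[writer.lower()].add(target)
    return {writer: sorted(targets) for writer, targets in chain.items()}


def second_stage_writers(drop_rows, exec_rows):
    """Writers that are themselves executed dropped EXEs: binaries that were
    overwritten, ran, and then overwrote others."""
    executed = {name.lower() for _, name in exec_rows}
    writers = {writer.lower() for _, writer in drop_rows}
    return sorted(writers & executed)


def unexplained_executions(drop_rows, exec_rows):
    """Executed dropped EXEs with no writer among the rows we have.  With a
    capped IoC list these are the gaps to chase in the full report."""
    written = {basename(path) for path, _ in drop_rows}
    return sorted({name.lower() for _, name in exec_rows} - written)


def non_executable_targets(drop_rows):
    """Modified paths that are not .exe files, e.g. a service's own log file,
    so they are not mistaken for overwritten binaries."""
    return sorted({path for path, _ in drop_rows if not path.lower().endswith(".exe")})


if __name__ == "__main__":
    for writer, targets in executed_writes(DROP_ROWS, EXEC_ROWS).items():
        print(f"{writer} -> {', '.join(targets)}")
    print("second-stage writers:", second_stage_writers(DROP_ROWS, EXEC_ROWS))
    print("executed without a visible writer:", unexplained_executions(DROP_ROWS, EXEC_ROWS))
    print("non-exe targets:", non_executable_targets(DROP_ROWS))
```

Run it on the full tables from the report (or a CSV export of them) and the writer-to-target map becomes the infection graph; anything in `unexplained_executions` is where the displayed rows were truncated.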
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted from the ioc column).
description | ioc | Process
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
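The two signatures above tag the SCSI device-property reads and the CPU "~MHz" query as possible sandbox checks. The Python below is an added example, not code from the report or from tria.ge: it parses the device identity out of the registry paths (the vendor and product strings are embedded in the key name under Enum\SCSI) and reports, per process, which devices carry a hypervisor marker and whether the CPU clock was queried. The rows are a constructed subset of this report's IoCs, and the marker list is an assumption of this example. Two caveats when reading the result: the disk vendor string DADY is not one attributable to a known hypervisor, so the code leaves it unclassified rather than guessing; and spectrum.exe, SensorDataService.exe and TieringEngineService.exe are Windows service binaries that elevation_service.exe opened for modification (see the System32 table), so their device enumeration may simply be the services' own start-up behaviour rather than a deliberate check by the malware.

```python
"""Classify the registry reads a sandbox tagged as anti-analysis checks.
Added example: pulls vendor/product out of Enum\\SCSI device IDs and spots
the CentralProcessor ~MHz query; rows are a constructed subset of the report."""
import re
from collections import defaultdict

# Constructed subset of the "Checks SCSI registry key(s)" and "Checks processor
# information in registry" rows: (description, key, process).
REG_ROWS = [
    # {b725f130-...}\000A is DEVPKEY_NAME (property id 10): the device's display name.
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A", "SensorDataService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName", "SensorDataService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName", "spectrum.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002", "spectrum.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName", "spectrum.exe"),
    ("Key opened", r"\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "TieringEngineService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "TieringEngineService.exe"),
]

# Device-ID layout under Enum\SCSI: <class>&Ven_<vendor>&Prod_<product>\<instance>\...
SCSI_ID = re.compile(r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)", re.I)
# The per-core clock value that anti-sandbox code compares against a threshold.
CPU_MHZ = re.compile(r"\\CentralProcessor\\\d+\\~MHz$", re.I)

# Assumption of this example: substrings that identify a hypervisor's emulated
# devices.  "virtual" is weak on its own (a mounted ISO on bare metal also
# shows up as Msft Virtual DVD-ROM), so treat it as a hint, not a verdict.
VM_MARKERS = ("qemu", "vbox", "virtualbox", "vmware", "xen", "virtual")


def parse_scsi(key: str):
    """Return (class, vendor, product) for a key under Enum\\SCSI, else None."""
    m = SCSI_ID.search(key)
    return (m["cls"], m["ven"], m["prod"]) if m else None


def vm_marker(vendor: str, product: str):
    """First hypervisor marker found in the vendor/product strings, or None."""
    haystack = f"{vendor} {product}".lower()
    return next((mk for mk in VM_MARKERS if mk in haystack), None)


def sandbox_indicators(rows):
    """Per process: distinct devices touched, the subset carrying a VM marker,
    and whether the CPU ~MHz value was queried."""
    acc = defaultdict(lambda: {"devices": set(), "vm_devices": set(), "cpu_mhz": False})
    for _desc, key, proc in rows:
        entry = acc[proc]
        dev = parse_scsi(key)
        if dev:
            entry["devices"].add(dev)
            if vm_marker(dev[1], dev[2]):
                entry["vm_devices"].add(dev)
        if CPU_MHZ.search(key):
            entry["cpu_mhz"] = True
    return {
        proc: {
            "devices": sorted(e["devices"]),
            "vm_devices": sorted(e["vm_devices"]),
            "cpu_mhz": e["cpu_mhz"],
        }
        for proc, e in acc.items()
    }


if __name__ == "__main__":
    for proc, info in sandbox_indicators(REG_ROWS).items():
        print(proc)
        for cls, ven, prod in info["devices"]:
            flag = vm_marker(ven, prod) or "unclassified"
            print(f"  {cls}: {ven} / {prod}  [{flag}]")
        print(f"  queried CPU ~MHz: {info['cpu_mhz']}")
```

The useful output is not the flag itself but the pairing: the same two processes read the QEMU and Msft Virtual DVD-ROM identities and the unclassified DADY disk, which is what a real check would compare against a vendor list, while TieringEngineService.exe only touches the CPU clock.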
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000625e3ba8139eda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000907ddda8139eda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef4a28a8139eda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8ceada8139eda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b4d09a8139eda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008593b2a8139eda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099ae0ba8139eda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e8280a8139eda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1656 DiagnosticsHub.StandardCollector.Service.exe 1656 DiagnosticsHub.StandardCollector.Service.exe 1656 DiagnosticsHub.StandardCollector.Service.exe 1656 DiagnosticsHub.StandardCollector.Service.exe 1656 DiagnosticsHub.StandardCollector.Service.exe 1656 DiagnosticsHub.StandardCollector.Service.exe 1656 DiagnosticsHub.StandardCollector.Service.exe 4828 elevation_service.exe 4828 elevation_service.exe 4828 elevation_service.exe 4828 elevation_service.exe 4828 elevation_service.exe 4828 elevation_service.exe 4828 elevation_service.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 660 Process not Found 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 4644 2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe Token: SeAuditPrivilege 2592 fxssvc.exe Token: SeDebugPrivilege 1656 DiagnosticsHub.StandardCollector.Service.exe Token: SeTakeOwnershipPrivilege 4828 elevation_service.exe Token: SeRestorePrivilege 448 TieringEngineService.exe Token: SeManageVolumePrivilege 448 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 5036 AgentService.exe Token: SeBackupPrivilege 2944 vssvc.exe Token: SeRestorePrivilege 2944 vssvc.exe Token: SeAuditPrivilege 2944 vssvc.exe Token: SeBackupPrivilege 4416 wbengine.exe Token: SeRestorePrivilege 4416 wbengine.exe Token: SeSecurityPrivilege 4416 wbengine.exe Token: 33 4664 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: 
SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4664 SearchIndexer.exe Token: SeDebugPrivilege 4828 elevation_service.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4664 wrote to memory of 4132 4664 SearchIndexer.exe 130 PID 4664 wrote to memory of 4132 4664 SearchIndexer.exe 130 PID 4664 wrote to memory of 2540 4664 SearchIndexer.exe 131 PID 4664 wrote to memory of 2540 4664 SearchIndexer.exe 131 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4644
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:4852
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4824
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3524
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2328
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:5012
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3648
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:3964
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:3856
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3516
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4000
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1792
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:644
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:628
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4908
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:448
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1004
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4740
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:4132
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
PID:2540
-
Network
MITRE ATT&CK Enterprise v15
Downloads