Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/05/2024, 20:07
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
Resource: win7-20240221-en
General
Target: 2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
Size: 1.8MB
MD5: 74413fbeca6919363319dc15a157d6a5
SHA1: 6539788a55da5cce4ba523e6f36ba6908566f0a4
SHA256: 031497482ff8e39f965f92e6fae9282ead4c5289c02e5902f469490f5880cc1e
SHA512: 77defde240cf61b09fd474d313c8759059dc3a639b6fc7eaba6f247a300b6e2e571934c60304aa653ed49230b00d1dcfe88008527a47a8ad05cccb9087f4e846
SSDEEP: 49152:5Eo9+ApwXk1QE1RzsEQPaxHNULGQrk/Ww4lo5rFGR5:n93wXmoKETi44rq
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid   Process
2572  alg.exe
2776  DiagnosticsHub.StandardCollector.Service.exe
396   fxssvc.exe
1240  elevation_service.exe
1728  elevation_service.exe
4728  maintenanceservice.exe
3172  msdtc.exe
1928  OSE.EXE
1512  PerceptionSimulationService.exe
1080  perfhost.exe
1432  locator.exe
1708  SensorDataService.exe
4508  snmptrap.exe
4200  spectrum.exe
4376  ssh-agent.exe
2264  TieringEngineService.exe
4448  AgentService.exe
4908  vds.exe
380   vssvc.exe
4860  wbengine.exe
680   WmiApSrv.exe
4808  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops file in System32 directory (37 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\system32\dllhost.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\AgentService.exe  alg.exe
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\TieringEngineService.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\dllhost.exe  alg.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  alg.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  alg.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File opened for modification  C:\Windows\system32\locator.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\AgentService.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\System32\vds.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\vssvc.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\2cf07ac234f82a5.bin  alg.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\msiexec.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\System32\msdtc.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\msiexec.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\System32\snmptrap.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\msiexec.exe  alg.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\System32\alg.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\spectrum.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\AgentService.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\wbengine.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  alg.exe
File opened for modification  C:\Windows\system32\dllhost.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\SysWow64\perfhost.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
Drops file in Program Files directory (64 IoCs)
description  ioc  Process
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javaws.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\rmid.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Internet Explorer\ielowutil.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Mozilla Firefox\maintenanceservice.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jmap.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\klist.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaw.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmid.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jcmd.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\orbd.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\pack200.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javap.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\klist.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\policytool.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdb.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javaw.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javacpl.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsimport.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javaws.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\schemagen.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\java.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\rmid.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\ktab.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javac.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\uninstall\helper.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jstack.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jinfo.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\rmic.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe  DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (4 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe
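The "Executes dropped EXE" list and the three "Drops file in ..." tables above can be cross-referenced to recover the infection chain: the sample opens service binaries such as C:\Windows\System32\alg.exe and DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe for modification, those two binaries then run (pids 2572 and 2776) and themselves open further executables under System32 and Program Files for modification. The Python below is an added example, not code from this report or from Triage. It parses a constructed subset of the entries above (every record in FILE_EVENTS and EXECUTED is copied from the tables) into a writer-to-target map, lists which executed binaries were written to and by whom, and which executed binaries went on to write other executables. The .exe filter in propagators() is an assumption of the example: msdtc.exe writing MSDTC.LOG and DtcInstall.log is ordinary service behaviour, not propagation.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# Constructed subset of the "Drops file in ..." tables above, one record per
# line in the report's own form: "File opened for modification <path> <process>".
FILE_EVENTS = r"""
File opened for modification C:\Windows\System32\alg.exe 2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification C:\Windows\system32\fxssvc.exe 2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification C:\Windows\system32\AgentService.exe alg.exe
File opened for modification C:\Windows\system32\SgrmBroker.exe alg.exe
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe alg.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\2cf07ac234f82a5.bin alg.exe
File opened for modification C:\Windows\system32\AppVClient.exe DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
"""

# Subset of the "pid Process" pairs from the "Executes dropped EXE" signature above.
EXECUTED = "2572 alg.exe 2776 DiagnosticsHub.StandardCollector.Service.exe 396 fxssvc.exe 3172 msdtc.exe 4448 AgentService.exe"

# The process name is the last whitespace-free token; everything before it is the
# path, which may itself contain spaces ("Program Files").
EVENT_RE = re.compile(r"^File opened for modification (?P<path>.+) (?P<proc>\S+)$")


def parse_file_events(text: str) -> List[Tuple[str, str]]:
    """Return (modifying process, target path) pairs; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["proc"], m["path"]))
    return events


def parse_executed(text: str) -> Dict[str, int]:
    """Turn 'pid name pid name ...' into {lower-case name: pid}."""
    tokens = text.split()
    return {name.lower(): int(pid) for pid, name in zip(tokens[0::2], tokens[1::2])}


def modification_map(events: Iterable[Tuple[str, str]]) -> Dict[str, set]:
    """Group target paths by the (lower-cased) process that opened them for modification."""
    by_proc: Dict[str, set] = defaultdict(set)
    for proc, path in events:
        by_proc[proc.lower()].add(path)
    return by_proc


def infection_chain(events, executed) -> Dict[str, List[str]]:
    """Map each executed binary that some process wrote to, to the processes that wrote it."""
    chain: Dict[str, set] = defaultdict(set)
    for proc, paths in modification_map(events).items():
        for path in paths:
            name = PureWindowsPath(path).name.lower()
            if name in executed:
                chain[name].add(proc)
    return {name: sorted(writers) for name, writers in chain.items()}


def propagators(events, executed) -> List[str]:
    """Executed binaries that in turn opened other .exe files for modification.

    Filtering on .exe is an assumption of this example: services such as msdtc.exe
    legitimately write their own log files and must not count as propagation.
    """
    return sorted(
        proc for proc, paths in modification_map(events).items()
        if proc in executed and any(p.lower().endswith(".exe") for p in paths)
    )


if __name__ == "__main__":
    ev = parse_file_events(FILE_EVENTS)
    ex = parse_executed(EXECUTED)
    for target, writers in sorted(infection_chain(ev, ex).items()):
        print(f"{target:50} pid {ex[target]:<5} written by {', '.join(writers)}")
    print("propagators:", propagators(ev, ex))
```

On a suspect host the paths in these tables are the input for an integrity check: an infected service executable keeps its original name and location, so compare each binary's Authenticode status (for example with PowerShell's Get-AuthenticodeSignature) or its hash against a known-good image rather than relying on the filename.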
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
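The SCSI IoCs above cover four distinct devices: one CdRom reporting Ven_QEMU&Prod_QEMU_DVD-ROM, two CdRom instances reporting Ven_Msft&Prod_Virtual_DVD-ROM, and one Disk reporting Ven_DADY&Prod_HARDDISK. A sandbox check of this kind parses the vendor and product fields out of the device-instance segment of the Enum\SCSI key and compares them against hypervisor strings. The Python below is an added example, not code from this report or from Triage: it extracts those fields from key paths copied from the table and says which devices a simple marker list would flag. VIRTUAL_HW_MARKERS is an assumption of the example, not a list the sample is known to use.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Substrings (compared upper-case) that commonly identify a virtual disk or
# optical drive. Illustrative assumption of this example, not taken from the
# sample or from Triage.
VIRTUAL_HW_MARKERS = ("QEMU", "VBOX", "VMWARE", "VIRTUAL")

# Device-instance segment of an Enum\SCSI key, e.g.
#   ...\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\...
SCSI_KEY_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^\\]*)\\(?P<inst>[^\\]+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ScsiDevice:
    device_class: str   # CdRom, Disk, ...
    vendor: str
    product: str
    instance: str       # instance ID; distinguishes two devices of the same model

    def looks_virtual(self) -> bool:
        haystack = f"{self.vendor} {self.product}".upper()
        return any(marker in haystack for marker in VIRTUAL_HW_MARKERS)


def parse_scsi_key(key_path: str) -> Optional[ScsiDevice]:
    """Extract the device identity from a registry key path; None if it is not an Enum\\SCSI key."""
    m = SCSI_KEY_RE.search(key_path)
    if m is None:
        return None
    return ScsiDevice(m["cls"], m["ven"], m["prod"], m["inst"])


def triage_scsi_keys(key_paths: Iterable[str]) -> Dict[ScsiDevice, bool]:
    """Map each distinct device seen in the key paths to whether it looks virtual."""
    verdicts: Dict[ScsiDevice, bool] = {}
    for path in key_paths:
        dev = parse_scsi_key(path)
        if dev is not None:
            verdicts[dev] = dev.looks_virtual()
    return verdicts


# Key paths copied from the "Checks SCSI registry key(s)" table above, plus one
# non-SCSI key (from the processor check below) to show it is ignored.
SAMPLE_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz",
]

if __name__ == "__main__":
    for dev, virtual in triage_scsi_keys(SAMPLE_KEYS).items():
        print(f"{dev.device_class:6} {dev.vendor:5} {dev.product:16} {dev.instance:22} virtual={virtual}")
```

Run over the paths from this report, the QEMU and Msft Virtual optical drives are flagged while the DADY disk is not, which is why a check that only inspects the first Disk entry would reach a different conclusion from one that walks every SCSI device.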
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"  SearchIndexer.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aee878b75e9eda01  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f882b4b75e9eda01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"  fxssvc.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b9fb3b85e9eda01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"  fxssvc.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c7a8db85e9eda01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"  SearchIndexer.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"  SearchIndexer.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ef183b85e9eda01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"  SearchIndexer.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"  SearchIndexer.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie  SearchFilterHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000184b7bb75e9eda01  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd1b0fb85e9eda01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft
Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ddb8fb85e9eda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
2776  DiagnosticsHub.StandardCollector.Service.exe
2776  DiagnosticsHub.StandardCollector.Service.exe
2776  DiagnosticsHub.StandardCollector.Service.exe
2776  DiagnosticsHub.StandardCollector.Service.exe
2776  DiagnosticsHub.StandardCollector.Service.exe
2776  DiagnosticsHub.StandardCollector.Service.exe
2776  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
656  Process not Found
656  Process not Found
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description                           pid   Process
Token: SeTakeOwnershipPrivilege       216   2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
Token: SeAuditPrivilege               396   fxssvc.exe
Token: SeRestorePrivilege             2264  TieringEngineService.exe
Token: SeManageVolumePrivilege        2264  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  4448  AgentService.exe
Token: SeBackupPrivilege              380   vssvc.exe
Token: SeRestorePrivilege             380   vssvc.exe
Token: SeAuditPrivilege               380   vssvc.exe
Token: SeBackupPrivilege              4860  wbengine.exe
Token: SeRestorePrivilege             4860  wbengine.exe
Token: SeSecurityPrivilege            4860  wbengine.exe
Token: 33                             4808  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege     4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe
Token: SeDebugPrivilege               2572  alg.exe
Token: SeDebugPrivilege               2572  alg.exe
Token: SeDebugPrivilege               2572  alg.exe
Token: SeDebugPrivilege               2776  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process            procid_target
PID 4808 wrote to memory of 4572  4808  SearchIndexer.exe  112
PID 4808 wrote to memory of 4572  4808  SearchIndexer.exe  112
PID 4808 wrote to memory of 1752  4808  SearchIndexer.exe  113
PID 4808 wrote to memory of 1752  4808  SearchIndexer.exe  113
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:216
-
Image: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
Image: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2448
-
Image: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:396
-
Image: C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
- Executes dropped EXE
PID:1240
-
Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1728
-
Image: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4728
-
Image: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3172
-
Image: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1928
-
Image: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1512
-
Image: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1080
-
Image: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1432
-
Image: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1708
-
Image: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4508
-
Image: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4200
-
Image: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4376
-
Image: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4212
-
Image: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4448
-
Image: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4908
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:380
-
Image: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:680
-
Image: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
-
  Image: C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4572
  -
  Image: C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  - Modifies data under HKEY_USERS
  PID:1752
-
Network
MITRE ATT&CK Enterprise v15
Downloads