Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2024, 13:37

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
Resource: win7-20240508-en

Note on the two resource lines: the file paths recorded in the signatures below (SgrmBroker.exe, PerceptionSimulationService.exe, OpenSSH\ssh-agent.exe, SensorDataService.exe) only exist on Windows 10, which matches the windows10-2004_x64 platform line above rather than the win7 resource listed for the behavioral task.
General
Target: 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
Size: 1.8MB
MD5: b30dd402f5b4a14d61f29f7277340976
SHA1: 144adadeabe87d836f01130441220bf7a6774566
SHA256: 5462b7b7023db46232d1f8f9b800f9bdf0028a4eedd4d89cb34f47cfedcec921
SHA512: 6d5e6df1def6583b0321a4a628ec89090d367d411e12ffa732e213fdae992d84da391a7917972124de2496a971b342f1d5bed05036dc328876b06b30df365c97
SSDEEP: 49152:cEy9+ApwXk1QE1RzsEQPaxHN27hfw34Gof3E8p4:O93wXmoKu7hYIL8
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
Nearly every process in this list is a Windows service or vendor helper binary whose on-disk image the sample, or alg.exe after it, opened for modification (see the "Drops file" sections below). The pattern is consistent with an executable infector: the rewritten service binaries run when their services start, and each of them in turn rewrites more executables.
pid | Process
2280 | alg.exe
8 | DiagnosticsHub.StandardCollector.Service.exe
1628 | fxssvc.exe
548 | elevation_service.exe
2908 | elevation_service.exe
1248 | maintenanceservice.exe
2272 | msdtc.exe
1352 | OSE.EXE
4016 | PerceptionSimulationService.exe
2692 | perfhost.exe
3024 | locator.exe
2144 | SensorDataService.exe
4924 | snmptrap.exe
1580 | spectrum.exe
392 | ssh-agent.exe
2720 | TieringEngineService.exe
2068 | AgentService.exe
1672 | vds.exe
3152 | vssvc.exe
4492 | wbengine.exe
4684 | WmiApSrv.exe
2400 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Despite the signature name, almost every entry is an existing executable opened for modification rather than a newly dropped file. The exceptions are MSDTC.LOG (written by msdtc.exe in the course of its normal startup) and C:\Windows\system32\config\systemprofile\AppData\Roaming\abc3cac4293b476c.bin, which alg.exe writes under the SYSTEM profile; that .bin is the one genuinely new artifact in this section and the most useful host indicator here.
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\abc3cac4293b476c.bin | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
Drops file in Program Files directory (64 IoCs)
Several signatures on this page stop at exactly 64 entries, so treat 64 as the display cap rather than the true count; the set of modified third-party executables (Java, Adobe Reader, Chrome, Firefox, 7-Zip, VLC, Office Click-to-Run) is almost certainly larger than what is listed.
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
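The three "Drops file" tables and the "Executes dropped EXE" list only make sense together: the sample rewrites alg.exe, alg.exe is started, and alg.exe then rewrites further binaries. The script below is an added example (not code from this report or from tria.ge) that parses the flattened rows the page renders, links each rewritten image name to a later process start, and reports which files the second-generation process touched. Its input is a constructed subset of this report's own rows; the "gen1"/"gen2" naming is the example's, not Triage's.

```python
"""Rebuild the file-modification chain from the flattened IoC tables of a
Triage report (added example; not part of the report or of tria.ge itself)."""
import ntpath
from collections import defaultdict

SAMPLE = "2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe"

# Constructed input: a subset of rows from the "Drops file in ..." tables of
# this report, joined into one line exactly as the page renders them.
FILE_IOCS = " ".join([
    rf"File opened for modification C:\Windows\System32\alg.exe {SAMPLE}",
    rf"File opened for modification C:\Windows\system32\dllhost.exe {SAMPLE}",
    r"File opened for modification C:\Windows\system32\dllhost.exe alg.exe",
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe",
    rf"File opened for modification C:\Windows\System32\snmptrap.exe {SAMPLE}",
    r"File opened for modification C:\Windows\system32\AgentService.exe alg.exe",
    rf"File opened for modification C:\Windows\system32\AgentService.exe {SAMPLE}",
    r"File opened for modification C:\Windows\System32\SensorDataService.exe alg.exe",
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\abc3cac4293b476c.bin alg.exe",
    rf"File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe {SAMPLE}",
    r"File opened for modification C:\Program Files\dotnet\dotnet.exe alg.exe",
    rf"File opened for modification C:\Windows\system32\spectrum.exe {SAMPLE}",
])

# Constructed input: part of the "Executes dropped EXE" row from this report.
EXECUTED = ("pid Process 2280 alg.exe 8 DiagnosticsHub.StandardCollector.Service.exe "
            "1628 fxssvc.exe 2144 SensorDataService.exe 4924 snmptrap.exe "
            "1580 spectrum.exe 2068 AgentService.exe")

DESC = "File opened for modification"


def parse_file_iocs(flat):
    """Return (path, process) pairs from a flattened 'description ioc Process' table.

    Paths may contain spaces ("Program Files (x86)"), process names never do,
    so the process is always the last whitespace-separated token of a row."""
    rows = []
    for chunk in flat.split(DESC)[1:]:
        path, proc = chunk.strip().rsplit(None, 1)
        rows.append((path, proc))
    return rows


def parse_executed(flat):
    """Return {pid: image name} from a flattened 'pid Process ...' row."""
    toks = flat.split()
    if toks[:2] != ["pid", "Process"]:
        raise ValueError("not an 'Executes dropped EXE' row")
    return {int(pid): name for pid, name in zip(toks[2::2], toks[3::2])}


def infection_chain(rows, executed, sample=SAMPLE):
    """Link modified files to later process starts.

    gen1: executables the sample rewrote whose image name was later started.
    gen2: files written by a gen1 process (the rewritten binary spreading further).
    double_touched: paths written by both the sample and a gen1 process."""
    by_writer = defaultdict(set)
    for path, proc in rows:
        by_writer[proc].add(path)
    started = {name.lower() for name in executed.values()}
    sample_names = {ntpath.basename(p).lower() for p in by_writer[sample]}
    gen1 = sorted(sample_names & started)
    gen2 = {proc: sorted(paths) for proc, paths in by_writer.items()
            if proc.lower() in gen1}
    sample_paths = {p.lower() for p in by_writer[sample]}
    gen2_paths = {p.lower() for paths in gen2.values() for p in paths}
    return {"gen1": gen1, "gen2": gen2,
            "double_touched": sorted(gen2_paths & sample_paths)}


if __name__ == "__main__":
    chain = infection_chain(parse_file_iocs(FILE_IOCS), parse_executed(EXECUTED))
    for key, value in chain.items():
        print(key, value)
```

On the full report the same logic shows alg.exe, fxssvc.exe, SensorDataService.exe and spectrum.exe as first-generation binaries, which is why later signatures in this report attribute registry reads to those service names rather than to the sample.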
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Caveat: both processes attributed here, spectrum.exe and SensorDataService.exe, are Windows service binaries that the sample opened for modification earlier in this run (see Drops file in System32 directory). The reads may therefore be the services' own device enumeration at startup rather than an anti-sandbox check by the injected code; corroborate against the added code before relying on this signature. The vendor/product strings exposed to whichever code is reading them are QEMU / QEMU_DVD-ROM, Msft / Virtual_DVD-ROM and DADY / HARDDISK.
All keys below sit under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted from the ioc column).
description | ioc | Process
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
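The SCSI and CentralProcessor reads above matter because of the strings they return, not the keys themselves: an anti-VM check compares the vendor/product part of the device ID (and values such as FriendlyName or ~MHz) against a list of hypervisor markers. The script below is an added example (not code from this report or from tria.ge) that parses flattened rows from both signatures, pulls out every class/vendor/product triple the reading processes would see, and flags the ones a typical marker list would match. The marker list and the row subset are constructed for the example; extend the list for your own environment.

```python
"""Extract the hardware strings a sample can see in sandbox-fingerprinting
registry reads (added example; not code from the report or from tria.ge)."""
import re
from collections import defaultdict

# Constructed input: rows from the "Checks SCSI registry key(s)" and
# "Checks processor information in registry" tables of this report,
# flattened as the page renders them.
REG_IOCS = " ".join([
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe",
    r"Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe",
])

# Substrings commonly matched by anti-VM code against SCSI vendor/product
# strings (assumed list for this example; extend it for your environment).
VM_MARKERS = ("qemu", "vmware", "vbox", "virtualbox", "virtual", "xen")

ROW = re.compile(r"(Key opened|Key value queried) (\S+) (\S+)")
# \Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>\<instance id>[\rest]
DEV = re.compile(r"\\Enum\\SCSI\\([^&\\]+)&Ven_([^&\\]+)&Prod_([^\\]+)\\([^\\]+)(.*)", re.I)
CPU = re.compile(r"\\CentralProcessor\\", re.I)


def vm_fingerprint(flat, markers=VM_MARKERS):
    """Summarise what the registry reads in a flattened IoC table reveal about the host."""
    devices = defaultdict(set)   # (class, vendor, product) -> processes reading it
    friendly = 0                 # FriendlyName queries hand the strings over directly
    cpu = []                     # (value or subkey, process) under CentralProcessor
    for _op, key, proc in ROW.findall(flat):
        m = DEV.search(key)
        if m:
            cls, ven, prod, _inst, rest = m.groups()
            devices[(cls, ven, prod)].add(proc)
            if rest.lower().endswith(r"\friendlyname"):
                friendly += 1
        elif CPU.search(key):
            cpu.append((key.rsplit("\\", 1)[1], proc))
    flagged = sorted(f"{ven} {prod}" for _cls, ven, prod in devices
                     if any(mk in f"{ven} {prod}".lower() for mk in markers))
    return {
        "devices": {k: sorted(v) for k, v in devices.items()},
        "flagged": flagged,
        "friendly_name_queries": friendly,
        "cpu_checks": cpu,
        "looks_virtual": bool(flagged),
    }


if __name__ == "__main__":
    for key, value in vm_fingerprint(REG_IOCS).items():
        print(key, value)
```

Run against this report the QEMU DVD-ROM and the Msft Virtual DVD-ROM both match, so any code comparing device strings would conclude it is running under a hypervisor; the DADY HARDDISK string matches nothing in the default list, which is exactly the sort of neutral disk identity a sandbox presents to defeat the check.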
Modifies data under HKEY_USERS (64 IoCs)
Caveat: the writers here are SearchProtocolHost.exe, SearchFilterHost.exe and fxssvc.exe. HKEY_USERS\.DEFAULT is the profile hive used by the SYSTEM account, and MuiCache, Shell Extensions\Cached, FileExts and DirectShow device-enumeration entries are what the Windows Search indexer and the Fax service populate when they run for the first time as SYSTEM. Nothing in this list looks like persistence for the sample; it is a side effect of the rewritten SearchIndexer.exe and fxssvc.exe services starting up.
All keys below sit under \REGISTRY\USER\.DEFAULT\ (prefix omitted from the ioc column).
description | ioc | Process
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0d5fab93aa5da01 | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f12309ba3aa5da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | Software | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000384270bc3aa5da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdfa5eba3aa5da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9650fbb3aa5da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000617036ba3aa5da01 | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cae7d2bb3aa5da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf335aba3aa5da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | Software\Microsoft\Multimedia | SearchFilterHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
604 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe (all 35 entries list this same pid and process)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found (2 entries)
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 604 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
Token: SeAuditPrivilege 1628 fxssvc.exe
Token: SeRestorePrivilege 2720 TieringEngineService.exe
Token: SeManageVolumePrivilege 2720 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2068 AgentService.exe
Token: SeBackupPrivilege 3152 vssvc.exe
Token: SeRestorePrivilege 3152 vssvc.exe
Token: SeAuditPrivilege 3152 vssvc.exe
Token: SeBackupPrivilege 4492 wbengine.exe
Token: SeRestorePrivilege 4492 wbengine.exe
Token: SeSecurityPrivilege 4492 wbengine.exe
Token: 33 2400 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2400 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2400 SearchIndexer.exe (repeated; 24 of the 45 entries)
Token: SeDebugPrivilege 604 2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe (5 entries)
Token: SeDebugPrivilege 2280 alg.exe (3 entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2400 wrote to memory of 2524 2400 SearchIndexer.exe 112
PID 2400 wrote to memory of 2524 2400 SearchIndexer.exe 112
PID 2400 wrote to memory of 3900 2400 SearchIndexer.exe 113
PID 2400 wrote to memory of 3900 2400 SearchIndexer.exe 113
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 604
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2280
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 8
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 412
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1628
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 548
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 2908
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 1248
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 2272
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 1352
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 4016
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2692
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 3024
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2144
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 4924
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1580
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 392
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 1868
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 2720
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2068
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 1672
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3152
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4492
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 4684
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2400
    Child processes of PID 2400:
    -
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 2524
    -
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 3900
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.1MB
MD5: 8c46d05bc7ffdcdaa0fab1a2de8e87ba
SHA1: 6a6adbc6bd2dd159a75cc0836ac29a4b761c649e
SHA256: 7f98fd93e2aef36499cd524f04eb185021daac78b82ee2a52e175aaddb90bfc1
SHA512: 50a9a21fb7f41c9eddd15467516c7c6fe5c8fc778aa6246c734e675e25e2bf7c2cee46658dd9ee39c88c6ab9c0718f8158fef71bc251aafb4df20c7bdd40eca2
-
Filesize: 797KB
MD5: 174afbfdb8406d6b6ca46c02806949c9
SHA1: 9c3f998250dfc039825435ca645a89df75782eb1
SHA256: f9efc694f37af59dcdd0c9934897075626d5fbac12718580cd408ebd6e5dc4da
SHA512: f08f044c5e6b450ec6c54255336388025718b683c4b7cbdefbc5d14a028f87672a605385c62770d9af2539b7f602e97d084841e44a5c00ab00e0acae0470aa19
-
Filesize: 1.1MB
MD5: c15caa6f3276edeba172ede3a3ce3b94
SHA1: 25424ad7f1005937aa00f88b754ce1343bd2c0ac
SHA256: 3b6a80571aaf71a296c99fc23568cc48b74c883bee50d90960ea7870d0354787
SHA512: a2a8762aa23866308ca75303f555260c6d2e4f9bb1161f2c68b5b361751ca5142c755c3685b50eb8b2263dd19967c3ffaee881e998b744348e8ed547df0b4867
-
Filesize: 1.5MB
MD5: 07dade3a179c168c845eb1ed6d13c172
SHA1: f2cf4e619a3b38c1c46b1858becf2ce52efd0bda
SHA256: dd741bd73a7e1ff52bfd58dd301e101a64910e017f800264afaa78620c8b79d6
SHA512: 637f564b7ffc3c2d5dce4c8745503b086c5e9b50c15691e7c7510256b6f821ac3b31857148b73cace7588141e897c0f38750ffc206fc691ebfbf14f1aa3ce360
-
Filesize: 1.2MB
MD5: ef582e6451ebea66b2edc32cbab71a43
SHA1: 14b90374a0fb78d8ad3c8d77554c75711ac1def0
SHA256: 42c8ec4a59e917ad2ead35f5c0c39af59aee5acc5d7512ca83d72df0dc83767b
SHA512: bde80ecb1bda64ea448dc5da11a4e556cf80e29ac09765617f9b723277c90c5396521c3b854d9629400b1f696acbb96f84b646b741d1f737e6dc90c6496400e1
-
Filesize: 582KB
MD5: dac266c58b6db574b4b62a0629b9bac7
SHA1: c83951e789b5d5f97463080d0e146a802e8927fe
SHA256: 4c06eae86c6eaa640ab950c500ae6a907ec8b3cbb68fc60d38eb40d81f6e0b75
SHA512: dab2c16ab62e5061795cd916843e6906ce34d7f8e2035217f1acc1ba0486dc6cbbb68d8376e055ac292b916a3510f0496d0049ea46d6b2605d1fcedcbefb30c9
-
Filesize: 840KB
MD5: 7888e31b53d16e8fc1540588bbc7c83f
SHA1: 9265f51a97e5720621e5e200c4a752dc6bd8a211
SHA256: 8215ae091b8d82587a1216f438455f65ede0db53d7810d72b9cc98ad600be503
SHA512: 52b7588c5eacfa8c055ffc4311b7e29ecdd6ca3684294d93cd2ff3157dc600810ff562f0b37632e101d4db0a557b7ef6c455d0b2b716a0b19053e154970c4b97
-
Filesize: 4.6MB
MD5: 11d1ee076c8310e8ca8d5ff963817a99
SHA1: 8abafa3bb453e97f2f48e1fcd8855723cba5056b
SHA256: 56df1a5998d5f4c287856c8a0bbeb53823163798b4e3675dfb07758b038ee9a6
SHA512: 57bd5e622d8ec498e881c970191d7b1fd00e9eeb47075f806c2e9bd9e382e8b546d079c9dd9258d680ff0640475918aaba7f93a72470c7732a7761ff1886fc4d
-
Filesize: 910KB
MD5: f505205a31019e9568fc4e03c56e937b
SHA1: 73c825ea85a4a7b1f179ac53c15882965aecf76d
SHA256: 6f3f6017e2d1fd9587a6e7d7d731d33c2ddfd0082c97c6abac7ecc9f188bc2de
SHA512: 8e3a9d433914a6023c88510dd744671b444606ee23e86a37fcb412ef8f456e5c1f42bc604ab4ab3b75e4bc15167cc56c0581fe4bf5f2a0113a866068b95bf37b
-
Filesize: 24.0MB
MD5: 03c5aba79a9c5eeb975da126944a6e35
SHA1: 450cc5f03433eb51499a536a1644439979ff52a7
SHA256: 93a595cdc73195c1a524d6e7786d43d8d3bae70245418ef9c5379b3a552b5a27
SHA512: 1f5a8321c54b4465c3e1d963d67a02b528a0958aa9a2fc6c64e3136f143a651df5bb3ad4a6300445aba9c5b0f30572b3ac870e23272d6d3c0259043c115182c1
-
Filesize: 2.7MB
MD5: 5253578bfc8c8ac4994805c7f2c8988d
SHA1: ef0f60a78b03d01968bc701bcfdbb6045d35486e
SHA256: fa28aaf44136f1527d5dd78b54fc5078f83f45e672087e3f63c178647fb16112
SHA512: 14b823eafd224b2475a1fc54601726837380c74e749a35e2f1b16d82c2def2c91326100492ab9eb0e97d6fad3346ea0bb1612c924369d0a7f42feab97e5905de
-
Filesize: 1.1MB
MD5: 9b425d007e50f8fb2f393dc68088181c
SHA1: 49df4f363d2d611cc5d03539d3bc8a5f3eac1f23
SHA256: 8dba720ce0269ca3e7e330c54f5319e52fddbd2c9ab8185d9a712f62cee19ec8
SHA512: 43c3cd65d475d01596458de060d213ab5654dc52ca63b8564076225ac6c368b2553ef9fd394c32471e1e3f979d2b5000023d502967a20fbe5f3ca5720f44bcf8
-
Filesize: 805KB
MD5: 6cb98fd8c508f5fbf90602e02f16bd3b
SHA1: 8b132a76ee74e2d584523c963a838efa796ecf6a
SHA256: 9145d3f27159806a38e9d7bec1666a238026c558fd67b5335a46bff3e670b68b
SHA512: 8e91552468711beaa6575364147ef7dda55a06f9fb9fe2967114d649b9f7f7915858b4aa2293e0997cd6a47ed0693e20bfeba9f13c63d6b2d83193adef3ed19a
-
Filesize: 656KB
MD5: 734d5f77624e508282eda7a03f90be1d
SHA1: c420612669acecc0623d60187bacacd9efc16264
SHA256: c59a99c461ba39ec711d505bbf57173ef2a2f9231ec3ba066ed2bcaa89ccddde
SHA512: 4dfe5ea0bd9291e411904958188c04178ed9bca4109e6752f45c42564a7e560bb099de2ea70b2b15331babd31c1997f1b297f92df369bb94c173cbfbb21803e0
-
Filesize: 5.4MB
MD5: cfa995414ff2f7bfd6e45f05f9a95839
SHA1: fa39d72ad4db80dab6661049b0ee94d6193c6523
SHA256: 3e261c2fddfde53a83386920b1f065573e1490ac50d5c982d54ac5379f55cdba
SHA512: ec15972d9ebcca2f976fedfa14cb5f3db477a6da7489c365618879991847682234c4a3044911eb87efe89318331c94badf6e918862b19eaa2567b0b39670534b
-
Filesize: 5.4MB
MD5: ece18360bb30137cbb2542c6ce516560
SHA1: 3d7af96dda3cfeba3de920451b875415e08b6ecd
SHA256: 13a8fcb950f263ecfa9ca27dde6ab014cf5cd3dcc77f05456ba7ad72303445a4
SHA512: e5b73db6a499415380fa242d61f38df3705f09850e7d1ac7ae65394d68b42cbf9b144947db2560a19a07ce0b530eae868601b9819df748c50e485fcbe9c88300
-
Filesize: 2.0MB
MD5: 3d878d6e84fc4c4fc9fb08193f74cc5b
SHA1: 24e8fdf11927c9f2cce03ff3cdbde2065a628bee
SHA256: aacee0e00d7d5acac6a9a034cad90ebf585f1bd040f76ffa808318aeaf44dc81
SHA512: 1b020e8967f55622733d12b46a262326efc4175ef95a583f298230c1bb1d0ef35d56bd2c352e07fe0b3b5d57589a43c61d5237f9a8b5119a4a97ee39d7fa44b1
-
Filesize: 2.2MB
MD5: 63b6efa69ffa377f0dc8b10b89ee395e
SHA1: edd1142278c3b502b43bd7451d9489e4c5ac6572
SHA256: 2f52da30c8e175e8feedbb0b2ca0ab9debd81354bc37e4dff73849d0f08fea6f
SHA512: be7e194975fd6eb8058ceef769498542b2c556e6bb4863dc0d4b879bc2a3fddb41f99ce59e04cb41d794285a410932ad25454570e75e125eeb678938e80e1e5e
-
Filesize: 1.8MB
MD5: ffa2ac9afd7e930a68ee0ea0c39665bc
SHA1: 28d51b5077bc7530d585cda0ee9d7df6eb9e43cb
SHA256: 8a69cc51b8987e4870028311e76a0e6307e2eb952228ba668389885c4b1c7e84
SHA512: 472c3c88a32495458160f2fd9ac71ccf5e686ab965073b21b4576053c166e8353a13cb4d8c502dfc000a728e24a5fc82ba0787c502ff1fd3271a54fbf9d4fa5e
-
Filesize: 1.7MB
MD5: 4177f0abd318e5480ee92bd874a63af4
SHA1: b3c5284a273265e227dcff8ff1b8d81d3972af6a
SHA256: fb7b2e2f0f665264833ff984f49b2d976a58b78b21e36608bb23a7b0a27dafd0
SHA512: 006f7a423c14a9ca3c97caaaa5fe4c370900b57258018aaa330faee78a44312a9a34371b8671799d4aa33f8274471e94f501748edd7e826e6fa5f5751dab9fe6
-
Filesize: 581KB
MD5: c9d9f2e04324bc6f55d7ec4969b2ab1d
SHA1: 89a2e5bdba713189d2b7067408cc611c48b4c2f9
SHA256: 69eef66437587a6fac3c5764b1dfa1eead5e8bf5ebd03230679c17a0dafc034e
SHA512: 8443c4f92f75c34dffe18a1831cfebaec2bba1b554878b2639ed4f5d093d43948b86dd4db6c883f0c0245cd6fb584ea05609f4c379e2e5563e9ad287d610adb0
-
Filesize: 581KB
MD5: 61780ed94398db7eb128d02d687351a8
SHA1: 55f2634140d760f3aecd6c51a418d4c3532e4535
SHA256: 516f8e9f2754afa2cc4566ec77eb8f0970d88a788c855473680094cd48495813
SHA512: 580f96f6512a7267d16a8c7693e429b30d9e6ac30c5fa71f5e500cdb1937e431fbdc60cd0a41ccebd04204f5e789b9a533f363f28e8288827b538aef86546aac
-
Filesize: 581KB
MD5: c67cff4079337304a39b21ea57e3c0bf
SHA1: 4ba612f2c3fa2641a7040e7630ab752073451f18
SHA256: e3e510e7711a4f3b94914c326523c82f13a5e4ad5b4f97765b9972c89acc9b9c
SHA512: b9d2862e767f40085d10487214fc8b0484005551c5a07bd52cd0ed1f2c4f13c8226b88ff3e056a2d2416cf07b0b43bc53ae3ae35ed88debbfeb3eeb97be28d48
-
Filesize: 601KB
MD5: f850bf6007a0746f0b546d927dd9a8ff
SHA1: 02aa96f9a8d5f29318d949d78676bf598117eee7
SHA256: 42313918b9f1abdc4d79b543d5f73d93470769d3ae46add24a9f08ec3ff66f67
SHA512: b67e7ad4cb953c2d8a13ad3829acf2d40cc9ae6e96d733b13f098725bc4121f162f9237604424fd685fd618f250369f4031dcdd328466252f6a472db5b1afb0e
-
Filesize: 581KB
MD5: 2989a617b7277970056d500e0c97fbfc
SHA1: 5bc53f9c58aa4c9c8704aafb81b35f309fe52f1a
SHA256: cc0dc30056a562734307aae78bb0608c745109f915bc5ab789220ed22408d048
SHA512: 038ee089428e6dcebd97ebb0f4815b939fb3ed731f4842bbda1a877717f601e87b42fa87b2b9b7f70e5ebe79bb8a364b64e90b7115060b1f1968a1019c0d177a
-
Filesize: 581KB
MD5: 53b2251e733854d681049387073d205d
SHA1: be95926aa704b382bd5dfdd88b597a8222325571
SHA256: cc0af7b7f83218c9e7e093652a55a47a7b2111d4f3bec32b2c4a4dc4b1f638b8
SHA512: 65ec56b4cabdf9e2f0d6b296f080cee94bf6dfb385b023194c05b341b86034f39646c18c7d4ae062ff959f869970267b59a38d87083522c889a18b84cc6a3b62
-
Filesize: 581KB
MD5: 0a8fe60903b424a06cef27986b7bc398
SHA1: ff23a4b01ca1d9d86a3ee618c940b6583f40a5a1
SHA256: 605b4a7d448a532e5ba202ff3c1152101badc3829f38d1b52ae9f1eacd87de58
SHA512: 76a013f4d538ade245655a48c43ae2092222d327420eb955d1748bdef7479a118ca356ff1aaefa8b9d6a57432ade378723d80c69e12f8533203a951819a863a5
-
Filesize: 841KB
MD5: 43fef8ce16e3fd4d9bec8c645b4f42d3
SHA1: 688927d684d06721ae593e75a7c134d3b409b370
SHA256: a262d3be34f329c0a016a4f98aa8be75aab7983b6f0ccdb5aae385cebe865fae
SHA512: e33b2fdd75cdba1c26e46ab0e921e25e6b463b5ef8d7de8ee5bef0ce3f29c2a4f5f896604460071e7f5f537cdca0b20a9a5c276217bacb42aaaa96d2cd755b76
-
Filesize: 581KB
MD5: 28c5b1fe7dae0eead7b1cdba91c446dc
SHA1: 04e4ba66e7115e5ec13d761c8649da8554b71d04
SHA256: b15f57e33156df16df6e358969fd15c904b0cfa397632d3a19187348294b5fc9
SHA512: d924c6512721d8346941747afdb5058e6ca42e4ad61f3b7e48c5872a3dd8e4e7a365edb9f050b54cdcd24b5fe9e7f63e0f2ce9cd977ae21c8c6420e15a868e62
-
Filesize: 581KB
MD5: c41e76b5d358a5d6a2bc25c7af2053a9
SHA1: 66d6fef037f0cd72d44640666ee4ff556ed1cb8b
SHA256: 7c1774ac7e920f4dcf742824a412a7775c2a267f9b2e62c892d87149568fa768
SHA512: b23c28c429f8b100a05c4369808bf4eab607f13f849b4b63e27eee9ea2a0bc19d360ba747979b3f8e0301be7ac3f99167316eea8dacbba20b9423c5f1a150f6e
-
Filesize: 717KB
MD5: d00f346403f41d1898f6ae6bcc486e27
SHA1: 1cf2d5bcd32d9cdd9dd6f306b354196b6ff50797
SHA256: 6f325ffe6c0782e131f214550fe1602e1e4b60ac46fc221d7bd9725473393079
SHA512: 474e28a91730c58dffcb368fa7dcedc95a7bf7e380912391ddcbd0e7b769efb29bfa8b1a108e337053c596c7898ac75f73a05732b1b3014bd85cf2ef93463be1
-
Filesize: 581KB
MD5: aec91ab0085d1165e24468eb7a26fdbb
SHA1: 148190a5d1ecd0309c7830f03173e20cac55f826
SHA256: 151b5cfbac029ff7ff734ccb378c60b75ac72c15ab6f96d51504eb18ae3f6938
SHA512: d353d956279bfd79d670f40839bcb922098cd286df01743cde14554bd6f5ff0ba7c99bd52c3a1b2718ea8000a417fc80a278ed49b578188c31d6815bd5253e05
-
Filesize: 581KB
MD5: 1759b638496ab73f35e26f79b1333056
SHA1: bab4a78d88f32d0465cf6d122fbfb08a8fd081a4
SHA256: d05dc3a09f8890be4ff5d65808bc554505a454ce97e76a0cf6c497e7170416f8
SHA512: 2990e88d57eb90d715ee2905587cb60d91e1162ea6e4bc23d9ca28f312bb53d4327676528201a2bf2b50174725b6b378b3ca1373f31108a135fbec8ed020d5df
-
Filesize: 717KB
MD5: eb6ac98f22c21ef03faa62c1464cbf04
SHA1: 9433d7af17fa6960a1eff0a746490f2f4aa64570
SHA256: d1bbcf7c6e6a5e810bb4deb6aa63f23b4d2d1d5ba03d1baab821c39c95dd1255
SHA512: 79a7c201008bfcba3b12f5b43a04b5458a6640c2672b963b90d56c9aa84195b7ec9fbcca1c2a06b219651237188f4576a7f4ef8cf6ab9e0c509149aeb0fcf2a7
-
Filesize: 841KB
MD5: 24f52a2667ef837d9ca682645b9efee3
SHA1: d2f022831414070f5d7a61243ff4ce9abd7ba56c
SHA256: 5b2f0f59d9c4b13cdc978a8e3b15aedae6502bded60f7af571e91d5ed014ed1d
SHA512: 7521002572695fc21151753f22a591cd3d30f6ce807c2e8f3267aeaef893375adf716d3ff25f306a7c2b7520697aa3f39d1edc426a058ac21c276f00e83d6387
-
Filesize: 1020KB
MD5: daab1a682b6bcb38d4759deb8972c639
SHA1: 8b12182709d919e4078abf50c3261d71a11f0cfb
SHA256: 53c03ae888dcd91904f1749be206ae2316e74f49cae2280e0a4dfc9ef19b1da4
SHA512: ee3b484e87a241eb977628b0a8e094c69c91b556f08924e77cc2a802a65790c4646062023c0eff98f16c86041851a1a609264b7e333fb1ad1fa40aaa122b9589
-
Filesize: 1.5MB
MD5: 3320ee682deeab3ac2db961217c1f1de
SHA1: 89db7e06d1be163ae840acbadccea302e42cac23
SHA256: d817298e55a63d56630adecae5e0c9f61c15f6a94269d519d846e542a3d3b330
SHA512: 59e82b82693ce695445b9acafa1629ba6733f97362974880cee0992d51e91ecb5036d5028136ca3563f735cb0d86fa6d465264f4f984fb81c8280fee4ce2ae68
-
Filesize: 701KB
MD5: 9e134fee7ffb45b8f6f8238fa933c709
SHA1: 72f9256bdc01bf8e8e75cfe26232d41e770066c1
SHA256: 08ac57fb7a91682f500f8f0b0481a35f5393c50c81412a76d3d2f40f6c1d0957
SHA512: 4a910b43a2d3cedf8e45d6e3b7b6e7a30549d79aa3d45a25abf0f253a8e7169d674ba0dea725c806cef13bc49b9b80c85c4ff278162084f91e10913ab0955104
-
Filesize: 588KB
MD5: 82b52cb540a890e52681cf2319ca67a6
SHA1: 48fe7b598c81e1d0e9ea4add2541838963d36459
SHA256: 85609f731595999c738594d91f20fbbe52787ca94163dc3b39a96e1dd2649f06
SHA512: d9827332be8b558a7dc7b3cb96d5a5d2ed5dcc87c204613b911e32da4a56e689720d3cd96da036e930b28849c8dce3b40854d4c5643226a4278f3b449e2fab47
-
Filesize: 1.7MB
MD5: c29ab48b7396620c8a6bec5b5568ac7b
SHA1: bfea871458f2609cf7bc2317f6d769965aa8f682
SHA256: d0120537263fb285d6729a156978cec56ec147cf309b074e3f5c2171c5e3853c
SHA512: 0525736b71a200e3e9949d8a1c7c40845a42d28e999023e2d8ec49b133fdd8d51f4aa9b231940c0cdb82e1fd104a2b990dc39e52a7491ac0e4af982c83d14961
-
Filesize: 659KB
MD5: d7480c5c6f0330b312b9287507b5dc72
SHA1: 95ebd6dd3880bf41434447c5e390dc4e7b851087
SHA256: 76724a75ede8f2e388d5086f64ded010e6d72d4bf9cf3e1721d7b40fd8f33944
SHA512: 0ff8a53c697fe6991fc1839cdaced61b1752fab5cb9a0374f695e766e65efd65303919b39b2ec04aa644b53ae7e9ffb1ba3e0139b4d3f24d21d0347898ed8291
-
Filesize: 1.2MB
MD5: 16b2e2d6f2441dd36310d26e0e493020
SHA1: 1218750532ec145f53f5c9438fd67298914993f8
SHA256: 9038fa1ec6086b508c18c198ecdfc36cf36e4e92bd80858a72c29b2bf12b820a
SHA512: 4209994e239176fb4f8665a2acb30ab8ec7c27ad6e22799a5f27ace2b0b32de399cbb13c4b2058fd5b26bde8257ac8aa0f6a5276678befe72659ab4aa93eb077
-
Filesize: 578KB
MD5: ce300e71089700814d81775fcbafedb8
SHA1: 7d620cf8ea051f174a7afe18529eb35c2263982a
SHA256: 2588d28343fea84e3cb28889015aef9101a002dcff34d9815f190230f31eaf74
SHA512: c5da6514687c17700f851f2bedc3bf0db13b134c34caf76af2da7b199dd360050d35ede06b26f66fd559707f9b32677f719c0d7b1996c9690d93f99ecdd5b4da
-
Filesize: 940KB
MD5: 23e83a756ad18d2cb8bc6975dd0969d0
SHA1: 0049d09aca0cf69a5353af7922071db006f80020
SHA256: 0f0427c44da1d7406eff331e9242cc58b9a232d9a53b5e7e1722f88236791d64
SHA512: 41a83136fa8d406a9e273ab6b54a3ebc1c5df3787050b717eacfa121b69eef5590382a21d404f2c78a0cdd4b30305b8a4f96ace38ed74cca531ce6e8a2ae77a4
-
Filesize: 671KB
MD5: db088f0945c9e10c215810fd0057f8e0
SHA1: 901a099ab086b463c814797a2b87708c976296af
SHA256: eb1e3c0c7b7396efe6b158bbb67055a86f2e1fad62b9c5e85ee89c2e039c53d4
SHA512: e697fb7545178af7d8964a17ead1d5ff45c659ff85248d1df309cfc80e6992ff930b57d6e6329ffa3c155641502acce59b382ff4c360052a260bf60710f966c3
-
Filesize: 1.4MB
MD5: 479f8660c22cd94368874c52908a5224
SHA1: d96d337f699a85ad3e6d458d69263b6c49c968e6
SHA256: 2875e67d3fb4c4e3891688e9b1e945b16ba79856dc3199413529ec0f7acae698
SHA512: b1d272a8dd46a82a9d43ad3621fcbc8c104881cb1547a771394bf4f404fe2d9c762d0dbccb2ae370e3451afe1510e79001299f4a0dc7369ed59dc84f81dad38c
-
Filesize: 1.8MB
MD5: a9ed75d8394843b255af910a0bf6a915
SHA1: 17098ad9db183ef0ec94e26ae8e9846bb56966ac
SHA256: f06fb8ef0d488fc56351c18b99085ac6d15877817f5a8f58c64304428597e017
SHA512: 793b8dfaafa0ba7d6ae583c7fd4b4cf3eae44f777b123c491295c5f592b59bd70d20b50e4c77012301638e9e2eb0b3bfe27769e59d77c96865d07776190ed139
-
Filesize: 1.4MB
MD5: 9542ef4021894620fadaa61a7f07abf1
SHA1: ea96fb676bc245e9eba5996ed96689cfbd0d2af7
SHA256: 43e5e1239d23531afddd5b433cdc8461532160f6d63020de4e0bf4c3f575ccea
SHA512: 5321db2820d7e076767398d7a9a978d067b1453d7f9848456a720ac243ebfa02012fd23ac932f26e9dcafd47358aa03a0cf433149fb0bdb7c41fc6f730cbb0eb
-
Filesize: 885KB
MD5: 6d9e1c842c85cd41e03261795447d16c
SHA1: fedf452f656484f0b20c582a88857a96be55a93d
SHA256: 19bec3b86e248bbfdf2fdb92f0b4070f2968acc04ee515ab66d27557f29435e0
SHA512: 46f915d1e9f071330fabae9a4775adfc697ef70cfba8268b9f1ec7eeea8e2515599dc9fb724ac452a6eb33d18716354f3ad27db923491d9a1c9286b429c64b54
-
Filesize: 2.0MB
MD5: 6e7e5556a33adeb6eec2f6f26a27e503
SHA1: db70782fbe2e0ea014a3bedeb96386387f6af78f
SHA256: 84bdcf326f896c64dd29eab3716f1a8c2808a6d4a87849c2a796444729146afa
SHA512: 368ee0e89ab4875967e78b1796a258470cf810e319a214d3f75de36215b229f33b3c7e4be63871c09ae3f1e0f576f132dbdf35495f5a30b9b5bcfdaf398fff7a
-
Filesize: 661KB
MD5: 123f19a47c604c15dcbe462e7f3ef4aa
SHA1: de8008f43737bc8548d6f49fb58318b58d5f3aad
SHA256: 7b9a3ff1950ef10f39c1373145a29a532c94cf3970c99d6c63a3eba67bfcae18
SHA512: 71104908d84a5688a6bfeb8fdeb9f86a1d361e3d19ee9fa72ad2afe927dce90eec840016e1d7c01f511213076070f791f98df2f372bccc0361b093ca80ae50c9
-
Filesize: 712KB
MD5: 88f6a2d4a402d74d24fa9069447e527f
SHA1: 676a97c9fd92156537ef1c5e0b6ad3fdffaf2033
SHA256: 75c3498e8412f80b3405984d92055203e03d0d6c71b791b7c6071405c81a5e69
SHA512: ea29b2f7d550d04b045cfc3b740f914c45e5529c25af361c380725839ce9a8cb1381949d37a6d28d233db820d88bf8e2eaa0c870a5ea8810de14d94dc45932bd
-
Filesize: 584KB
MD5: 3ea23a3ca2b45e20d456c4bab6a729d1
SHA1: 6a8aadebc0baeab834ac3597f5b45306152f351a
SHA256: 8d72ceb40d63f3032ef4cdba29f245fdca22d3675edfaba0093ec08f7054d3e0
SHA512: 5b97d886ab152f2ec850cfc03fe0dbf3a2f4e0e121a6b54c53584399a8e317e49b7714f837010cf9f8025adcec0677abd938efc656960b52a2bdb6c0ac0acda0
-
Filesize: 1.3MB
MD5: e7b7168b501d7a545d0498fa5e0592b8
SHA1: 29af10a8d7d5b7d8b75f2f12ece31c6589bb97dc
SHA256: 8e6d351346ebf8419eea304239b04e8c04bba164dc4f8a0018ea3aa84f8cb2d7
SHA512: 75065f239aa93911744f3037c37a7a5b1c80576b54e6b4597f837cbeef6c99922414e2729efcc0dc4072e573e96d0736042c7fd04042b7796bf59ff7be9e6b0b
-
Filesize: 772KB
MD5: fe7eb64b9e9e9d3997113a1f9458b4b1
SHA1: 20803a7d213e1de64799677a2153a87358fa0cb7
SHA256: fed13798d0d8211bc0008011c60bf172d2ab44a6bd78c81a00b56efd5c144408
SHA512: 4caa8c39e699beedc30143532ae7bedad79258d3eaaacae29f0b7a9fddad99a5ec171c2ac842652649e398281ea297fcb8b3f9065561b6417ba656c516efb63a
-
Filesize: 2.1MB
MD5: 6549051d7f33a32678ced699fe98f4c1
SHA1: 1d00e728ee2693d56d6861655885bb61b68f54ea
SHA256: 361b89c42c5e5e1e02a20daed3f559e990c61267d913dcb192296c835041de77
SHA512: 92c43d1043b17ea75f3ef761f16373a0546d19398bb4a9f01cedef0d1d6d8e233e397c2eb66b9b782a0f0f5c6b2744ea166c8082d3a3adfa35b1d7b5c13c79cf
-
Filesize: 1.3MB
MD5: e3952a56823eecd28d492528803002b4
SHA1: 03af7b71e16e258e81b698b076f9cfaae124bcb5
SHA256: 838ef3b05efccedfc0ea4a502a187105e9a989bed34386caa22d30f628a50232
SHA512: 2b591d738f733d821e6b17af0a05b588ca605b15514ca77dd3e0885dbb56b32052c58dbffe44b651835fdd5191657a6d1d51fa96a1999689ff8330d41e104ae6
-
Filesize: 877KB
MD5: 380127753e799c9f1b02765381ffb5f6
SHA1: 33d0cebd23691132da0f91346ffb9d2a9d10ddd4
SHA256: f239272cba75843799eae3536a4670f604c87989e950afb4c3d8db14ff3d79e5
SHA512: 44cf24001f91e6fc181f3fe2d0a184b5d9706340e4d4c52a157432b8b25ac7884abc4c2f0544407b20046a34ae4b0a6c9ca1fd3c70e19be4a85a7c30f3b33151
-
Filesize: 635KB
MD5: db30f9e7e91d3e6d435bb636c0aaee55
SHA1: 7bd19deb3f505d6dd78b653b0250b796fc0d9c9c
SHA256: dde5aaa864ad0434b486bae0b786adb4c170484b27a67e56d2193e0490baa5d9
SHA512: 05f56c2eac080ccb00fa91f92188c86fa405deafe285b4337dfde29428982c0b6ce88c889df89d3d468a0a966a6850b7bfc5c11e15db27b83e5de682011bed2c