Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 14:07
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
Resource: win7-20240508-en
General
Target: 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
Size: 1.8MB
MD5: 947b6a7a6af5ad950b6f47f0f5fcd39b
SHA1: 2e92c8d71992df5fb87fac5420de39cbccb7f5a8
SHA256: 36df2f7402059356f8a810e6bcfb542a89bc13692d38d4e728c944362c21945e
SHA512: 471c63858f9b69f3cd1e0e1c83e96ad71e91c41aa9f66d293bc53ce71d178997c8deb32378000400d7cde8ebe3bf13a8cb139ac8faa18a17ed72a05ce6dcc73a
SSDEEP: 49152:FE19+ApwXk1QE1RzsEQPaxHNZ/snji6attJM:m93wXmoKREnW6at
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
3688 | alg.exe
2580 | DiagnosticsHub.StandardCollector.Service.exe
1980 | fxssvc.exe
1820 | elevation_service.exe
3696 | elevation_service.exe
3924 | maintenanceservice.exe
3316 | msdtc.exe
4604 | OSE.EXE
3440 | PerceptionSimulationService.exe
4908 | perfhost.exe
3400 | locator.exe
4384 | SensorDataService.exe
4884 | snmptrap.exe
2512 | spectrum.exe
1272 | ssh-agent.exe
1268 | TieringEngineService.exe
460 | AgentService.exe
4452 | vds.exe
400 | vssvc.exe
1228 | wbengine.exe
4856 | WmiApSrv.exe
4496 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\cbe6f6f24a48edc7.bin | alg.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d449d35d1a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000852ec835d1a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb299e34d1a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003168e235d1a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac023d36d1a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc69c335d1a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001591ca35d1a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5205835d1a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4485f35d1a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
1852 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found
652 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1852 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
Token: SeAuditPrivilege 1980 fxssvc.exe
Token: SeRestorePrivilege 1268 TieringEngineService.exe
Token: SeManageVolumePrivilege 1268 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 460 AgentService.exe
Token: SeBackupPrivilege 400 vssvc.exe
Token: SeRestorePrivilege 400 vssvc.exe
Token: SeAuditPrivilege 400 vssvc.exe
Token: SeBackupPrivilege 1228 wbengine.exe
Token: SeRestorePrivilege 1228 wbengine.exe
Token: SeSecurityPrivilege 1228 wbengine.exe
Token: 33 4496 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4496 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4496 SearchIndexer.exe (24 identical entries)
Token: SeDebugPrivilege 1852 2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe (5 identical entries)
Token: SeDebugPrivilege 3688 alg.exe (3 identical entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4496 wrote to memory of 4376 4496 SearchIndexer.exe 113
PID 4496 wrote to memory of 4376 4496 SearchIndexer.exe 113
PID 4496 wrote to memory of 4540 4496 SearchIndexer.exe 114
PID 4496 wrote to memory of 4540 4496 SearchIndexer.exe 114
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe"
Tree depth: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3688
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Tree depth: 1
- Executes dropped EXE
PID:2580
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Tree depth: 1
PID:4700
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Tree depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Tree depth: 1
- Executes dropped EXE
PID:1820
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Tree depth: 1
- Executes dropped EXE
PID:3696
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Tree depth: 1
- Executes dropped EXE
PID:3924
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3316
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Tree depth: 1
- Executes dropped EXE
PID:4604
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Tree depth: 1
- Executes dropped EXE
PID:3440
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Tree depth: 1
- Executes dropped EXE
PID:4908
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Tree depth: 1
- Executes dropped EXE
PID:3400
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Tree depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4384
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Tree depth: 1
- Executes dropped EXE
PID:4884
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Tree depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2512
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Tree depth: 1
- Executes dropped EXE
PID:1272
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Tree depth: 1
PID:2836
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Tree depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1268
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Tree depth: 1
- Executes dropped EXE
PID:4452
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:400
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1228
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Tree depth: 1
- Executes dropped EXE
PID:4856
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Tree depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Tree depth: 2
- Modifies data under HKEY_USERS
PID:4376
-
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Tree depth: 2
- Modifies data under HKEY_USERS
PID:4540
-
Network
MITRE ATT&CK Enterprise v15
Downloads