Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/05/2024, 11:59
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
Resource: win7-20240508-en
General
Target: 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
Size: 1.8MB
MD5: 97883ab52cc099de79bbbdb4784480d0
SHA1: 851ad674287969263b1254ef8dadef90339405d0
SHA256: d0840a7bf6250401cf9a336116ac7171f1dc8f16454d5c6fe4f2af3b89479467
SHA512: 5101c24c3c85a250d64645a95dd4642b409f846cc70b33c5cd6adc41bb76a5f13e62eef924e618be43adc2cc86d94ae4528fb5e51e996140ec08209f9f421105
SSDEEP: 49152:IE19+ApwXk1QE1RzsEQPaxHNsXvYMLprznyDSga9:N93wXmoKUXvYCp3nyG
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
3668 | alg.exe
1492 | DiagnosticsHub.StandardCollector.Service.exe
1768 | fxssvc.exe
376 | elevation_service.exe
4516 | elevation_service.exe
4876 | maintenanceservice.exe
4648 | msdtc.exe
2744 | OSE.EXE
3952 | PerceptionSimulationService.exe
4900 | perfhost.exe
1912 | locator.exe
4116 | SensorDataService.exe
4692 | snmptrap.exe
2732 | spectrum.exe
3988 | ssh-agent.exe
4000 | TieringEngineService.exe
4688 | AgentService.exe
816 | vds.exe
468 | vssvc.exe
432 | wbengine.exe
3196 | WmiApSrv.exe
1020 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\69ec2adcc3136770.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009686da6b76abda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab8c7d6b76abda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a794b6b76abda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097e9dc6b76abda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff66386b76abda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001f1416b76abda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bf4036b76abda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c917496b76abda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process
1412 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe (35 entries)
1492 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found
664 Process not Found
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1412 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
Token: SeAuditPrivilege 1768 fxssvc.exe
Token: SeRestorePrivilege 4000 TieringEngineService.exe
Token: SeManageVolumePrivilege 4000 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4688 AgentService.exe
Token: SeBackupPrivilege 468 vssvc.exe
Token: SeRestorePrivilege 468 vssvc.exe
Token: SeAuditPrivilege 468 vssvc.exe
Token: SeBackupPrivilege 432 wbengine.exe
Token: SeRestorePrivilege 432 wbengine.exe
Token: SeSecurityPrivilege 432 wbengine.exe
Token: 33 1020 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1020 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1020 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 1412 2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe (5 entries)
Token: SeDebugPrivilege 1492 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1020 wrote to memory of 3392 1020 SearchIndexer.exe 109
PID 1020 wrote to memory of 3392 1020 SearchIndexer.exe 109
PID 1020 wrote to memory of 4272 1020 SearchIndexer.exe 110
PID 1020 wrote to memory of 4272 1020 SearchIndexer.exe 110
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe"
Depth: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1412
-
Image: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Depth: 1
- Executes dropped EXE
PID: 3668
-
Image: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1492
-
Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Depth: 1
PID: 1048
-
Image: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1768
-
Image: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Depth: 1
- Executes dropped EXE
PID: 376
-
Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Depth: 1
- Executes dropped EXE
PID: 4516
-
Image: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Depth: 1
- Executes dropped EXE
- Drops file in Program Files directory
PID: 4876
-
Image: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 4648
-
Image: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Depth: 1
- Executes dropped EXE
PID: 2744
-
Image: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Depth: 1
- Executes dropped EXE
PID: 3952
-
Image: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Depth: 1
- Executes dropped EXE
PID: 4900
-
Image: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Depth: 1
- Executes dropped EXE
PID: 1912
-
Image: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4116
-
Image: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Depth: 1
- Executes dropped EXE
PID: 4692
-
Image: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2732
-
Image: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Depth: 1
- Executes dropped EXE
PID: 3988
-
Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Depth: 1
PID: 232
-
Image: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 4000
-
Image: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4688
-
Image: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Depth: 1
- Executes dropped EXE
PID: 816
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 468
-
Image: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 432
-
Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Depth: 1
- Executes dropped EXE
PID: 3196
-
Image: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1020
-
Image: C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Depth: 2 (child of PID 1020)
- Modifies data under HKEY_USERS
PID: 3392
-
Image: C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
Depth: 2 (child of PID 1020)
- Modifies data under HKEY_USERS
PID: 4272
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 ecb8ca2896cb6e745e2318346e9a10e8
SHA1 eb06cc6728fb5926b7b1fd0c46f21217472c508f
SHA256 81750c84f455607b3b9485a9a675dab4cf4ca4662d91e4a554eabfd79924fcca
SHA512 e4c31022024ad4d7f7f15ae99b67728edbda7a3fa51b37c5016eefa6d23770f032b853978390407cfa1d134ea8f2df9cd031dfd502f49421cf56af685c140add
-
Filesize 797KB
MD5 f74c1724edaa1d1bd9fdd3175672d671
SHA1 ed642c92b81ef956474f5b9c0d751c26c4ae9d53
SHA256 c76ad1362246f16558d9322789aaaf3b824771f5b85a08d256c020028d2506ce
SHA512 9556a51c6ea2dfde824e7a3f5e9c8d770d5fcdf801ae137656b6c181683db06c6aabac5ad21c84c1dfe9ca5aa70e8a2acb4fce3e0c0aca9c1faeca444b91bce8
-
Filesize 1.1MB
MD5 ea66e823f72a33b5f9b57cfae223b50c
SHA1 cc8c71faf7959dbf14f41a5a233b4bda629ff843
SHA256 88902a5824843d4a82e037a47f4dd32923c7dc3d89448a4cc4439f265f324806
SHA512 c5b666cab9127fcda9815e43a41880ed0284698e80fcd7d6c28b5e96439c63ebdeedc8593d475ff73f928523fba613bb7391a94c9a735327e91c203cf10827c7
-
Filesize 1.5MB
MD5 a8bc8a0e6b48be39f340fb43f2a8b49f
SHA1 c8c7f7f8b40a90a57a8a3d10078bc290af6bd020
SHA256 1b7a20300c46055ce025cdea6c7b4826899ed0d61d8351aac144ef173f08df1f
SHA512 7dd349987869edb71370c0e936858227acd0ffcf22ebd88cee0a280f11fdad19f7a7bdb47739142c0310b4ee946bc150c16e53f213d4049f309854ef7a2c7bb5
-
Filesize 1.2MB
MD5 eac9e1db382e0df3317b22d063af4042
SHA1 15ec1b554dcc886ff4a79b3aeb0a3bfdd7a03d07
SHA256 ada1d3cbc8ac773c85933fba9125456e8ba1409e68bfcb191b48bc034bce155c
SHA512 425f678878f526d173ec80b91e2c971bddc6fd5da2fbdfb39aec3fc065f12ef22884ec929701898c1c9c490ac85854b0a1866c315aab35327469ce42b6114aef
-
Filesize 582KB
MD5 e397445fad69fa5dfc545c4e71c63f3d
SHA1 660b85b8287445e552c65211cc6c1648b0d821bb
SHA256 4dee751d4322358081d1056b00239c9cbf7666514fbdc753244912ae1a2f377d
SHA512 247f1568bac73e022cac4aa15e21f5f6ce7f4384acd9d96ced29510aa468b5f0686bbd33b3915756123980a1c28d84669987fee8112f9ab09303158ddc6ef61b
-
Filesize 840KB
MD5 324d361708a6943849d959928f2a69c4
SHA1 84354453128f190fb10c510222241f483ceeb0b8
SHA256 ad52482267ea2e8457cffdef6b265d629eef9b953008be9686c5d1e7e8a528b2
SHA512 c3e4c19f3f4706b4cb6f64cc807fad68241687eec39b5392ce39225d1a54ab35053e63b62efaf4e3e2caa4af2812e4655b5a05f30b7f72acda3dccfc227155f7
-
Filesize 4.6MB
MD5 0ad0c4faec57ab32088035bf2b83d8bf
SHA1 9bfd8ff3570b6104962b898d62277b9890738d46
SHA256 6295947a2619ddc23dc08b15fb67f4389e7d9d02d96788264005737d58b30a76
SHA512 f51292572976202688b1b2b96c4e7445ca2b7e3598e187cc1b16209c99a0260262b40d9e23077bc75032ba0a3d44494f21d64a813c1153e4ca74d1d192f5e4bb
-
Filesize 910KB
MD5 67ca2621c4647192c23322fe9abae56f
SHA1 479422794e492a92181fa85f83a853ec7c18fabd
SHA256 b2e62dc96504d51c5c083fb789b9f8eba2aa1c37d935a72c9b7c3cc573549c92
SHA512 4607a75db76a9880a3582a6cfe51642062aa4c65d8781ee79f4eff8470bb9bb08db26ee096e0c4a0b5e763c52482c06824a7c2802d0200cbe959e4499698dbcd
-
Filesize 24.0MB
MD5 b6b41e2052b1b949054b2cc865d023f7
SHA1 2fd58876ec3871e64e475713a91f634ba60f7b5a
SHA256 72c2bc2ad224f2751de3609cf4003439080822c1dd7a541447e956fa5377ebda
SHA512 d75baeae409fbba4903b3f9b4a56443a3a7d62103640f315a503106178a845245fe679e1e7b1df6a03d4bc0d36a54d655e74b85647e7956e84f8ac9b738ad355
-
Filesize 2.7MB
MD5 ddcb73584376469167d077e16ab0062d
SHA1 477512353f827f7beef2547f4b9bef775341bf6e
SHA256 5a127da1e38a05d7f96d161a9bb1f46ecbbcd84587bfebfb415b1d47dc2e27a4
SHA512 0e784a6bb680e33adde2685cd640aa52f4fe9e8e764a549f00bbf68e505aecd4b17ffd57dff2a033018919d736082472c5eda0f0415b137d3e81c799d3bdac6a
-
Filesize 1.1MB
MD5 00897d91d01321fa9e1ac3a215c8867c
SHA1 c3f3c68a7ef2d44a17c48c5a80b73db217cfe453
SHA256 d3b1c983f99cf5fb3895be709492f572609adb8c2995c07e4653381051aae7d1
SHA512 65cde2a3f6601f8a1601fff852b70af2fda9989c2042382a407cd8fdc8aef3d7a0ab2c224daa3301a779713813774d9fdd1f8dfacfd94b30f860646167297719
-
Filesize 805KB
MD5 a6f1abd630d92118e029a5f21ec463b7
SHA1 0a660e871a3b8c24aa272de7c05a3eac56b0f89a
SHA256 f9381f1724f9678dd6176f319f652fe18d0c4e8c4af34a18b72e0b1d0d52732d
SHA512 028138f808f5d57f69458ea6e4e9e4e1811334cc96d9dc8795305b065a7005f9949e3a02959cad7aaf0ed81f30ff09bd6955fed7bc78ea9acc2db3ff8b037f08
-
Filesize 656KB
MD5 3cc3d0f4ca1b44ec57d453bad666f4b8
SHA1 94fa8a452aa9dac55c432277008f642ce5844a39
SHA256 2d5862067fd0c1de50cb77fefea494375268435baa33336d7e407f8b2fd8ba05
SHA512 5751add745b76b9127e3a53b6dce98ff618950f5667e8486a3185e045bac0ed569c62577aaaf62ad16a233c3c72251069d6318bfb92e7aaaecfe3e0d9b250574
-
Filesize 5.4MB
MD5 4fe955e6accd66957d5d33f2d40c61d7
SHA1 e85b470dcc0f4ea9ae737977ae81068e20c2dd71
SHA256 c0abf34ff72562b7911b62bc552c5e28270bf977ea946278767dd2d465b7414b
SHA512 e02516a038f70e036a56d28b518aad8521b61564dad0f538d2a3b4ff640758021d82e1b5c06e50ac788e47b3a01dba704eda703c9cde5b9c80c3f63c0a85f35d
-
Filesize 5.4MB
MD5 ceab02e522063cbd2de9998ed1b0d12e
SHA1 7d74a04b150e2f153b2ac73249567fa93d6b8be7
SHA256 f41452dc8cb0fbcb35e672593ba8270495d4958b5a77de10419ba9d2beb87f02
SHA512 32d2b62e604f38d21c4dd5666e5455d75efe7b305cab29f5ba600bc9e4a14bff2167619e627a0527fbd8905716f06e3ac0e415655f8896b5ab44fd63505b2fad
-
Filesize 2.0MB
MD5 297352639d3f6aed5fd7c393a3e1b93a
SHA1 85556bfccf72f038ab87e389348639c8f6c8b656
SHA256 876e4c4e13759e2295ffd305ea336fd75be3ba5675adc59b61e29bf5efa0083a
SHA512 783f42c1ebea1c4b20a6cff337b8d8665952abee241cb69814acdbc04f8a9eb75ec63cc6e080859abe51d126dc846b24cf6e1184a37b57b7377ebc589ecbeeeb
-
Filesize 2.2MB
MD5 ce719ce6485b35e74fa3d8bfba861b36
SHA1 4a25bb32b4298a674c6f666224c6d257fcdc528f
SHA256 3da6277fff1a64d1f8b4b3fa461fa1106ca778f83977216236fd079c73f74892
SHA512 445a6e19eb51396ab39149f61937c09d42a7cc129b9a8a5d807651a65f4490eea088f8abd8a32e41dee3bfbb3cea7ab4e6353630a29a0436bc6d50b42cd10afd
-
Filesize 1.8MB
MD5 d2fb1d5d93b2efb70c6bd83ba3270c67
SHA1 f61a7bbfc0441754d90f98df8820fd1be7417fb8
SHA256 e0b2d71d3dc75877c95e0d97e4ff1bb1e1dee67ab2666f6a7505299f034123bd
SHA512 a98606172176a2e629636fbc517b25eef094bc489a6074b6eca6d2b1b8ec33d5c0af7921f5498833c66bb1cef7fa34673712f3ac9400a715cb69ed4b961aa804
-
Filesize 1.7MB
MD5 fd41c9846d88152521d3c9209e70b950
SHA1 8174817d6ea60d34653349fee8e75a0a2d6c17f0
SHA256 5e9697e5736fd834477aa1c29b20cd356e80806d217a04243aad4cb44f23c818
SHA512 57749e8d6fdb4c0eb585a2648d1934070979c572373f983a36479f524f0a5fd084c42dace250fe99de9e218521ad3d83cb793f027406fcd929523f77ea537612
-
Filesize 581KB
MD5 f5c7fff87afdd8121a26a667975db9cd
SHA1 785fab89a9d1294543c07de4714500885ad6ecfa
SHA256 b12c6bd9d32f7eeb0ed5a5e4e82d5013d206d8d49c3d063afdfabb2df375c5f2
SHA512 1c240ba46fbba25ea6e728d3a8b0d9d3f9d5763b3c32d51573d5f069d4d89170095010568ec06a526ee394f1cc3be24a71415b24555f9f1f54fc25eba1dcf1fb
-
Filesize 581KB
MD5 a3f845875366fc7e0c3202c5a39dd9d1
SHA1 ec48e1d8ed433bda644a2d43c82faf4fa3819752
SHA256 13325ed98151bdf24cbd1abe58f378cd7107e5bc286defbcee7cffdd67ba8eab
SHA512 366e4a0a28c150ec5db455da3339b3a5b20126e78ece2f75a5281208ee687b8e3d5884881c0629d184ceb50e1f86ca25f50158dffe61172ae6bcf0010b1d7699
-
Filesize 581KB
MD5 e98950e4fb0ab36795b768fbdb1a3834
SHA1 d9f0ff3490c5e816593016eb8e2a0bce1e55d6fe
SHA256 37b4a4c83e1691360e6842cea44d32902e2228c38269a23ec78669248e8a2404
SHA512 6fc1c64362cf8cbd86e66006e1281c081a7fc2233841c942d9d58cb9be063bf46f32791652efaa8e5ca6b6146ba7eb4e63ced6749e06ed1b53f32c3095d630a6
-
Filesize 601KB
MD5 e340fdf237d5c79b10a1358d3a18a153
SHA1 9c338dc7cfc2b52f73e2d23e62a49debf4beea0f
SHA256 802dbee8f28228794203036349f761261859fbc8ebebcd302282391bcfc1691b
SHA512 19c50917704f2034112d6e7053a63872fcb97263268acf274b9dc7695261d27bd339efd0bfab9e81e35c153ab818f8e35f0c6154b3b88e997a387d6dbc2d721f
-
Filesize 581KB
MD5 f6695b7b4931b16eb627524e72407f4c
SHA1 6e44f16d83ad59d9f7b2ed62a7fbd155c5ca09c6
SHA256 caea360e8f284830c11377c17990d1554f18e191da6b1f3670a7c2ed1cb410ea
SHA512 b48a7ac225da7b11c2f82824e51c65b8d3e62623f12f832cd779021208cb21ec6d752949a368a3c4adf21e66f9d1dd8293d6105f42713ff503c0401641ae85f8
-
Filesize 581KB
MD5 58e7e8c79d8ce4dae2822253ed94d416
SHA1 da1bf4e832ff9f7e6deb387d1154117a609f58c7
SHA256 e5cfb4ca8d1de3a0fee14feac7d3efd8d520f00c2c157ecc2ce212691cfd2418
SHA512 bbf3ba1f4392721aac0b6302848563a1330a06640d4d3063332ffceb47dbe042b08141f99d5d4068b0ca0f136e40b93d0b953fa44f8279d7965821d0e13b682a
-
Filesize 581KB
MD5 ba593103f1bb09be7976da228483a45c
SHA1 cedde2c67fb1c494f7d19a364c3866703745117e
SHA256 0a79fbf84c8334e48da25e9e5308ce92163017588c786fe08a30c18a018d6465
SHA512 d3cbc4fc5807f5ac0cc8fe1abc01665dc08fb2ad5e49a2c9020258f3c7ebb8d4d5f88c54c0552cef0e8470f898bea23f2286f834a7f2d6a615061e7212f97bfe
-
Filesize 841KB
MD5 b40c0624423fbc43bec4fcd360af2e11
SHA1 6b462908565858149e262bc7eb89d78732b407dd
SHA256 fd9613550087e57c79cc88be062ecef8c08c6476a6856d43d097248ff53c4b8d
SHA512 e2c5f8ef00d0f9e0508a4f528c49bb2e34887cb9cf2f2562704bef34a14cc20543b154fc02fbc33c05100f3e684a0007a42a4e5ad476fc4527bfc294aa1550d7
-
Filesize 581KB
MD5 b6b41f014eb1f5c1555574625dc7a840
SHA1 5e39ae83417fe4fb9ab13bb0ec62539ae30e2c29
SHA256 a60fe416372b85f5d9b958b25f6bc3c02ec68f9f4614ec9a47d316c93a6d8605
SHA512 18fe63a60761a829f00b3ba44b7abf985a44d1869630857ada39b58070d9f87612dac1ff033302dec584cbaa0b92e8b4f3982d1f7721f4dee120d62ebb732c49
-
Filesize 581KB
MD5 a84e54ea230577b4aef573e02d394856
SHA1 129a1e9063aba03c7fbf6fe88b3ec54bc16948cd
SHA256 bbe5249fff3be806f3b13bb734cbbed4c85987af1fcf9d0cd7df7f4be8139c3c
SHA512 8a223f9338d565d776c7f8854c28b3f82cd4f8a63fbd1caf146a8c7be15021272826513395d684216501dfc13f447292209e81c8dd4137da52bf3405c009feac
-
Filesize 717KB
MD5 eb7f35924a31d599dfb794ca339b3dc4
SHA1 bd7c1d80b970266b3048fa9daaf9d62f56fb35b3
SHA256 30ead213d3e5925a26d0eaf9f6abd4a3a8dde687db714ecc3223890178a9de8a
SHA512 5cf45346a7e67780463a10477f03fbd4319f140b7d2d16c7f10d1603217dda319de95eba2d532b1b02ee58314cf717edb74733490a8ae739a3763bc34b2f3028
-
Filesize 581KB
MD5 53bdd5c38c90558e0bbff5683c103e55
SHA1 e1b4f3951aa0074267d124e25a726f7e61936fc1
SHA256 c3e0282e75ed099fc9bebc598b51e0f29acd084c54e90abdb62a1ee7f1299180
SHA512 e317b4b4467adb53ee11b4e67d0ff944bbb1dfcc2236d2ddd4a5079d7f55ccfc03fb209fb2e5b8a31e9341c079855d026606468a34fbf96e856dfa42a168e4d2
-
Filesize 581KB
MD5 7d56d21c1fba62cab6f2dba8fc829665
SHA1 3c7330ade8c19d2b73dfd0effd72e3e439d45678
SHA256 71c047dc0ed77bb52b8554a78ffed41020abbe21270e24fee4690d15fe1b7476
SHA512 b8ea001e1c9782373092ce5b1a28db86340d2db3bc9ae23c13e2fde6bda2e17b509291ed61ac4d9c523589b0c4be88b83c2474e47bf511a260bb4f68d80116f4
-
Filesize 717KB
MD5 28a2016cec9f861312260cbdd253d971
SHA1 62c8e7f8011e177d44775369266f73cc99e03759
SHA256 e2b4d7c1d9eb9a55c1b0516a02611dd2594255c949d2609d64a5b530c62fd149
SHA512 3aa8242ac6b0f68b934740f72169ea10b1ab71e762f3f4d3e74ac6dfd3f46756860e3acbd7733f3e95d48c9f42626750e398b7001583d40ee36f3e9fd248d8a7
-
Filesize 841KB
MD5 fda313df921ef0d67537a13ceea0dc50
SHA1 7d68672a4b1dc1c483760be1ac9603cc7e33f611
SHA256 d37f2346111d91bc9194b62140b37cadba42d2ce74e045beb07fba83a376a318
SHA512 2981d2c9e6859894d48b482b1d35748080e55e86395f65b22776de12b883e5d140e16e8be2b680b73ec589809141c6a51c719cab801158f812c1cb686e1fea77
-
Filesize 1020KB
MD5 009fd6da561db985a40f6f598478312a
SHA1 6b3d92654a72dc64ee1032803607ca2985e20e78
SHA256 fe68c50bdaed1f5fd33ac0a49d6380b23286d95d46da2943bbbbe6df3d3e399e
SHA512 85456278c04fbfd1ba4c7b015c1cf524b188e3219ad909b11bbf7077447b6da1629171d33617149fa441bf7cd5258df9cf345c8e9b88b4b5a3e6a1368ce913b7
-
Filesize 1.5MB
MD5 f2eace844db1872e3b92e9b72b1af58f
SHA1 5779cc65481bc5225187cc2ce3e0217c89021f0f
SHA256 88b7b6c23b66bba9e5802065bd12663122d21523761ab47688349301820a510a
SHA512 b5e2bfc16b0772185126ffe7c5f225fcf403815508cb56200d2a9c195aeb1a1d37528909d88d2859a795aa2d487d25e5dff9835066c5d4e9450e99fdddf877da
-
Filesize 701KB
MD5 2b47b8f5bd7d271e31190dcbe8e4d1d1
SHA1 d5827e4b0a4da96668080056a2c71c8dfd422de2
SHA256 fe14ace21679f42c9975ea29202933c8d1761d9c6bf901bf317a1724dfcec3cc
SHA512 8d844ff43b246cc92e85c483423be0932f0893fa6131e4d8406554a4b0d47104f0669ab63b210a35cb704f4e4d1eaa551bcf3e3da78a02f0134caa75c8b3283f
-
Filesize 588KB
MD5 1c6985d6cac711cc1cf053f2bb5ed4d2
SHA1 7d2be1a18595ef6cb6da16e31af891d2025dfe5d
SHA256 e540ba57505ebaa16922c96645d5cb008e7bc81a63de7bc3fdc5212c9b124216
SHA512 c0edda16cc7e81b02daf212744b8635c65ecc8753587db2e43697cc63455d787ca1f716e62b0f4e7cef7dcfa17981375cade354f24f618d20301d67a26134dd8
-
Filesize 1.7MB
MD5 9ffcf4ee305ef63e67f604975565487a
SHA1 4baf2ce2f6820ee512dc53fb256696e8748dcdd0
SHA256 6953406e2e3ba5ed6ac3eb59d52930358c55ee8ec2e9ad1d1a323f8f9cf19e40
SHA512 cafa7eba0029f3fa41a25461008cfecb48d141f0321681527d9ff42d75243a3f5f0b6aa75ed2ce0673e978b25a62986a4fbc159bcf2260c30367c2e6ee912f8a
-
Filesize 659KB
MD5 be3579ee8f0aa391784f5c29c9e1bb8f
SHA1 88b8e92d1de6afacf1896c02c66af27378760daf
SHA256 f855703d4566866ebb0a61769fe09c01aa164ed0bc8b1a4d156d727a00a3aaba
SHA512 c38e081159e296a09d569bfd915be6ed888d53212e4e095e96c31cbe49ce3b82301056fd2c336ef716714bef7f7e115ed0bf439dea36b3337c7221982675f67e
-
Filesize 1.2MB
MD5 ac568cc296a079d21f67792c39a6a48f
SHA1 93730fb5ee237d52de5cf1c35843a0909a34547b
SHA256 d7420d50ff94efb461b930e6c73803a660f7ce6efedc936993483b4fd9b98035
SHA512 07825dba45db93a4f6ecb7a24037367f3268380fcfd95587f622e1f013d9a29d1a680b088eb88c640078c1877703fd58de854b2154435ba3ee720682870d1313
-
Filesize 578KB
MD5 259d979a175d122eda42df0a883d1df6
SHA1 1aad9f5678372819c883057d30140fda91e4314d
SHA256 e1079046854083d81d675be511e6c2aed3311f865a9792ab04f5784cadfc527f
SHA512 cf5cfa9de1c11ad4b4c357554a581157a3a8995d8379cbf1c7329eac24b6cec0c4c0d1cb2b3b68f808d89e288e9dae45c8858cca8e5d01b8e1542066f6efca57
-
Filesize 940KB
MD5 4444376270b5baee8be70f27c448bd99
SHA1 5de94848370dfaf3ff4d145f86a1b0f61f2ec3df
SHA256 e564b12a943087d58656ab22437636481feea51a43e91ebd6b673b36b62dfbac
SHA512 a29e047231e5032460bf6c72e3759484f7a188f9b7331cdd5e50a1778b9f66d1abf283aae9e96fde37da0ea240042016d83105ee3d8fe014debee2546dbce2d6
-
Filesize 671KB
MD5 515e2d7bfa9677306c2e3434cd4d665e
SHA1 77de00471b18ef05d69300019896cf65fed2ba0e
SHA256 c0a04b56d284cc9356743cd3a45689a21022664de574e81a31013b5a305f924a
SHA512 21f6717eea16a0b1552abaf5056dec29d1c3f511a91f1bf3970063e11f4704e723f1d5dba730a7aa94d107f7d64a5c2787f49fcd4d9f932a5171fdf0f59ad7eb
-
Filesize 1.4MB
MD5 c48e007a3a9a821a70627f5201fc7bc6
SHA1 56322e34a9a80bedc2967fbd66b667aeb4e4b08e
SHA256 892e9963342932c521cbcecfe0e2869fe9e0b3ff2bfb95de993acfff3924e854
SHA512 7d5fc78e447d3e8f60a9a79cecc8238c710663fd873b83b91ce4efb44b44f178152347f97b5d3fc1cbe68c75f0381514cb70d33b884ef1dee8c9c57cff039a90
-
Filesize 1.8MB
MD5 ac81b6069ac5d555b4b48bca49021eb0
SHA1 36b93a1b5a42fc1e4ff0b8e68f25c5f0ab43f887
SHA256 946eadb12addb4ea1acd3541c0a5e778c11bac5cddfbdf4d685c177eb122e6a6
SHA512 6feec3045c7d08b2590a1b48d0326ffa8efced5294eafae69203d48a04d4e13a4edf0d6b3d3b00cd818e2295bab89a81d7dcfadf37f86f8243dcd76bf150559a
-
Filesize 1.4MB
MD5 9d155f214a6c12220ab4f14005fea44d
SHA1 1882d6fa6eef8212f084f7335603bd8fe31d526f
SHA256 2b9f77b2e6ab7d4d8aece34559e17643593473653b5a9195c830655fe99e4c9e
SHA512 e1294d1378c76922bd904e0400c8efbd27938cd12bd28e35e3bf5fac436ca5025afb14a24e8651c922d811d1c6044333353958757b1a5595c09959c1539cf25a
-
Filesize 885KB
MD5 b06c74db71259a3ad9ac4903e7b2dcce
SHA1 57af5979df63f787669a9e157e806c9a1bd19dec
SHA256 f16fd755650453bca3a37269a7317c1e64a002510d326bd1e41b97858902fe6f
SHA512 447d48e872c08626411300938f3ba350b3671c7fc802485878a8409fe686eeb1818ea8e9a6e499bcfa477e033fc2e1b6a06cbac0cb3baa99412b6de53be86f67
-
Filesize 2.0MB
MD5 f147097f5f06fe8aaa70b2518f4c153b
SHA1 a4d16caabb8d649b7a3450e04948378e4ea89eab
SHA256 87f23480dacd650625f8a11432e1376fc554509a2fb974fb8d0acf78c87a39fb
SHA512 1e4e19176f9d9a82459c60ddaf4b16c6e81871d0440b0ba569cb62a6d6cf8e252434dd6a73086f5839bf135fcd67817023e9a177805dd62a98895ad42d8ec0b8
-
Filesize 661KB
MD5 d056203454fd7f62d882f1eea9266817
SHA1 cea46bfa51b8c27e6b369d7207857f09bf2f8ec8
SHA256 507053c91d3c0c5408d8c0299c9ffbbfe255d2688e72dd994deb1094ee4bc3b9
SHA512 86a5e405187820c2fb758d5bc41d20bfa969d798a041331856b9ab2b0875a76e400d32cc283fdc38402cb2823033a3fc1745bd5e9b351ee1032929caaa567ee2
-
Filesize 712KB
MD5 fc86b883564c43b5ddf4d0cd12686462
SHA1 64e376a661b03cf85d7120f6bb6e59e7901721b6
SHA256 749a090369076a2f2a13d97a1ec9a5d12e6595749d857c7e3935d7f2b3f75416
SHA512 b4f99f8a59a8409fe42ca14cfd2083c15d355ed6abbdc8dc96f2ed27484d12ce27409c249fd794b4a48719343ac7ca74609ef05630b132462dd71f0c7948bee5
-
Filesize 584KB
MD5 921497552ebc7a7f7dabbad129650b1a
SHA1 4601613766be06832e7b37c442ae1ccd2ab8c48c
SHA256 c9505fa6670b699198b2c5b53a6a0517ef870f5c5af0ad53a9ee6900c34f50e5
SHA512 e8fd12087465396d7d42f3401ffa57e417414ada50a98a5148f1a314c0ab0a23684d8d6abe5c0a4496dc6fac43d545a05d666a23dcc0b5f69a47b689660b9925
-
Filesize 1.3MB
MD5 db29a294258946cbfe26638df04f3033
SHA1 d7635ddaff6f55b0b47b5edbc821b8a261831358
SHA256 6e35654644e56088cb05883fa5998803398362e55f56fa49b5740c2d94c38e24
SHA512 b10b0150748b0d557ca217ec1bb6fdd02577041d34202f5da49d952d01f0e7f2fcd21b6023afc01db2487fd13d02d4aa25f344af440d121843fa39a0d84cd71d
-
Filesize 772KB
MD5 4ed14062d3d594be8f5f21ed4353a24c
SHA1 5884f79c4058fd95623fe7ca55d8ec3f520a2d7a
SHA256 c5208a9b03d13134d8dd19e3864337560797ba5c5e2767f1d38dff624a2a0ece
SHA512 b985b98b52c457350a9c9d3f9c6d04b93033e67d496a7e8b85c7a6a4c31a21f85bf89b4acc0978f787a023ac488017b20aec16c0e4ba9a68eaeabdd44bb55faf
-
Filesize 2.1MB
MD5 bbfb0ae5061d02e7d13b0af3afbca3ea
SHA1 1bc9535b0aad59aec4a758a3d1cbe39663e04779
SHA256 1b7f8c7212f139414de17a1380a3c135c9ae728d7250864bbcf494672dfe1fd5
SHA512 7352c400bab2834f9ce3faf8705d88371311dcd0d95089797f1bb1390ced87c601fa35a2d252f5a206e8c9327ad308e838a6293a1652d54408939a9d490eb26a
-
Filesize 1.3MB
MD5 322ce2dde3ac5eb09150eac1cfd00ac6
SHA1 cd8c029d3b5d018a93192b8e33fb2d5842a6c81c
SHA256 816226e7a13903f98c12950da98abc9745a2c89f7270021d6e6868b9e7f65174
SHA512 5822e5994bfed3c0f54623cc2fc4ca12b65f7dfbcf39113ce8740a1054d5719a9953c6c216ffab912f8ceb7eda620c7e212f83fcf3acb2691aee4734875771f4
-
Filesize 877KB
MD5 0ec59aee55d4c8f1f58fa5a3d42b04be
SHA1 b2abbe308582a798c21423f277b06f5b8196dc26
SHA256 59afb39c8df582793a19bad3637dcfa52e907c59ec8ba5ceccd918f5ea04f516
SHA512 73b82869fed9aa8de83bd575bcbe1078ba40debe5bee259b70cdcb736e6900d344667b9cc60ffeaf9bb97eab1618d8643ced0f6ed5d141b2f955021b91d1feb5
-
Filesize 635KB
MD5 fabecb16a0bc6a5509576f802e53f8d8
SHA1 602170b2feabd0740806d6194b9ecfcf52441958
SHA256 8c2974a527fa3e1dfc2d128d9e97d3cbdddc8921cc0f49bed2780000b5c7e9f3
SHA512 875ff3c07c94be547b8517538a4f7ce70c98e94286c79bf2c6e8779896a8c5168eab2100d2c6f3026556573b508c4786a8ee28bfd030e4feb9db7b22b101f3af