Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/05/2024, 04:35
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe
Resource: win7-20240419-en
General
Target: 2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe
Size: 1.3MB
MD5: ee23478d9ad041844843453d30cc11cf
SHA1: 1b5b0fd292f6c2f467a737dcf872b8e403b2484b
SHA256: 899e2bb6c9b56257809dc8c912b5de68b8c1c4801f50ca389ba233a4c6e97357
SHA512: 477b4662708f92cd8bd0f9921ef7f68a1f314974bfbdee2b7b471f8d368ad91da049c57474419762a5adc03e7b13e99e6dd640136abee732ba681acf0d67d8c6
SSDEEP: 12288:mvXk1CXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:6k1CsqjnhMgeiCl7G0nehbGZpbD
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid Process
4172 alg.exe
3848 elevation_service.exe
456 elevation_service.exe
3712 maintenanceservice.exe
3336 OSE.EXE
1912 DiagnosticsHub.StandardCollector.Service.exe
4996 fxssvc.exe
1664 msdtc.exe
1928 PerceptionSimulationService.exe
4924 perfhost.exe
4028 locator.exe
4584 SensorDataService.exe
4040 snmptrap.exe
2124 spectrum.exe
1172 ssh-agent.exe
1788 TieringEngineService.exe
4092 AgentService.exe
3764 vds.exe
3208 vssvc.exe
4300 wbengine.exe
4424 WmiApSrv.exe
4828 SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 30 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe elevation_service.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3848 elevation_service.exe
3848 elevation_service.exe
3848 elevation_service.exe
3848 elevation_service.exe
3848 elevation_service.exe
3848 elevation_service.exe
3848 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4956 2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe
Token: SeDebugPrivilege 4172 alg.exe
Token: SeDebugPrivilege 4172 alg.exe
Token: SeDebugPrivilege 4172 alg.exe
Token: SeTakeOwnershipPrivilege 3848 elevation_service.exe
Token: SeAuditPrivilege 4996 fxssvc.exe
Token: SeRestorePrivilege 1788 TieringEngineService.exe
Token: SeManageVolumePrivilege 1788 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4092 AgentService.exe
Token: SeBackupPrivilege 3208 vssvc.exe
Token: SeRestorePrivilege 3208 vssvc.exe
Token: SeAuditPrivilege 3208 vssvc.exe
Token: SeBackupPrivilege 4300 wbengine.exe
Token: SeRestorePrivilege 4300 wbengine.exe
Token: SeSecurityPrivilege 4300 wbengine.exe
Token: 33 4828 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4828 SearchIndexer.exe
Token: SeDebugPrivilege 3848 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4828 wrote to memory of 1524 4828 SearchIndexer.exe 125
PID 4828 wrote to memory of 1524 4828 SearchIndexer.exe 125
PID 4828 wrote to memory of 2396 4828 SearchIndexer.exe 126
PID 4828 wrote to memory of 2396 4828 SearchIndexer.exe 126
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4956
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4172
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:456
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:3712
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3336
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:1912
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
PID:1416
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4996
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1664
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1928
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:4924
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4028
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4584
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4040
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2124
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:1172
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
PID:2384
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4092
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3764
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4300
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4424
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:1524
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:2396
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 40ecc9fe6f4761aecb6340316915ddf0
SHA1 24d00da511e36d2505448b444f398961225144db
SHA256 2ab955c417d860cde1d5751c2ada0958f5db5d6b3a3373705ea240842cd1dc0f
SHA512 dd4773255ebba4dec188253cd66d04ecb6f47773a5998d9fa09f8bf4ead5b42c4891618af9578690e01ce6a73377f79cf3f2ab31a56da582eecf3561d20b5952
-
Filesize 1.4MB
MD5 3b629ca0144b8a320b4b6d29d96bf0f3
SHA1 c05bcabef516bdc6ee17d434922dff158a304cbd
SHA256 398bf11d6f3628b4858e14ef85fa3e7ff8c7f06c707d0fb95fef83d966ed8e37
SHA512 4e2959f46e0daa170440c3162138b7916bad05d8dca6a57d8ffee748b836159642a058fef568aac343bcd34a5f282962c8896788178cabd6266e275c0b890e32
-
Filesize 1.7MB
MD5 796c71226f7a63b102ce862ae354e9f3
SHA1 102ccff9efa66bf82a9f8956230f7da6e05987d2
SHA256 73dbe2bb63471da65c61b3a7d3b17c6f6adafc9ca857a9cdc8a90bcac66fe69c
SHA512 cf27953e684b036eae3c83282370478b5c135f1fcb3cad49a51908d41a76cb20095279eaafac6bfbf74a2f11433909e25f951ede4c37b482edafc63d298d9d11
-
Filesize 1.5MB
MD5 49983313d09819b0873d949b1257b124
SHA1 f595f752121a5dff6bf6d8598ea0ef842805d3f1
SHA256 8ef04b63b77922defd3ddc3628bd1ecaef7db22b4b7cc972f874a3f8a535591c
SHA512 fba1e84ed13b0cfedac4dd3e044a779c327a7fa71335d7771dd9436ab8717f8ee6f6b7bcfbc426f708325d3787f9d7dbcb05c0dd51fc6bf49046042c5ae2c6a9
-
Filesize 1.2MB
MD5 63f65569eb19c5b65d15a7b90a76a6e5
SHA1 f98d0dc4707888c384dc32bc190b4a89c28ad5ab
SHA256 9e34606f1e2d3fe4d9308948dc9b0660e81fb13cb00a43618843b62949f7fafd
SHA512 42c411b433c74fb9ca35097276682c915290669e573c0b0f1550936b7f65a4d4a4855868d4aa0eac32b2c00be8f905bb8dfe9ee083ac255ee785a82066cfba58
-
Filesize 1.2MB
MD5 e89b516a2b6fe92c0118c61b44ba2733
SHA1 12a8b9759d3f28c77aeb2ad79fc71aa259d08d59
SHA256 3c00a5b6d0c03226e1e8a77a979e0aa77d5b842102474a07aa10267bd10e3914
SHA512 13c045d688c5ec9993f34425fec1023eb6cea751cb7378c23953993a735e0109b321c78f9856d90bd97f5594c09e5c5f1c3f171134c25082f8db48a8f784319f
-
Filesize 1.4MB
MD5 45de8c654f258ef052e28fca4da27e02
SHA1 770eb6c17c5634087e86b515996001239ea85310
SHA256 2d8b8c75f5415c8757281da361738ae68ba8e10490533ecd91aa657c01510523
SHA512 9e32681d4fb729578113bf4a69381707f3c38e86ad5d3e8d58e690a6ef0a24d16a473e510ad6e8f20d60543e2c40b72a33f35aeb36eec1eff25cdf988e603aad
-
Filesize 4.6MB
MD5 675efe2851a86bce0129a1b4c1827be8
SHA1 bd41c09c548c27078c94a67c9ca6f42fa6ed880e
SHA256 5ea1a870f7589511b304822952602adc047ca5376b1ca3f8418701732fad841f
SHA512 a7de80be833826ba7f9c5c15a460e88d0e4b95691c6946a2505be73f05644e7290a422bbd6e7747de2021c0eef803cc408af679dfc41ea874ea998235455ffd4
-
Filesize 1.5MB
MD5 ed1b4a80fde0ca22580bbe9625734aaf
SHA1 9db447fc1c89ac39cc42693c2d423da9dc4ce960
SHA256 26f29ad5d0c7cf190a9efd8380ff574d7862c7a2cb53f94deeadd54fd991734b
SHA512 8973ef386dfe12d8beff4b873fe89eb7c0e91e6eb96d46f2176cedf6a43a9b3b4c010fe4aedefe4f44643987979e0aaa53e87301afe5aaed70cd03c9346e5b43
-
Filesize 24.0MB
MD5 0a26b8ee9befb9663cffedc67e453b18
SHA1 240be832635ae78899d4e5600c6a5f9be58b4a4b
SHA256 cf66e6a4e4a70d828f3c340610e9dc3388b536d913ffaa666c318494cf11d9e9
SHA512 1dfc0be03fd4540a315e88e3187fdb368fa4012d964899c56df8db4bcb931a504c959cf7bb6b9cf66816570784439eb8980c3b975b78f44952190aa0ee69e3a6
-
Filesize 2.7MB
MD5 bc395ecdcdc682c0b003a02923ef045b
SHA1 2e91f5b767730a7059ffaddaf2905fe01079618d
SHA256 21485f4ae42c6bc96a18926326a43c7a0cfab566c8f5057d582791d20013e79f
SHA512 95bfb03f5d4c04372c1b57f3307097688b8ad4a45acf0349325d1e7410ea9729480a8c1bfdffe6c97323f777c403076bb14d692e4a67a92ae6ea12b9a5bbb82d
-
Filesize 1.1MB
MD5 a45ec285c53d8db1e1966f87cfd32670
SHA1 cd8d6df81fae7b2d877499ade0f45c648635e641
SHA256 93b695b5f95b0ab14f841a420f50ba77196ab6bb557fe191855cb9da8f4f743e
SHA512 3dd49c7d7b80c635f6eff244bc24cbec0254319c4a0bf0482af1c5a7f3e13443827a642dab3012dac815be430dba72f26249f286e89efb1bc9e7d1ed0054e0ea
-
Filesize 1.4MB
MD5 3838068b8c50deb20304e2aed7687133
SHA1 beb875a16a35110265a3ff1ab461b75902594576
SHA256 7678f9cc746e391294cd7568dd03f60a8b0688d35fca1e331b89c8efb08e567b
SHA512 900c494dc32e78ba330ffa9089984411d07f719cb6df360d9f0a5ee9972d01b04ba89ec576a920b0b2581cbce4a4f9738c3afc107da2713f2175576e84ee4946
-
Filesize 1.3MB
MD5 2fcd0dadd5afb887e56388566d10167d
SHA1 2774230ba7d585b2759e83171bb083a33e643bf6
SHA256 b52d9ffa798f1c1680c381c035dd32553261e2d774f90f6c52f51dcdd37ee20c
SHA512 a74515693851aae6afff247a3bedb4e2bb3084a6965345bae3fb0336ab50f1a71dd1ead0b12d96dd3a89d78a67407b9fa8a02384960ef1d58abb54e8ef36b548
-
Filesize 5.4MB
MD5 925d7c4c18d38284bd4b6daa342e42c0
SHA1 40befcd3eaf38ed0c3df36386f6f265a99a75828
SHA256 fcd40b6e2c09b0611a0a5f839e88944fc2c25a1b809374054270a611ba7c0724
SHA512 a105b00762fa3e5063ee2c0ba842eaba729d2bb5e4a0b360f48da8c3b37b28e81833398b17417ec4b174bca05d4554dbb8d76e22dc8a15d0c38d4b6dbe4dddf1
-
Filesize 5.4MB
MD5 9d7c46de75026d442a71f587e84d6b33
SHA1 1f79df931db481e2ee121e4c38333ad021b37ca8
SHA256 e647195afb5e15252021360476098be9e3e0f14a892fa329a62d678d54fcc0d4
SHA512 2136ca20f46ecb56e19bc1a5322ccf1ac459030a967f8a5f2562f9cf205312491401f6d93887f9fcc0ffd94067164c2dc99d3edaab8257bff60273c059e8bc0d
-
Filesize 2.0MB
MD5 b64a53a6be56c648970e57c219afcfae
SHA1 1a59a5d9c5d1b2282150d8727d9c5b0189d1bc17
SHA256 483aef2ba7e91b87935fc29cb17323646984472fd0f771ddbb314c52dce93ee2
SHA512 53dc0fb00e9badacff1b1a8179ffd24eb3b8121306110ba55f05fd3ab469d3ac4d88c33747a42c96648fef7bface1ebf137b923533d3721643a7fd396d6c65f7
-
Filesize 2.2MB
MD5 e8831a68ca88a25244795644330332f4
SHA1 9f70a09f2bd1c3e40e75c9733fbeeb559af323b2
SHA256 8a645c900ec98ab3fdc171a88a1af1907e89124f888d7607cde0bb274f15977e
SHA512 37e9e1aa61235b371757e675ce50da7f6bc66ad1dc698d6d4b42018f9f2ebe95fd3125019f632d7f549db1923fbcb1d9bf2ff4a30cb8906a74abcf6e9e734f48
-
Filesize 1.8MB
MD5 300ce76bbb106252af65c384ddde729b
SHA1 e2be8775fdb42259614226f631ef0f5ce3ee137c
SHA256 bf877c549ebedb1fcef6cbb6ab55cf7af86637cf21678406d2137839755c2164
SHA512 535c86175f49929a6b2ce41a3d8f3b65ac183f0c14df4247668fe3e0b5289e50cbe8b6a003ed8b4bb67a824a83ab9c242a5bdaf8313c0369c38288209353f730
-
Filesize 1.7MB
MD5 2d0f5199d7a78a7002971e4f38d11d5b
SHA1 cf233926f780753f867a8e03fa6386dc672cbf51
SHA256 fd85332865b683028fb84b7c02ac42b22ad31d3e6e15ce890e358eebe9dc45ae
SHA512 1c5a867e3b4f277f8019fba11bd5091a71f3c90cf8ff431ee50a2cab520b70e83638fe10e437aed2ae24c970f0057bd4203d3b102cb6c6b1d4c6a7fe17146b86
-
Filesize 1.2MB
MD5 a09d6a172e2d90f61ab1ca8a2ecd0076
SHA1 104bf858200253117d761bd43461f7b1f976e544
SHA256 41aaf13b28a676f79fa9b2539d59a6a5ffb787513d35979cc3fa992b76454f61
SHA512 b2f8e9fd301de7350e9a1ebeaed7338957c457bc6beebf79d6aa5cf63fcacc059428008f199274eed148d3274756c28fabd4531e8ee8719dac77158c32404601
-
Filesize 1.2MB
MD5 789855dae1a23d5b2f01f48515ff41f5
SHA1 e4783c3aef9bd8e5020fd9897de458ea63cb5de7
SHA256 322f76e4ee8e1ff7517dfd9cf2b37158b8f114b65a624ffb4b4f7dd4d1b263e0
SHA512 594e3fef28291b239aba1e0eb5481bcace89aba4540c1ef9381b0b2f84157f1454339b6536f4b71bee968f980622bf8e1fbfd0b4c27b764eaa640d63c7c5fd8c
-
Filesize 1.2MB
MD5 44e43e6ae3ed2116d9da2ccf01394a06
SHA1 804450a8c0226246ac17200b9c67b7581f38e692
SHA256 86fc248e3877348e8a779649f9c40a74225aaad0402cb3f975dad8ec26e9b02f
SHA512 0ca05451085eda6446f6af8bb5f4449617e16c6af30eab0152a60e8185e5dcba3ba9e7dc9781762b753c6674a80f4f10779fc4a6d60abd4e8b597cf3fa8baac3
-
Filesize 1.2MB
MD5 10f4b846d65d001d2926f6ba18097b68
SHA1 12821917b4fca51d2fae37ac408ad7b5cd702831
SHA256 29dbb3c0c22abdebf1f0cd49b3db699c750a6a96ff5850d65efe7c96f6aada23
SHA512 804bf18697205ed9cfb1f610eea5ae57977a7678084f5cb76766d3ed153a5bd5fdc7a5dedb17da368e7382535be123224eafb1ee9eb7371fa5456b0172ebf4dc
-
Filesize 1.2MB
MD5 89f92670d68a3a9480b95477df7ca132
SHA1 00999e5abdbb2e605db52c3b056fe797e186bfc1
SHA256 7037d47ad0b180dc68c70d03471522405c058a06b6340880c3a21050fb78013c
SHA512 852be1ddf840a4af9e7f83025044bce6250de7ffedb07c23cac0806df8f20e5e87fc57aa7a39a87b6dbac670eefd59d42e6f07989b75eb26005b3d66eb8a2b53
-
Filesize 1.2MB
MD5 f4ef5db61685e67500d053ea687714ae
SHA1 f450bbdd874f7eec97c173be84409e5dd72ca52a
SHA256 f238ae66ddfd11acd829b77deb604a5a0805c1d8d5abdce3a55a3259e12e0696
SHA512 dccbc7ce5c5ed53e0648d1650adc741e4454c93c58a666903b8f13b958670af49117c323ed9cb176b88c7513e1a33007d0c771dfd9b053c7c057aec0f4fc7d09
-
Filesize 1.2MB
MD5 5e979072dd0017e9fb3d455172ce68c6
SHA1 06b6fd7b1a79fee56186da67b3bae05a4edb2813
SHA256 f7d9ed4a395eb76be2eb90292157f4169e832099546fce945a2bdebe7dc5ced9
SHA512 e957331e66f4f292c596eca8c4639457a949d57b2a2ccc57ac1e13a734d566ed839ac7c3e44ce0837f27245dd18a7edc5a674e945651b371a24d88c052174b0d
-
Filesize 1.4MB
MD5 56b4811610ef48edda63a0d241a6c729
SHA1 65f44d0598947389a4cf7196da7a5bfcf8e39aa0
SHA256 6cfdbe96ecb9458191de48ac6ec68ce07059bf9197d59fe71a311b32fecf286a
SHA512 0d2cd9aaed1f5d4e33eaf1aa84aaa827d41e31d831ac025ae86c127035bfd81199deec9bb7efa2a6599e99043beb44416e15ad302c63e30905c38b1547f8090c
-
Filesize 1.2MB
MD5 1da4cdac3868813b35da256ecd88ef7e
SHA1 1f64913e3fe526c624c2f514e4811f5db2347f9d
SHA256 78dcc051d0360b31ff75f30063d0ce2d177da931f5b7addba1954d63f4620668
SHA512 2291d0af7accc4f207869442fddd91794b860dfb5aee7692193802343559d4f5a7d80128cf64a9ebc460330ead553f5479e6303b6b3d4eceacd3a085f014ac6b
-
Filesize 1.2MB
MD5 d4f250e3b3f077db80e470b6dbd4cfb8
SHA1 a22adc99ed5b2c1f00c251ef6427127187c64377
SHA256 36dc5ddbf94779a34c0f13c294c597fc12916f4bbbbb88d7aa0d90dd691e9600
SHA512 4bffc86ece398a73027ac0887fec6c7453331773e48204dcf73c7f688930c3d5ad5b1f16a51f86cff580b0002c72cc6c7e1e3db362a278f0fa81663037968bb1
-
Filesize 1.3MB
MD5 0b2013def00e84df2d76b6048364881c
SHA1 694e1639632dddcd2aa605596e81b38b4121679e
SHA256 184a9580c7de0cb22979f7854147467fc689b4133b88b307578574e200402821
SHA512 852d49e42072981144f96f3bb4fee77b630103ed98328167a6c1c61097a4b08b342b906f73e9037c06b0f199d0b502bf561fb593494436b1620c65dca3bd4854
-
Filesize 1.2MB
MD5 49782cf13d69450485c1341ef22bc868
SHA1 df2bba4768d60e12bb0dfeb15f8b3eb1327017db
SHA256 c1d0d77f4983f7dbec2a3a3f5c2f1b93e5cbdfe85b6701353eb70d149431be00
SHA512 91b6205e01c1bdd3a315679f1e95a5704aea97422733020e8a293bdffcb481885a676296a46d55712c2684750c778af8db751c9523668ef1c4bdfab2357b2a20
-
Filesize 1.2MB
MD5 98f7b319691d2fb4ce0617f6423bab51
SHA1 4d0215e14a3055fc959320ccef0afe10b02c16c6
SHA256 2c742908bc7507fdf43d0a3b88a74615f11aff6d9c2c66c8f98b3046161848e5
SHA512 0717f876359103bf9e01736b5258ec75e6b279749b0ad91b3b1e9b99c5f2905c3477d6dc78495279b8cad2b26de409e48817fef681e872a5dd879d7861dd5348
-
Filesize 1.3MB
MD5 df6430f7c8e1a23bf1389b68671aad5f
SHA1 ae17d19b1e768c6ae724efe829cc0309c7bacf63
SHA256 5fadbba20807cae1d7ea8c17d0a954f4a6547a16dc423ebcf9374024ed9cc28c
SHA512 aac85bf4e1fb6e950f115b62d77d98e803ad71eee7ff056b1545bbaee53034720101f85a84169f1c53d906bc9f1f4739b0e01b2fcb4194023047cbfd76d1cd8f
-
Filesize 1.4MB
MD5 a7ad62768f0ab8506dfe370b7a694770
SHA1 03bcbf74bb5d77c0025afc2310bf2a5dc9adb6a2
SHA256 edeeb5bf812fdc9d48c9b8f1842216b0edeba2a85ff8ddc434c7f7b6ed564663
SHA512 e9726b1da7a6987b8b60a54aadbf5bc6674d3e2118798e9291894ac0571696da3dd031eaf42c4c813f5ae9b7c014a7ba8f383bd5ba8627bf1eb3a4800ab4298d
-
Filesize 1.6MB
MD5 f927f4054e2cc638add0b18a8e3811d5
SHA1 65b5f1d9327da4abc7c056e304e32a325f51dcb1
SHA256 77e6923a4334a8eddd0abb1769133c60bcfab82c813d40e7551202ba119122c4
SHA512 00e5f6e1c88f81d1b633aefaea06a0f37071403c4f677056dc18b5dc69c1739051e3de3246f9af190441bc698c3526766c839b99753d236637530385e600e8e5
-
Filesize 1.2MB
MD5 8fbdd40bb981f4ef1b7be4532de299e5
SHA1 f856296cfba368abd8d2c612d31522a368b5bd6c
SHA256 7a1f6fa3417541fa1b914b981726eecafc729cbdbd3e8607943a1b94ac5e39c8
SHA512 a43f285bc9d73c21de1db2c85f20319e8e025f99af3995833753eb26d5a5b2c4fc2a63e479be56259151affc4440c27c9f9330219f6723d6e314c3066c1358a4
-
Filesize 1.2MB
MD5 17a41607455ddc095a47b489c41bd428
SHA1 b03c7156c694d9e536082cf8caf17ed1fca1fa3d
SHA256 8095439bedc5c8ddf26f112c773edce901b92f58ae4daf50ea541b3e2fa1c9fa
SHA512 c8b5e30340936bfb93b3c5c7c1561d1ec2446bc88bd4478a64ce020cf315fffce40eb8856feb81a0dd3690a39f8b3c38b494e2ec842478940497ef1c0dc0aeef
-
Filesize 1.2MB
MD5 ffc0378b37d1bde371571ef0fec54119
SHA1 04d207847d512ab71865828006a2ec0fe917d732
SHA256 bd05ff9212b2dcacae0319ee6381d14d04ed078d21aec5cff85815a9e9f73605
SHA512 7174bfe91fa892a7c3bfb33caf46a576ab8f00f6915f2f5b2844540ecdd82b5a521d2debc462c565031e83a1e6e9d8e1a6d55c97269303718a703706c1eb956b
-
Filesize 1.2MB
MD5 d1c153e55ed104abce73aa61bc3a7306
SHA1 690c200622014e03c97fffe090b146567b451c1d
SHA256 10c50cd5c9cef79dbba97d783091145678dfbd0e589af57b0db5f2e1a033bcdf
SHA512 b3672d9b8067abbbfe4f6fd6f208284f90ddbd19778e99c3d7b9476f8aca8acfde5d73b791969781cac26240cc35d1d32b835111a82ed051c376e59ab81eecbb
-
Filesize 1.2MB
MD5 fc387a4c3202ef974bc2ea5645e2a3ad
SHA1 d8c81015704bfe57fdcaaa879ac9267d9b3d17b0
SHA256 eca3fb13d7eec22eb0a2a4b1a89742c04a1d493817d8fb3defdf87b094f3b216
SHA512 ee3e3333fae09bfa798163dd9079f889bea86696b1db39218762b5d39d93cd5acac1059f28125bb27087cbb9a3d666a8bc3fa29ed5483eba67c54d3fc177eec6
-
Filesize 1.3MB
MD5 cb2759411a7017104fe86cef9712c417
SHA1 e67f305db879279134255f696f7942c48cf7733d
SHA256 7fada852cac08a866e8ecae5530f691a758f105a3a818239b723c087305b9cfa
SHA512 19b3acd8c18ad3100a025ada04044c2286c60e1108a713d34b57c914d54f9e58f2615dd8a4b1ef3a7bf57975448140055c4fe05b7328f5365b30c5c831faccfa
-
Filesize 1.2MB
MD5 6e3d4c5a8349ff5b576547b05bf17b6c
SHA1 dc0e52c0b68bd0928186523c4a4b225dc2e27c60
SHA256 8e7723a3243c0885fcdf374a3a591f43ab0c2f451f72eb9fc52193baafc86d6b
SHA512 311635dc321301621e022f43d379e54cc9bdec7c362e67451e86e98cad42e4eeac8ff72231d6c57a5c947308ca9193cfb0e212b8cdb1aee901e39f01ad1c23bb
-
Filesize 1.7MB
MD5 36d547d4b58241607861671925c04a5c
SHA1 6d239d19c1e885878b148a7a958c9906e853ab7f
SHA256 c927fe461c7e89ea4125389b3c065ba62c6d00fe6d4eeb12394848eaf8041b84
SHA512 55e7fe2cd56cc440b2178c1640a883d08853192f7128204f7d7dd1f98e5a053691784f252c176eb4e42678c4821b17a9f464af87a5c60422bbc7f1890cab282d
-
Filesize 1.2MB
MD5 55a1360154507b2a2563895c5df3a2db
SHA1 99e5f9ed01f24c00e80a343d7bd46726fbf60c1e
SHA256 5988583d616d76d171d92a46fafbcdecdd1eef75b4e6875355bf6ef905c5c8a2
SHA512 abe0f3f6cd5ad0aa89f5aec531d501794032c5e79ae181f68e01c7a76ab42a7e2fa6fcdcea7565891b93001c677bff32e464e5b1d0ef950c70aef6675d4b3fff
-
Filesize 1.2MB
MD5 269fb1f88b2a90a834c7bdef0929a412
SHA1 6bf4fd09ad709c6141e129c789da3f39b029a24b
SHA256 417e261c6a34a62c1fdd03a2ce251ec1af9b18302fd71712087ecf2959979360
SHA512 b6c5ead754af11fc3018272a50d546773c59327e30d92b5518e95bc3ffca1f2de6a9328ec7377c5650fefab73297f3c54b89b587656c3605d281f1f1653ebf9f
-
Filesize 1.2MB
MD5 893d49f37932f01a962eef70f5451f22
SHA1 e834c307b3ac86de6005d3c04fb9f4f8712c82ed
SHA256 b07d7dbd5b7cd9bb74af6b7da3836bb9e57dfea5913a6e255063c73b6a385e34
SHA512 bf8ea085fa6f71964688b4475da6bbc2084266e03207704f12bb648c800639ea3f6256d13fd115930f92f6ba7a0219e16665d5022d7d7cde25f40c6d472d3c61
-
Filesize 1.5MB
MD5 88f4e378014632c1564600f89a58d465
SHA1 cbaa9619ad9161f83ac331851b862ec0eb846af8
SHA256 b3cd689d3beb203391a46d7e091a44f69461ccb25b29818f62fcf5aa65d4e158
SHA512 f762e0597767be91a54c88109f91628e93af5b91c99b34f06c87d66b1302b75175ebd37c7a9e3ef1e24147e69c0a026e08cba73f23e555ebd3222a805e51ae06
-
Filesize 1.3MB
MD5 825899dc321ed4deb9efd2063e7edb98
SHA1 70fee67ecf23f58ae57f48e1ae7a69245620dd35
SHA256 cf6d1ae5f8470abf49017887eed81ac4b8f348cca0e3521e68a9748e80b9d7be
SHA512 e9db066e5249caf9073e04040b84312c3692fd99415c7886a4e7c2add7058ea6ba72450f0f457205466b31ae7d17a0bcb7f5375352f1157d2f86006a84aa0992
-
Filesize 1.4MB
MD5 46a3ecffefa4ad0101c84d8b6e4b42f1
SHA1 65baf6e08d3a61d82729785dbd573c2956e3313d
SHA256 e4b8242c1cbd53a1585149eefd70cecf274698257e3395860ebf6ad02ef2765b
SHA512 7f0316a91eadc3d794cdb9e8daeb78f2b8f2ecfec306b95ced78ca9bbd28888b989b0a36db2deaeb243cad6b5e696354730e071d4f47fc4d69dbc8bb20205015
-
Filesize 1.8MB
MD5 be1f74750ec23ae8dbfecd8becfeff89
SHA1 8427b2994d90c8e4a351796ae638b1d2050b5e3f
SHA256 38fabadb9e4b9527ef2ac0c5b4626b7be2b66fb26fcba1f38df452910d5c5cf0
SHA512 d84456f21abe4b4a0afbeb3f87db119e000363ae62537cb55510f87a90d3650efb594f08cb6f1c1592f2af721722db712c4775315b527d49ab560a7734ca68b3
-
Filesize 1.4MB
MD5 6af87472ecefebb2d1aa9878cbef5a13
SHA1 a9819b03e40552482ab9762100f8cbdabfba5b75
SHA256 084341def9df811bd2201be97feea988e0930c48284658e4b14aee3d6b4b791c
SHA512 63ad43e360c469dff60a668a52b099d5743c660e3c37332fa51c7177c2c5d04c6f6677212067b25a9970842d471590f8150b39bef1fae636732c8e6b1827a891
-
Filesize 1.5MB
MD5 dda5c0f9af60ccd57944fd05a7e9617b
SHA1 74bd264b759905f5b05fd2602dd596437d00ec0c
SHA256 db705558d56fb1f1fe672b104709b38e5fe416a32d5b82b973bf144dc6e7ce8e
SHA512 7d22f6b58e4f323f3be9e93b3a213de5ce9898eaf9f1d7c55b396930bfaccfb7d252f07d2d07cd129e67eeba09b41e51035b786f23cb723eb776dd285ede86c9
-
Filesize 2.0MB
MD5 43ac31315836692b3059fa26f6f71827
SHA1 70cfb3a70afbeb56ca7d66e2dc4116a53a4f4dd8
SHA256 742c40b16fab69a5d66ca290b80afd52c6775bfd3502b594e80ee3884ecff879
SHA512 2794ebf4119c5ff23d4c7eadacfe950575ecdb0be668071c7ccb61817422aa6e2cbc31702da5afa8e400422ed0a8c7c6380b9ed5b2409c3284e7ae31f88c7cd2
-
Filesize 1.3MB
MD5 49050dcfc9ead1c8cb24973c06d9407f
SHA1 d4c4d0fa13aa7d6bde39c982cf0cf0396a46b098
SHA256 3b116146bc6ef4efbaa680ab17e439075451e43ebf141d02b16ce7fa02f85785
SHA512 26938f79a60b0cd52b295e8c4ca87c0d1e99e911913aebf3165fa10151efe4f776b952d94756eb87b2259909a584c2ef4ad84ff810bf5cb54afe9a3678b5293c
-
Filesize 1.3MB
MD5 1145e45132b07e5a48bdb9b4e557918d
SHA1 54743bef778dd1a407a9fd3f8c9174f7ed4f059a
SHA256 9b07d2b16c9261ae21712e94ffad771bb118089bc469326ceaa91cd142202656
SHA512 9e645bdf4fabe31635102d51df10e5b604fb8edd5cdb7d7925dfe4524d59755bd075bb2d307b58a45111a6bbf936ed496d7b966c7e4580600159864ebcee922f
-
Filesize 1.2MB
MD5 3336b0cbf6fd9664322c62ac094bc5be
SHA1 67d7dff2bf697a9f71995acf43221e8f9894e85d
SHA256 bceecceb50981405e62e8216e15188b6086987b15916ffd8a6654b03df1f1b98
SHA512 a23c845cc1d3c4d2d0e004dc2ef8aca412e56025e9854b0e439216e1cbd5d443f7cb2059748175e9226ee00ffc06d249bed173d627d5c4276f344297dbf3d8cf
-
Filesize 1.3MB
MD5 f50af3e4b2eec97d8ff531b65de94b0e
SHA1 77449707815b1e7ab85e30df8b74a3e31f33f924
SHA256 ec3fef20ce5e45034d8591e03f3dcb7ecadf059db8673f60c1af619b109aca71
SHA512 4728dfcdbbd19cfab5c307c24fabb36276a3f7f21f040333c99d084f5a6b5f5ecd4a60417b2f99e2eda29074b7d92f5c18c9593d9f4d6ce473c689037b6b1913
-
Filesize 1.4MB
MD5 bbb08d150c9659b2c696bf75202e88c8
SHA1 31b19889777e4653fec5414fc8fe1f95f6c2118a
SHA256 74812e0f0067b0e0b5597185295b2eb7d46ff9876ca09a94a37a6dcf785405fd
SHA512 e28488ea032cfea6ee96b2d86635b9cd9e2e379b7018f672c19c0f441e52c8dca294b4ab5c439907757f6808e2ce5094f718181e1ddec4dabba67439a4bb7bae
-
Filesize 2.1MB
MD5 a280cbe4ed933bac7a8834e8a6cbb2ec
SHA1 3e7df7236d6e07a1b48fb9c3b6d99826b30b7498
SHA256 b2b631f33a86e6be96ce3a0e9652ff96a99f26f9cf422e4071568ad4596b13d6
SHA512 37af39a8ff538877d4af16e28b1df2cb19e6d393f6783bf925998491ed17fe5c86f32b7843c688996f3993813d3fef8226a6a9a408753241611d25cddf2cd499
-
Filesize 1.3MB
MD5 0f61292a043c384d413faa8bcbfab9df
SHA1 a7dcf628a61ade182a60c5d2f3066d4a31036c4a
SHA256 a0cd7650c315283d9faebe4e61a4fb819728a2a6b47b123b369098518e32d466
SHA512 1b7aa4fbc3b6579d9e51097f286aa238670bbb5d9a8b0003625a008e117562a259002dcc691233934e8b99c833903538c5e6c28defdce48aa02b52bcdfb647aa
-
Filesize 659KB
MD5 ec381d31f2ee57fd5bd071c20002c94b
SHA1 9fe7fe7883fde653a2b26861bbfe8f9524210167
SHA256 3e29a2bb57bbac896cd4599daaf0c676e0428e03bea9392635f678e5c8882f66
SHA512 9d471b3f1bda7ffb36560989d808076a330d7fa962ee6964e6b07e02e85be40ab4ea73900bce1c13edc20f262fe7996122bfefd4eb310f76a8cca5772aa1622b