Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/05/2024, 23:44
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Resource: win7-20240508-en
General
Target: 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Size: 1.8MB
MD5: 6ff0d7a2aa108a18889a6f58b3ffd9b6
SHA1: 6a5eb33cffafa69d5a042b6c4a920f1ec48b49e8
SHA256: 28f5453ba1409363f40c61a1007cd7f92ee0e75accbd95394b4a9f6c67154ba1
SHA512: 57c64d2a545116e25431c2202e6f25ea97214897562b2e27d66fde56a92820f90d8f153b5b5196bc6611ab68ef414564bff6c5c18b7473257ba6d7e618f31cc3
SSDEEP: 49152:IE19+ApwXk1QE1RzsEQPaxHNhXvYMLprznyDSga9:N93wXmoKpXvYCp3nyG
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
pid | Process
3968 | alg.exe
1980 | DiagnosticsHub.StandardCollector.Service.exe
3240 | fxssvc.exe
4172 | elevation_service.exe
1692 | elevation_service.exe
3756 | maintenanceservice.exe
2168 | msdtc.exe
4592 | OSE.EXE
2876 | PerceptionSimulationService.exe
3716 | perfhost.exe
2108 | locator.exe
720 | SensorDataService.exe
3676 | snmptrap.exe
220 | spectrum.exe
4268 | ssh-agent.exe
4748 | TieringEngineService.exe
3368 | AgentService.exe
1188 | vds.exe
5072 | vssvc.exe
3756 | wbengine.exe
4076 | WmiApSrv.exe
1676 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\44834c81b3e2edcd.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
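The "Executes dropped EXE" and the three "Drops file" sections above are one story read together: the sample writes to existing service and application executables, those overwritten binaries start (as services or on demand) and at least one of them, DiagnosticsHub.StandardCollector.Service.exe, goes on to overwrite further executables. The helper below is an added example, not code from the report or from tria.ge; it takes a constructed subset of the report's rows (the pipe-separated and "pid process" layouts are an assumption of the example) and rebuilds that chain by hop count from the root sample, separating the executables that were overwritten from ordinary writes such as MSDTC.LOG that a trojanised service makes in its normal course.

```python
"""Reconstruct the infection chain from 'Drops file' and 'Executes dropped EXE' rows.

Added example for this report page, not code from the report or from tria.ge.
DROP_ROWS and EXEC_ROWS are a constructed subset of the report's IoC rows; the
'description|path|process' and 'pid process' layouts are assumptions.
"""
import ntpath
from collections import defaultdict

SAMPLE = "2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe"

DROP_ROWS = [
    rf"File opened for modification|C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe|{SAMPLE}",
    rf"File opened for modification|C:\Windows\System32\alg.exe|{SAMPLE}",
    rf"File opened for modification|C:\Windows\System32\msdtc.exe|{SAMPLE}",
    r"File opened for modification|C:\Windows\system32\fxssvc.exe|DiagnosticsHub.StandardCollector.Service.exe",
    r"File opened for modification|C:\Windows\system32\AgentService.exe|DiagnosticsHub.StandardCollector.Service.exe",
    r"File opened for modification|C:\Program Files\Mozilla Firefox\firefox.exe|DiagnosticsHub.StandardCollector.Service.exe",
    r"File opened for modification|C:\Windows\system32\MSDtc\MSDTC.LOG|msdtc.exe",
]
EXEC_ROWS = [
    "3968 alg.exe",
    "1980 DiagnosticsHub.StandardCollector.Service.exe",
    "3240 fxssvc.exe",
    "2168 msdtc.exe",
    "3368 AgentService.exe",
]


def parse_drops(rows):
    """'description|path|process' rows -> list of (path, modifying process)."""
    out = []
    for row in rows:
        _description, path, process = row.split("|", 2)
        out.append((path.strip(), process.strip()))
    return out


def parse_execs(rows):
    """'pid process' rows -> {process: [pids]} (the report lists some names twice)."""
    execs = defaultdict(list)
    for row in rows:
        pid, name = row.split(None, 1)
        execs[name.strip()].append(int(pid))
    return dict(execs)


def infection_chain(drops, execs, root):
    """Group overwritten executables by hop count from the root sample.

    A process is matched to a dropped file by basename, which is how the report
    names processes; names are compared case-insensitively as NTFS does.
    """
    modified_exes = defaultdict(set)    # modifier (lower-cased) -> executables it wrote
    non_exe_writes = defaultdict(list)  # modifier -> non-executable paths (logs, data)
    display = {}                        # lower-cased name -> name as the report writes it
    for path, process in drops:
        target = ntpath.basename(path)
        display.setdefault(process.lower(), process)
        if target.lower().endswith(".exe"):
            modified_exes[process.lower()].add(target)
            display.setdefault(target.lower(), target)
        else:
            non_exe_writes[process].append(path)

    # Breadth-first walk: generation N+1 = executables written by generation N.
    generations, seen, frontier = [[root]], {root.lower()}, [root]
    while frontier:
        nxt = set()
        for proc in frontier:
            for target in modified_exes.get(proc.lower(), ()):
                if target.lower() not in seen:
                    seen.add(target.lower())
                    nxt.add(target)
        if not nxt:
            break
        frontier = sorted(nxt)
        generations.append(frontier)

    infected = {t.lower() for targets in modified_exes.values() for t in targets}
    return {
        "generations": generations,
        # overwritten binaries that went on to overwrite others: the sample self-propagates
        "propagators": sorted(display[p] for p in modified_exes if p in infected),
        # overwritten binaries the sandbox actually saw start
        "executed_infected": sorted(n for n in execs if n.lower() in infected),
        "non_exe_writes": dict(non_exe_writes),
    }


if __name__ == "__main__":
    chain = infection_chain(parse_drops(DROP_ROWS), parse_execs(EXEC_ROWS), SAMPLE)
    for depth, names in enumerate(chain["generations"]):
        print(f"generation {depth}: {', '.join(names)}")
    print("propagators:", chain["propagators"])
    print("executed infected binaries:", chain["executed_infected"])
```

On the full report the same walk puts every System32 and Program Files executable written by the sample in generation 1 and everything written by DiagnosticsHub.StandardCollector.Service.exe in generation 2, which is the list to hand to whoever has to restore binaries from known-good media: a cleanup that only deletes the submitted sample leaves the overwritten services in place.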
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
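The SCSI and CentralProcessor signatures above both describe environment fingerprinting: a process walks the SCSI device enumeration keys, reads each device's FriendlyName (where a vendor string such as Ven_Msft / Prod_Virtual_DVD-ROM gives a virtual drive away) and reads the CPU's ~MHz value. Note that the readers here are spectrum.exe, SensorDataService.exe and TieringEngineService.exe, all of which the report lists as binaries the sample overwrote and that were then executed, so the checks run from inside trojanised copies of Windows services rather than from the submitted executable itself; a rule keyed on the original sample's process name would miss them. The detector below is an added example, not code from the report or from tria.ge. It scores registry-access events per process over a constructed input built from the report's own rows plus one benign control line; the pipe-separated layout, the weights, the threshold and the VM_MARKERS list are assumptions of this example, and the CPU clock read counts as a weak signal that only becomes interesting in combination.

```python
"""Score processes for sandbox/VM fingerprinting via registry reads.

Added example for this report page, not code from the report or from tria.ge.
SAMPLE_LOG is constructed from rows in the report plus one benign control
line; the 'description|key path|process' layout, the scoring weights, the
threshold and the VM_MARKERS list are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# \REGISTRY\MACHINE\SYSTEM\ControlSetNNN\Enum\SCSI\<Class&Ven_x&Prod_y>\<instance>\...
SCSI_ENUM = re.compile(
    r"\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET\d+\\ENUM\\SCSI\\(.+)$", re.I)
# \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\N\~MHz
CPU_MHZ = re.compile(
    r"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\\d+\\~MHZ$", re.I)
VENDOR_PROD = re.compile(r"Ven_([^&\\]*)&Prod_([^&\\]*)", re.I)
# Vendor/product substrings typical of virtual disks and optical drives (assumed list).
VM_MARKERS = ("MSFT", "VIRTUAL", "VBOX", "VMWARE", "QEMU", "XEN")


@dataclass
class Profile:
    devices: set = field(default_factory=set)     # distinct SCSI device instances touched
    friendly_name_queries: int = 0                # reads of the human-readable FriendlyName value
    vm_devices: set = field(default_factory=set)  # devices whose Ven_/Prod_ string looks virtual
    cpu_mhz_query: bool = False                   # read of CentralProcessor\N\~MHz

    def score(self) -> int:
        # Weights are assumptions: a virtual-looking device or a CPU clock read counts double.
        return (len(self.devices) + self.friendly_name_queries
                + 2 * len(self.vm_devices) + (2 if self.cpu_mhz_query else 0))


def parse_event(line):
    """Split one 'description|key path|process' line (pipe never occurs in these paths)."""
    description, path, process = line.split("|", 2)
    return description.strip(), path.strip(), process.strip()


def profile_events(lines):
    """Build {process: Profile} from registry-access event lines."""
    profiles = {}
    for line in lines:
        _description, path, process = parse_event(line)
        prof = profiles.setdefault(process, Profile())
        scsi = SCSI_ENUM.search(path)
        if scsi:
            parts = scsi.group(1).split("\\")
            device = "\\".join(parts[:2])          # Class&Ven&Prod plus instance id
            prof.devices.add(device)
            if path.upper().endswith("\\FRIENDLYNAME"):
                prof.friendly_name_queries += 1
            vp = VENDOR_PROD.search(parts[0])
            if vp and any(m in (vp.group(1) + vp.group(2)).upper() for m in VM_MARKERS):
                prof.vm_devices.add(device)
        elif CPU_MHZ.search(path):
            prof.cpu_mhz_query = True
    return profiles


def flag_fingerprinting(lines, threshold=2):
    """Return {process: score} for every process at or above the threshold."""
    return {proc: prof.score() for proc, prof in profile_events(lines).items()
            if prof.score() >= threshold}


# Constructed input: six rows taken from the report's SCSI and CentralProcessor
# signatures and one benign control row (notepad.exe) that is not in the report.
SAMPLE_LOG = r"""
Key opened|\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001|spectrum.exe
Key value queried|\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName|spectrum.exe
Key opened|\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A|spectrum.exe
Key value queried|\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName|SensorDataService.exe
Key opened|\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0|TieringEngineService.exe
Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz|TieringEngineService.exe
Key value queried|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName|notepad.exe
"""


def sample_lines():
    return SAMPLE_LOG.strip().splitlines()


if __name__ == "__main__":
    for proc, score in sorted(flag_fingerprinting(sample_lines()).items()):
        print(f"{proc}: score {score}")
```

On the constructed input spectrum.exe scores 5 (two devices, one FriendlyName read, one Msft virtual DVD-ROM), SensorDataService.exe and TieringEngineService.exe score 2 each and notepad.exe scores 0. In production telemetry the scoring should be joined with the "Drops file" events, because a genuine Windows service enumerating its own storage is expected; the same reads from a service binary that was rewritten minutes earlier are not.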
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b0cc37534aeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f65e9e6e34aeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003525767334aeda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036508b7634aeda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5a31d7634aeda01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 
2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe 1980 DiagnosticsHub.StandardCollector.Service.exe 1980 DiagnosticsHub.StandardCollector.Service.exe 1980 DiagnosticsHub.StandardCollector.Service.exe 1980 DiagnosticsHub.StandardCollector.Service.exe 1980 DiagnosticsHub.StandardCollector.Service.exe 1980 DiagnosticsHub.StandardCollector.Service.exe 1980 DiagnosticsHub.StandardCollector.Service.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 652 Process not Found 652 Process not Found -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Token: SeAuditPrivilege 3240 fxssvc.exe
Token: SeRestorePrivilege 4748 TieringEngineService.exe
Token: SeManageVolumePrivilege 4748 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3368 AgentService.exe
Token: SeBackupPrivilege 5072 vssvc.exe
Token: SeRestorePrivilege 5072 vssvc.exe
Token: SeAuditPrivilege 5072 vssvc.exe
Token: SeBackupPrivilege 3756 wbengine.exe
Token: SeRestorePrivilege 3756 wbengine.exe
Token: SeSecurityPrivilege 3756 wbengine.exe
Token: 33 1676 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1676 SearchIndexer.exe
Token: SeDebugPrivilege 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Token: SeDebugPrivilege 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Token: SeDebugPrivilege 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Token: SeDebugPrivilege 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Token: SeDebugPrivilege 4188 2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Token: SeDebugPrivilege 1980 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1676 wrote to memory of 2944 1676 SearchIndexer.exe 116
PID 1676 wrote to memory of 2944 1676 SearchIndexer.exe 116
PID 1676 wrote to memory of 836 1676 SearchIndexer.exe 117
PID 1676 wrote to memory of 836 1676 SearchIndexer.exe 117
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:3968
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1364
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3240
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4172
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1692
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:3756
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2168
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4592
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:2876
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:3716
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2108
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:720
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:3676
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:220
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4268
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1988
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4748
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3368
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1188
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4076
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2944
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
PID:836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:5716
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.2MB
MD5 b7f207774cb15fa3634c949bd91038d1
SHA1 f44e0dfef8340384cb3142105442f9048239d640
SHA256 eaf3a37d2ca2c60bfe6ffd1c1b8f04878774813f2c936169532e30044802bac6
SHA512 bf2f84b864d00a7d09b771cfec5fa6f74ea752ce89298905e36ce6c06ed763c169501cc782db7eaca6f2408f26ea5e87e5c2fac1b80089b1c38a4e52ae249747
-
Filesize 781KB
MD5 64491e6fab152d6b1166ad2215beff24
SHA1 b5db8bcb8395e1fcea4c56980319fb1b5566e5c3
SHA256 4ad3001fd72f07445fcd4b8577951c23d236a6cf0b6ac8b3ebe3a84c4d1b6dd8
SHA512 9e7b5bd6cc199b8b2fc111a627ee8166877168e4982ead24c26a81ca6ca68210836ca484b7a75e5786a1fabcb96e1aa58b9381cfeae7c9edd258141b03d57cea
-
Filesize 1.1MB
MD5 1fac17151b0194ee413f150ccfb45b70
SHA1 e70f0b406b26456023a67e389031667026dee456
SHA256 2d1ae8791fbe3a28ac3b403fd4587c1685d25b5eed51306b34319a08bd08fa1e
SHA512 e8950c0049a4e59229324d92c862df38e5b5b1faa9863b6963a9e0cf3938998e8e1842619a3ea717b7a2a2861c88ef76a20bf62b7ca9bae2274e1e546c724dc4
-
Filesize 1.5MB
MD5 171ff00a8c9243c340800899e18598d6
SHA1 8f518debb435838d18c945f324716dec60ed2f77
SHA256 712cebdddcace388e5331f665d918b2a1d11ac14e8491042431236d5bf7e9bd7
SHA512 e3caa42ed02aa4cee4351a0d74cacab79d8352cabc4c50e8d028c9b6b20d739909f151566435d165b07a9c4acf83623d86367e7a431726e4914e1fb66b66013e
-
Filesize 1.2MB
MD5 e3a606fc724fae84a57a43171a74b7f1
SHA1 e0cca55a024aa1dd258c8bc2b6b00753a9d27eaa
SHA256 9886ac39c57bba791413d6ea35b334b4e8cf90db04132d15a2c325968d82dbf5
SHA512 52483f4a73a313a2dd52e8a062765eb0649d16510ee2a1af52762cf4bfb2111f349acdfd3bc0bd22c3cf1b32a72eeb3bb5bc3a8b10ce2c439da3c46f79d20d60
-
Filesize 582KB
MD5 55f036e7393f8869df01bde3c7768055
SHA1 cf3a0950f91398720b1bf7bf6ea980344d50eeca
SHA256 f117bb84f1d3a4e2d3fd0135d7ed8e48ba598cfe797f60bc1eafec2897f29c31
SHA512 549f9e9bd84b2d50c71ecc75a67d3001e3a93a953dbdaabbab67fc8a10daa6f574744176b96bb2d34988273cf059aca638cc7d078a677c7c58c139a186be2184
-
Filesize 840KB
MD5 8094f9c35b868b1ad21b7a302e7426a5
SHA1 9c015485db696c896b8b2e3490db0cad4d5b4609
SHA256 d4d8d09024bb9b2050f60bdce8fd9ddf2b290464a497acefb9eb9edb0ac499da
SHA512 5d54177c929583e36a8a5c81806ff4ba2abb129cbafdb6139e94cf921e1833762fc944c09923fe988912b554afd76e74be712ec32383f87a82589bec16a5f2f6
-
Filesize 4.6MB
MD5 90db52d9f02254d9997fa08a09314bcd
SHA1 c79a015ecaee742f4f0e37b26fde89740da79b31
SHA256 2b415875c91bab12523c9b9fd6043bceb06f6fbbef5088bceefec61a04d57b66
SHA512 eb50ff93bcf4c3a07285e72fb52e29226afa7a1ca446342a45fea927f024cb9932c9af28b506a3d06666be551c923cbe4a0d56c4e3b3219a567707e27e0a606b
-
Filesize 910KB
MD5 fb1f73e51fdd5ad605bda70ae5b70d32
SHA1 41b610f894a3b7d2c6b340f04384c1e47ac34177
SHA256 fe55e6e934b66916aeca1a3f15e2f88ddb87a9ef65baff85438230a9c80217bf
SHA512 d88b3a4b6ccc0e7b00374ee10aad63d0e08bb92f60eddda1d70963836b5fc620a77683f2e1d38516796b87b68f246b36e1c2f028358b2f0d2381a699bd37c8df
-
Filesize 24.0MB
MD5 883763f06053d5c41219789a7163d6be
SHA1 da79a34607b658b5cef1513e2e407b1a153099c9
SHA256 7b221607666b17a14dac78f2c7a717ef8a517e086fcee6b437a9cd66ebe23fe8
SHA512 8d8e4cf24a223d12b73d146da2236590010ce7e3332fcdaf21051739e2d6babf2825e12f55768f6181c66b7b33858a32180f9e7ef11e44df5509b222feea3f0b
-
Filesize 2.7MB
MD5 d9d51449119eaf5384168a66c9e13251
SHA1 b228e567f314134d444af5df08c612c17c9dd43c
SHA256 dc4f39c1fc215df200153f23b897cf758cd9668596a92a3355f46002f07f98e0
SHA512 edd0b81b5e923dd409f38e95ad644d9f333cdb6ed84f7660d0e6808e6143a9f1c26387c42962e89050b49bd7400dc04f31a3ffdee9d179594920b9ab6ee5d568
-
Filesize 1.1MB
MD5 5fd7d87c0682b6a01d9b580c2b09761d
SHA1 ae1f29a71e7cb2b919e6e992387e5751840fae4b
SHA256 a360357a405afe8f4262c9b8a5bf67573d61117cc2ab434ddb1d1286a583ceca
SHA512 133dca764d89790aa676cf37a3cb8e1c121e88294e1691cf4ee3700b91865ee676c430c3cdb615135b627f43e2fca4364738196c3732c36d7461134d4196625b
-
Filesize 805KB
MD5 434e482d5b2492c61440f125bd72ffb9
SHA1 df1758f55abe83d34e62d6b7486ef7e8089b9cf4
SHA256 8af21942ceaf5bbdc4c79fa123e9edd30de1fcf9182a25a50287bf27ff17c87b
SHA512 709cb571e351c4cf982001704e5a2b625ad33071fe6e75f715c141c319ba4686a5bb9d6cb9ebc3ab96a836c0648db8ed2f66f5c780745b292b093a6af4d2c9a4
-
Filesize 656KB
MD5 f59c5595c716e51b38dd4f17533e5997
SHA1 333e2f681359c987d248da777db63583abb4bec7
SHA256 47ead799ee86aee1608d3b244f14bdf81a97d0dda2a920c8a069e99ada6261b4
SHA512 a6a8efb211f929d4789c55096cf34c39420ad0aeecd82b16495049bc02bac9b92e8b4212630fcf1194f0b1cc17a7ab53a9082f497b62d7b575ca3e9f1cd58c87
-
Filesize 4.8MB
MD5 c8fd2178a0710c4a124f9531c8b91bca
SHA1 c724fa4df8c31f872f23e8af2ca13c3b55df93c4
SHA256 90be9044406210898a7de4bed2ff5ce10f8f8765e166eca241932f126d507e8c
SHA512 093bf128dc61e62504c4b1c07ae4f0cbbf154d3dc7ae62922543eed61e1d9f32010fd433cdee77f3ddc9b23dece0d5b5d86053db98ef61dbaa580bfa267671d6
-
Filesize 4.8MB
MD5 1cd6574807ad9be23a1e4c74cb401078
SHA1 2ef76f39f14ee409f9c051a273d5643040ede592
SHA256 506dd5fd4a6959c6a9dc6f7e2a58c12c59480676aff099f85d05721d75cb3aac
SHA512 e2784d749039166b3693544f8aba901cd69c8344696080c2db5b2d61c2b227e2133a523e337486d64dc49e35e9a69457852e0b7bc1156ae998d606291232e4cc
-
Filesize 2.2MB
MD5 cd44943338a3d185e81c2269ff29a9c8
SHA1 317956b8afb4e896c286ed0446e8ac0548d69caa
SHA256 75c5d855a8ec9393f2a4d4d024d054a7dccf86e09de103eb1b3922ca0b1d9c80
SHA512 9d23b3e8190a415049d02d4410c804ca7b4b5383cc3c61dd4b5e241564eb49b5bfb79cdf00fe86a06c65d1830a9b70f71fdac9bb8043b4d2997d358db8edd6a4
-
Filesize 2.1MB
MD5 8c9514c70b1f7a4761c60935f1be260d
SHA1 efdf5cfcb16591bad9a24745048af5a4a3d32121
SHA256 ee71dd20bbdba43745d56f639ccc4bad15115f8ffea384c1c07434c3a5d61bc1
SHA512 4ff8c33dbfbfd53871d6a11213e098d5c27322dd65d64d3a4d303433fd182e2cd37f7ca9fa35fb52bd56a64c3fe7af7eec437dda64ac6c41505370e3d18de8f6
-
Filesize 1.8MB
MD5 dc1baf989880b06769049ebe50c40411
SHA1 de55d28e964151a378c53f09e167397b9b2d0928
SHA256 8cc9cd5f1dce25edb0950ff8e3920ec7c426d1a907e32606f894081286af5739
SHA512 ab617b35cd02d03acfce1e3f790df254da21f688d1fc36958f9fe8e2e3f1ca4e6ef2ce69751c7b47bcd76fd70aa5bc48f2303e607749fb8a3fbdb77294c73fc4
-
Filesize 1.5MB
MD5 15a28d7d370bc03e339f661dba124a16
SHA1 595448b5c4dcc039149b5458f506bd75f3112096
SHA256 c7b487f82a1636b52a674012955b0eaf1dbebe17ecc508aa66d172126ca4e71a
SHA512 03a9330fea0907aca39eca2254ed6971327c5275aed6617eb44c79b7e61c98521880342492fa04baac109d56a1427ffa26f3c0944d0a51c912bb85c80aaf8f76
-
Filesize 581KB
MD5 88e6be169d03902b1dd1104ba2307b6f
SHA1 62f38922a6d813af6a179b3756178bd5180d7c27
SHA256 f8045bb374b809e85f3a5ffb9c04ae95de18d65670ab29e0e2de351deebfd2e0
SHA512 0e18dfe2f6538b7e8b094d0ffbea1565dc21cdc5bc074ad99324d37fc7beae942e694a721a201be3fa16ef3956ab1cc53fc1cd0ff78185146cdffe3691e98679
-
Filesize 581KB
MD5 bc045cf8b9822a53cee6692bdc3421f5
SHA1 5a41316eade6bbb781087bfd42c79a1e203e2159
SHA256 5d16374f587be04c2918da006c8fd9e5627b602d5e1350195fad12a059df8261
SHA512 dacedc4d02d45a2c2635a223edab6d492f9bdd7400a58861644bf1dde8185cd01031b1487721fd63932020bda75ce4a9d7508c917cae3b5787fa53f6ee6e80d5
-
Filesize 581KB
MD5 7c5016ad427795b09870bd8a25c84bbb
SHA1 366ba35ef4dda7a4db5da2762d53c57969e15da3
SHA256 402ea574939ee13846d488fd3f45e842a126353013f78f02b4f1b03d1ebe92b3
SHA512 1472888d5986e8ddafe7b2ea88c62b29b1a73dee41885d4689eccd7fd7c6e471bc2797d2c6a4807480c936b395b1a8fef306d6a390af3f29e6960b46f4f1a120
-
Filesize 601KB
MD5 1d0e3e149a5f77e0b99a756ac02cd1d0
SHA1 02a27c80958c2fcd86e6897cf4de371f0d01e81a
SHA256 7f83a0e6e356e3bfee4c7e79661a75d384e9fd09eb45406872797ba7effd9f46
SHA512 092e60ab00407375bd41de194c61221e7db162fd8b9f015c538331cf9d53ec2d823fa686b57073bc9f15bca4af4a02a807b07e726e249f45511f4f30ff607a6a
-
Filesize 581KB
MD5 3ae0fb41437c7b10cbff3d525df8903b
SHA1 287cb41f93d023e2ca48cdf84ab6012a7c11d088
SHA256 eab763d84b433a0f71e818420d2d3047f111c066bae68e0124841fe9713ac5ec
SHA512 78dbc05fda709cb6cae41628c455742fd21bc9bf9d1a073c9037009f45a29637834a39f57f3db297ef372b7eb8d8cce7bf4817880a634b8ce13eeb6b3650ea15
-
Filesize 581KB
MD5 a871af3645582077db688f93cd7cf7cd
SHA1 04719ad3622e7f0c4594e81452251212fc78104f
SHA256 62e9456d40b8ea8a5e5741f0b3ed85b68b368065d15387d8c9f653955a1e6a41
SHA512 61d589beea906d65590880d3475a0113c6a614667db0621c803150c3920066925b67856e366d253a9f0ec2715a67c6672a394366206ea95bde127ed48085e057
-
Filesize 581KB
MD5 b6697d42c510694f9e329d744ab426ee
SHA1 b915bcfef43eac6c2a2d85372fad54910ce25eb8
SHA256 c9ffceb44b85fbc5510df9c239a7908518ccb45fbabdfb70310f4b54f3fcfbd6
SHA512 a5d3b45f64f5778203a09a4d766f1a0897f5fefdcb65a3d8bd0ce2b54b0f94a7d1f1f7f39a2b4b093fa624a60195b1b973dafcef6adc2c0695050f431f6d9dbc
-
Filesize 841KB
MD5 d6e1f80a401e5c0ed25308a47799e055
SHA1 1728f95bd7189f0ac25e49c9b7010f3ae1007987
SHA256 620659a76e952f9d10d646c4cdb0afbfe19436c3b3c4bc324e769a6d55b7a462
SHA512 c1f9b536fbddd3e664124061f79d5a85330ed6e1b23c531ceba5a844a83fd3bc47bbc2d39ecd0f0d40bbeb328809dc9f52110b9c4f90d652f0c06a7e8ac214f4
-
Filesize 581KB
MD5 c31c71168131f37030f60637ad3c23df
SHA1 a90b4b899741ab7db76f503493b9b7559e97ac1d
SHA256 3027874951a4713490458a9d0c68b1738308ea366128e986131edc59cb0e4ac9
SHA512 47445034db69343040a4aa3920e82e9db5120eaf9c8efae7603ac3c3b5ee47f5df9a5d3951848c929946e698e57aee85805f5d0c69c6e1dbb8dd8e93518515c7
-
Filesize 581KB
MD5 5d9190bac22641ab1b588c1a4ad8621f
SHA1 4510eb8d36bf7b1f741d36634107cb81b83316d0
SHA256 88baa672456edb616733e13343d04b0b2886630520f0aa83e78146c446a36b90
SHA512 ed7c248d3c05cef665bd4898713c39aaa83538cb3b6483d5f8165c45d446333c9cd4f7a3f6d9e0f6b7ce6515f5cf5c82c91c1d2126c678b5d8f3dc113f3604b7
-
Filesize 717KB
MD5 58131b4e33d34b2aab265379fc23091d
SHA1 d0d5a05520d8638edfacc03b7d1792f89e43f961
SHA256 1a5198d221303e83f3920dbcc52e1374460de63c91b3a14408144592326014c2
SHA512 064993778c687c46c5ab085a4c24aac6a67a93b87941c5cec1b12ec585bf2eda4e58cd73109f7aaa35b3b674db2f5aa3eb9efc9ee70d6dec850e0e9e82968a48
-
Filesize 581KB
MD5 b69b4606cb9fc06c6789e89ea718e128
SHA1 31771409b4e1a00bd408cf19c8752fcdd8c65be4
SHA256 cef2530d2549bc61dccc073b26f27c3946d27eafd6c36bbf92cbb1e09e0e8429
SHA512 d300e46a707501198ea217f64d3b861f2a2381960c849bb41fe6365efe0709079dc709dbee76426a3b364b16e5bdd738297b51b376c06e49b76ba84e19c5be3a
-
Filesize 581KB
MD5 54a44d22ac98cbca602d4869762e3ada
SHA1 10b6721044b2f8def14596c0b26665dcabcd5132
SHA256 2e057843115e560118958d1274e939b1daeba2940392c95042ee1235fa28d514
SHA512 30a179956fd263f68e7dbc9fc6df76405f1ac1c6c78f15902fb023bdaeffd3f0ee05e3f89b48ac37a92bf736c79546befae538a6ecd3536dd01ebbfa3968add8
-
Filesize 717KB
MD5 04c85d194f1489171de04851e21010a5
SHA1 81a9321c5019d4fffb8ffea15e0054ca260c3638
SHA256 0deafd5137f8b647a8afe230d37681d2794d497b1eeed0c59a4c27c98c138c7d
SHA512 155a00dbc46f6b4d56b276a937f6eadf1c6eaabdc9550486308fe6ecb1e08e7f081d146f06913da3d7e5ba8accf280af091dbeb902303525d9395653e4739455
-
Filesize 841KB
MD5 0881778f6e9e6e374a7c59c6620ec0ea
SHA1 5bcbfa11b13d5cc2929e728442b726f415b4697d
SHA256 90948d7837bdd778348879db6e61a388dc3f89175b8914ef3215ed83c138e113
SHA512 deef07f73009f45a877a5e02f04f5677be358a65586b8b99c4bd71592f7a4b236a8309d7522a8a77c72c6d89273569a394886410e8b800f257cc01c4b40c075b
-
Filesize 1.5MB
MD5 665c37dac12be203bfc385a32246ddb7
SHA1 18869d244d9c75fe4519400eb28bfe41e7bde763
SHA256 d3da36c8c34936aa5cf3a078f4be632c59bf95789990de34a4385a48ce976855
SHA512 11d37b0219f4df0a8720aafd2ce90d5ea5b8eedf768e0d1a2d934151464542985efc2be3f866727aa5800910c8fffea06f4a2474b44a16ac1ebb40e598121df9
-
Filesize 696KB
MD5 d66e1d9a0cf778ab284e4d3ce7ea6291
SHA1 bbde27ddfd5ffa8ebeafe2b4406ae9dff3a58d1a
SHA256 12a2938fd3d8180a35d720e16ec39b0fe1d371c07a1418eb5e438736954cb919
SHA512 b100c35762cd18d9e2e272f2e9574fe21da8591a2df98119dd104a1d2d3dc441387011a5a3bc18d88025253e6430cd4d2406e07b66109b6413fc6df8c8f92899
-
Filesize 588KB
MD5 8c45193b276e3f0e7d05873ce212e2d8
SHA1 a8d399b5866f5f9ed38e306e5581922e033c1b7f
SHA256 efc07bff988d6750a3138760122dd19b9101ba400f666a9d4ac2b119bc6d8452
SHA512 e96278d6481ac75818ec2d8f084e9af91b11387f1b0697333298f708076a683707750c9b52d5185a1c4c8068fd757d641753d64012a7472823656e116a9789f5
-
Filesize 1.7MB
MD5 aad5d20f26d5f9e554568581a651396c
SHA1 9ee2126223ad8a47d238f7ce943cb1815ecddc45
SHA256 f0b833e6b8f44dfc9358c20ab35186ed7adc222cc8221571bff49dc5dbf113b8
SHA512 1d75922133509e27f5c27230e4ac0b4ea504a85c870bf632c4041c208fe4ce6ad154472906d19e1a6da48a57a34b5d2d21793160c697247b38a28f46faaed9fd
-
Filesize 659KB
MD5 4f16cd0c6dcf8ec2ea7fb7ad8af56a79
SHA1 c27d115829d20981bfbde59c5fc5b64eeb31b73a
SHA256 b56964be0a42c53311c55bfca75b6168cca569d552bef51c754a4b2cc9b9662a
SHA512 278b723c36e35fe35f2713e4f1e82c150c8a76ac285246c032d88045b6bbbc954c66464ce84a5a7f167d39f7db34d263df02a0bb1b223fee4dd86a90524e4738
-
Filesize 1.2MB
MD5 15b4fffaed7d6bb909b045ceda3d7c1d
SHA1 8291d7ca6f531ecd412e9d428adb0c9b50c9f19f
SHA256 1c590d55fe7ecd329ece3c4c726872e8ef4a11b33ad91f78b24fc14cbe8cd032
SHA512 4907a3ba31cf7b27346d485beb53755f12634436e4597795c4937b2296c07bf5313967264a0f73c043edd5ed90252841cbcd6c21f9021f456030e4336cc24eba
-
Filesize 578KB
MD5 5a17e2e6284bcc26832a3691ef413e86
SHA1 c3633e25c7654a595dee11419394afcf5748c33b
SHA256 97cfbdd0f4cb6f18c22385ad689487af4c4e2e74d057f44d54ce1d35c0214593
SHA512 a291b87e0243860c9a81b18efb0c7e0945655566695acbd796c5f3ebbc5b95b0773ecfe4028c4e686271fdef75acf4383306a9b97454d5938a345f8d2af28701
-
Filesize 940KB
MD5 2c8d620ef055c920be9593f310b03b18
SHA1 c136bdff40a478d1b80027be0b73da4b8a8519ca
SHA256 b9d30a70b9245e100ef9b84a92f5e9f076d2ed67a6f8712b82b7924ec44cf536
SHA512 21d75a623b30a4fc73336286d56bc827e779400c31afe7a04fc57b09bf2d9bd263bd92a1f79ddb97408cd6d21a47f5e046515839c354b3c4673fe9af80edb9d6
-
Filesize 671KB
MD5 f8f6dc6ef968e266317caee5d46f670c
SHA1 c9efc7eb5604e79f3b7dcb1e898d7597d746aaec
SHA256 2063379739d1553185ed454190e87bddab8d0a5b42bba3e3dc7cd4d0dd40a0fd
SHA512 2d1f046876ac718a1529b254851f72229bf8d65dd9db10e687573a8823faa023640daab75ce0cbbcf5829cdce2b71f57225bf9caaba2fae3f211858d49f1c89d
-
Filesize 1.4MB
MD5 b615cf2d03eee4398281b200af74b247
SHA1 0262fff3862ee9e8d90c8de0d5762c194debcdb6
SHA256 7238e9379e72b19833b1d5ecc49f701da17aad3a4f906436b1fef015fc392044
SHA512 e0d69c9431e4c0c33a32022723b0ef120df354253817fc1aef74ee2fd9adb362849ee575f5bed46eaf5c375adaf91b9188584493e8d86ef06fa0a32e153bafd2
-
Filesize 1.8MB
MD5 662eeb53d1b44ee61d5a717acbd9678e
SHA1 81415fc4d6a330f0ebbe345ef7f694de917172b8
SHA256 8ffcceeb768461d58fe923af3c7e233d4a92b050319f1522b5300acc99c64d31
SHA512 745a1747a0b75b8344345ca1fa193d1fa9421a508c8b0e50f2f1d26fc661b97fa4602493fb787831586aa3ad7f6a67410a45a84ff416281af0356abb8ef9c7dc
-
Filesize 1.4MB
MD5 95dcb69e97efe5f6937dc17e7da430ba
SHA1 0a16d414ce81c3047bdf86840bf495cf0fcc873d
SHA256 eb4ed43f3e1d059d1780ab045bb6d2ab7885e8d6309edebff648c0209d3e3790
SHA512 7c65208b39085f7726587ce4ceb6417e8399fb163a4c2a92e7dd489fef4b36949ba006719e86f22f93ebf56c0175359f9ff31a3375ebf91a7775e2cf56da05b3
-
Filesize 885KB
MD5 335618d227c0f6e252554f7d60cb8b23
SHA1 fd0d5ab2290e4dcb2ef3208d94414fb42f97efb8
SHA256 a4efa24e68c2e965029f1021c517a18d81e73354cf735d975f9de3407bcadd2d
SHA512 914e5682d1f785b30ba3954e89fda544100d3d79e8652f950eb76f42d772b88c15f07c21bd8c85c639b1b3fabcef49b877dc9f3953aa1c4906cd1bb75b1ad413
-
Filesize 2.0MB
MD5 49984989d15a4b8344ea0bc796c43707
SHA1 f8c9e8e4f0cc6a16eb127e8f437d4e39af8077ad
SHA256 448b315772dd3f10a468e9337b11cd3c71ff720cbb2683d44c909bcbe15e4c55
SHA512 5e184aa84c3d8f1d438502fa554dae6c56ed95298d93b60f537963207872d422f3bcfa3cf4207969dd691187e776a4f10404911f2001eba151a2aa82db130f54
-
Filesize 661KB
MD5 a11ba2c542099cf5951b8a872c721881
SHA1 bdaeebb7c82766b68c4302ec2486780820552126
SHA256 e8d4a4828e8a00b108f2cb0163fbe261a42731c1264acf18a7bf4cbfe4c87ef2
SHA512 e44fa5237aa2fc086773f40cf2a4e42a3417e6cac75e702d37f93f826f49234c1ef946453166acf1e0ee3df2534e6654a487d5e7a01ba53650a8bf08de120c8e
-
Filesize 712KB
MD5 c398497772b24ac22b925159f60e9a1e
SHA1 cf80893329372eae939e8c39bb66c50cb7c45def
SHA256 84840b5ae7e7c72afc4c703ea96c5b6c63f892604a4c43d628cd444effc139d9
SHA512 5c7f786e86f843de2bbd66d89a7d4014321ba48e305d40748e173d0dbf2c3b275f1ab1791d92fa787ed9bfbb7233f12be0860af49233c92d71c9d2cb8965042e
-
Filesize 584KB
MD5 3b00c8dd4403610fd56bb11591d6ab9d
SHA1 9b24fa451b39829a316978f4b80fe04cd9428480
SHA256 c14260b482266de54d2d00ab4c6a3185e9c66f8ba6512685ac4a55721dfd99ea
SHA512 7a6b0ac0e885b5774946053de29e2b56591f72648eb4acf94374d3e90fd7ecc104a09eb28f4cf5b5fd4b5fadb5bb78bcd4b719e94b981fb76101dfe038903484
-
Filesize 1.3MB
MD5 8335ea4088a1ed7d80776bed3ccaf7f0
SHA1 4e6313779093fcea82d02a7b0de126be5d60e6fc
SHA256 ada6a402b36040d1bfe4702a4dcd3affc0a97c4e839754a2290a422168c497d7
SHA512 00c1d7a6a8d18e8cc3380ce5b85e7558ec94f9e9c15e3a42fed381232ad41dca41e746bc468c1e7832964178c9b22efdfb0af640758c30ee7e36560a99403c0f
-
Filesize 772KB
MD5 49e534ef7cb77c6177e21916aec9614e
SHA1 763fd028917e88c9a7246f5443225bf881b209d5
SHA256 f7e4f5b8521e28289be16a835278665b1338d18ec5e2e61a010b90e042995968
SHA512 4365c5338229609b8cfa837e2a84a02d4d09a6ea1ed49048e3dcc89cb9c3220710494f9b029ea8fce0e55ea893f72faa4e5148b2408f048df46a67e13a3aa1fe
-
Filesize 2.1MB
MD5 66814ba336ebf745dc9dc7af7f8f5b9a
SHA1 1284ec8b92d9180745829637a42d7b310d6bdbf5
SHA256 7d30d6d2a6b009fec375dc24e8a7d6d7b3e3bd6c4ff4120c5879c255edfb0b6e
SHA512 fac4cb59c8f7cf5c23435ebf6919bbe24788a28c44fea07f0247acd2377cd79ed4733577c35350c033a14bec63cc1391f45a5236ae9dd3c168c628f1f394bf64
-
Filesize 1.3MB
MD5 c1d36fa5d369c984b08f193ecc8c9796
SHA1 b66498c835e3f69dc0cdb490261ceb469639ece5
SHA256 1b6febdd7ac560ac7dffff9c5bfe2621a8f92efe21bd169691760c1706bd42bd
SHA512 48f493c66e3a5be3400bc91277e84f4f6d9a268a8dc845a44fde3f75d17c018fbe31de217376f2ca699de7bfd7d98fb85e2bca941ef95b0cf9755f6a1949ea1b
-
Filesize 877KB
MD5 cb99e808c2aaf2b77739904a36a82d78
SHA1 72e78a9be9ab94f00633f0bf0cce7c441382b3de
SHA256 f56250161d3067cfbad9e10f4432a228afaa20abe711b781cda4d6b500091ef1
SHA512 c62787664d3717adb86d4964ec785ed0e70783bfe43ff8035dc87b7fa1c1fbf6014143868bf3557c6e2fb7e605d0cd591cc5bdf5fc179861ae1697c121e5ef88
-
Filesize
635KB
MD59feda0b6afd676b6ea7ab54fe626e127
SHA1bf95b3b30c135e5114a88ba26a0e085db78825e2
SHA25638fe2ca4068e3e845cc15b46e57d4177484222ef16d40f65d8f7c34be35738d4
SHA51265fdadab700a97ef159819770bbe00db29dc359197cca9af0f4353142e614d609221c6d8002c549e2a4f0b1e776091ede2a57d3b14f08d66247a827e68357187
-
Filesize
5.6MB
MD5fd9fdde3e6fd4fb3beb743997972dbc3
SHA19ce5cdf30dcd050daf9c44e8377c7671409c661d
SHA25660a7132620d4b06250b6fe09d97bff2ddd99279810d57521977899df68f1d6ca
SHA51274db26ab31b9bb9f1a13ed90daab3e3d665eed7cd406a04da7106da584cee685843f5503969e8fdb93be219e78aa75c985c6d9f57454dd7fc276cf29364f05a5