Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/05/2024, 11:25
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Resource: win7-20240221-en
General
Target: 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Size: 1.8MB
MD5: 132cb4ec98efb04f0d95c6b2b6e12db8
SHA1: 552b78fb5bf9f36d80ba293628a6b3c0648817b7
SHA256: e0fa3ed1f36249f1ffb11b2d82d28cae466d6041939b3eeb59257293333d5bac
SHA512: 4e69489859683a7b328cec595d3ab339816bf9e289228a558fecb93c668807e89ab49e826a405a32c096bfd775b4a268a35a9ac13a9ed0ecc553f297ebdec3a9
SSDEEP: 49152:yE19+ApwXk1QE1RzsEQPaxHNgvu6olbnoQx1:X93wXmoKyu6otnoq
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid   Process
4740  alg.exe
1848  DiagnosticsHub.StandardCollector.Service.exe
3004  fxssvc.exe
4204  elevation_service.exe
3604  elevation_service.exe
3180  maintenanceservice.exe
2044  msdtc.exe
4800  OSE.EXE
4980  PerceptionSimulationService.exe
1040  perfhost.exe
4244  locator.exe
3960  SensorDataService.exe
4208  snmptrap.exe
1772  spectrum.exe
552   ssh-agent.exe
3560  TieringEngineService.exe
2912  AgentService.exe
5088  vds.exe
1152  vssvc.exe
4360  wbengine.exe
2796  WmiApSrv.exe
60    SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (31 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\System32\msdtc.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\locator.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\vssvc.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\dllhost.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\TieringEngineService.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\System32\alg.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\msiexec.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\SysWow64\perfhost.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\spectrum.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\msiexec.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\System32\snmptrap.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\dllhost.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\7748160892be0f3e.bin  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\System32\vds.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\wbengine.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File opened for modification  C:\Windows\system32\AgentService.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\AgentService.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory (64 IoCs)
description ioc Process File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe 
2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program 
Files\Java\jre-1.8\bin\tnameserv.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe 
2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program 
Files\7-Zip\7z.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe DiagnosticsHub.StandardCollector.Service.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe DiagnosticsHub.StandardCollector.Service.exe -
Drops file in Windows directory (3 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe -
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5f6c14096aeda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local 
Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3ef5c4196aeda01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local 
Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064c3774396aeda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002624994396aeda01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc87d64196aeda01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9fb0a4296aeda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" 
SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd11864396aeda01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint 
Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" SearchProtocolHost.exe Set 
value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 
2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe 1848 DiagnosticsHub.StandardCollector.Service.exe 1848 DiagnosticsHub.StandardCollector.Service.exe 1848 DiagnosticsHub.StandardCollector.Service.exe 1848 DiagnosticsHub.StandardCollector.Service.exe 1848 DiagnosticsHub.StandardCollector.Service.exe 1848 DiagnosticsHub.StandardCollector.Service.exe 1848 DiagnosticsHub.StandardCollector.Service.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 660 Process not Found 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe Token: SeAuditPrivilege 3004 fxssvc.exe Token: SeRestorePrivilege 3560 TieringEngineService.exe Token: SeManageVolumePrivilege 3560 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 2912 AgentService.exe Token: SeBackupPrivilege 1152 vssvc.exe Token: SeRestorePrivilege 1152 vssvc.exe Token: SeAuditPrivilege 1152 vssvc.exe Token: SeBackupPrivilege 4360 wbengine.exe Token: SeRestorePrivilege 4360 wbengine.exe Token: SeSecurityPrivilege 4360 wbengine.exe Token: 33 60 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 60 SearchIndexer.exe Token: SeDebugPrivilege 3696 
2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe Token: SeDebugPrivilege 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe Token: SeDebugPrivilege 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe Token: SeDebugPrivilege 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe Token: SeDebugPrivilege 3696 2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe Token: SeDebugPrivilege 1848 DiagnosticsHub.StandardCollector.Service.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 60 wrote to memory of 4328 60 SearchIndexer.exe 110 PID 60 wrote to memory of 4328 60 SearchIndexer.exe 110 PID 60 wrote to memory of 3568 60 SearchIndexer.exe 111 PID 60 wrote to memory of 3568 60 SearchIndexer.exe 111 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-25_132cb4ec98efb04f0d95c6b2b6e12db8_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:4740
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2512
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:4204
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3604
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3180
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2044
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4800
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4980
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1040
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4244
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3960
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4208
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1772
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:552
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4964
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3560
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:5088
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1152
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2796
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60
  -
  C:\Windows\system32\SearchProtocolHost.exe (child of PID 60)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4328
  -
  C:\Windows\system32\SearchFilterHost.exe (child of PID 60)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID:3568
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5f5a087853453dfc3370931fa2ffa4899
SHA1440357e7a10ed08d82d05357e04036b6495bfe91
SHA2562ccc365ece3bcdd0a13521d41f7ad63adc0f639f29711f88ea18ceb94212a843
SHA5124f946451d27994661b83d47f7590ab3955db0990344755d08310db825cc126dfa1b5e2ee398b2f3bc7a033ec994d5a70348169d385748db83a4b826c45f2e0ba
-
Filesize
1.4MB
MD59893f2d80bf4f3a8b8d49b0db4184991
SHA174e015ae895e94fdcd59455a3a3511c8d6ee12ae
SHA256daf1633c7edd6323290ea08ed84eabc8df7202d990093b77eb13074c289bdcfa
SHA512d67f2793e206e67910c645f802368bab00333ed9f206a1fb01140ff1d23bc962661769ac4e6b2e87701517dc179d0a91bc4b62fc7b7ba86b41f22243ad5645d7
-
Filesize
1.7MB
MD5e5f1996b9dde0f8b00b9a3b631fbe462
SHA11ed6d85b048ca25834082f836e364d12cf9522f0
SHA25618f935034774063b194b5ae8f47b31057c650a0c7f14241c37f9b946961f3ccf
SHA5124a0a771c02f5342f0fc3b492c1f77f436689447339889b5ea62bb2ed2cc5aa55fec4275242cca42c87bdd5155d8cae830ae63def22d5c1cbf944e6054c5cdaa6
-
Filesize
1.5MB
MD514d6cf05f76fde78eb2442ea54655f4a
SHA115394733cd38d46a539b7098ef2d4f2240fde65f
SHA256bf9534c238ffcbde7ae6671709bf8721d384f4a818694ed62cbf9633c453bf54
SHA512769bc872459f8d99ffad3e1dfbd2bef8eaa12398829a20a6038e66532c4fa2929dac628870a25f506b852b87202d56ff4168a43ecdfb9bcc41e31623476412f1
-
Filesize
1.2MB
MD5fae95b98de057f94d72facc2cd1a971b
SHA1ca34040d1bb6ee4678761fe75cdba1a59b5019f0
SHA2564c12f0641b6bf272ef952884913f29dd734d1382c6d0ab4cef39da4510aa0234
SHA512eacd7cf53f8d2ba4d4bf7bd2f939c613158ff60bce062fe9a280f36c7d638d82efac0b85a66c578fef7cf8f675b3cb3e57e6aa22b5f69ec5fa64a61c92515134
-
Filesize
1.2MB
MD54685b04beaad41bc689265a0bde2bc09
SHA162e47a7c9e2cddba184492e57e1b9683a9f72cb6
SHA25637b96630d6165754b66326e3982c7885c4bbd5994a830e7343aa1b0d8e0d3fef
SHA5127100085a047e77e696a6f47a5232256e109f76db83deb2cfcd49e431989337b37c83efc99009ca4df95b29dc1ed62d2c379806dcc8fad0b1c315fa9aa7f3ec8b
-
Filesize
1.4MB
MD58ad8ad8a07f42e2f0354b11b17a16a19
SHA12c3b251b898cb8d50e42b10287596c85f7fd3ae1
SHA256338cf32347976d5a3ab09d8091d33a7171423f4d857ccc34634403a24a15f0d9
SHA51223d720bdaf87e2b37ef6b348920dfa4f9c32fce03feb574dd221f60ed36936401ceb5e4f130283da03c3f58430dcf235bf6118a7a6e8aaa61bc7eb1fd5354db2
-
Filesize
4.6MB
MD59bdc4abd834aa35a5f9c9abded68f3d3
SHA15bb5f96f6751828d9dc0f513d02623270547613a
SHA2561c8b73078a29f2cc5235cdddced8e17d1dc70dac999ad15cb54f0e564b69ca63
SHA512c4cd1060f59730d69d2e5428ad9dfb2063162dcd38a62b0b62c844682a91dcf0433b38e332bd4333a93db68ed502d6849226f78ab4b94fffbe9e1cc145f48908
-
Filesize
1.5MB
MD5426f72bd22448d86ca596708dba47262
SHA15d80e04e5cf766a7c5f0e4ccfcace185f91e468e
SHA2564d7764bae908f35407d83ab17fbb31e5f1862e419cb552b8e51bf10f905a5422
SHA512f3fe28d1e14c5ece9a826931d998432b02bfdeb4f036f9831482269f1983889c836da1dedb095eb1de0a6904526de5238c8c123f62419aa799e75cd5b7f9f5ac
-
Filesize
24.0MB
MD53f6ceb0cc49a91f8c85814aaceb08043
SHA12d7175a6bbb5e9880413f96f2acaf9ff6a1e817d
SHA2567e4b56dbee9a6ac69db8a1a363b563a8a9aeb8580332abbb56ac8db1c693a05d
SHA512ab64df6e39dd3ca13cd0ad0523813320563d7568ac2be353d3b445e35cd9f693717d61b51523c0f73390eb35ea391585859164cd31e02e0b819a6086b67ead21
-
Filesize
2.7MB
MD5ea8864276ee4df09c4036de3c0d72d6b
SHA1e36d3f358d4c8225168d00e6733d6b666f249478
SHA25608d11d2300962aa00fbcd97e2b0bef1eb20603ac14228f59c602ccd255054352
SHA512b8c718f3b25a452b17b091f7ec6ed8a22fd4978af0e9bf173ed8e26f42d7ca53e50fef4d5873e0347561194c80caee4ef83ca670c6c41af23b0c9b9999107d2b
-
Filesize
1.1MB
MD5ede39982e5c0f071d24955de69fcfbd5
SHA126ef05fe36738e0125aff900f0f9f857304f50c9
SHA2566f0de0864ceb05a7b020cb628e20b66ea83657688f1610572924afd80bb94316
SHA512a556b4111034b721d303b0cd5dd2f366e66a6e3c99a92e83248d6833bdc01f28b0300540c63c5c8e9feab1a69de3e90b30bfa228b87425652b1963412c949285
-
Filesize
1.4MB
MD58c745d8c443837a5f9972d86859a51b0
SHA1558106f6ae3dca9d563f8d5318f3ee13ff426db2
SHA256a025f94dfdd384d410f7ed7952652acbed97ec8a747114398807908b87465c26
SHA51238823ce27a98de2d3d31ea12b4c98c22cd93a233eb7c35d8306c7464c6d1f814c07b2b4b0095040269f8308892474c0502b252f966b35808cca20d4433b07d70
-
Filesize
1.3MB
MD50b6b177231d30ea163d3b9f1edeafe59
SHA1e4838f45a4111925f7abd5c16778a84c4055bc2b
SHA256d64f17d3f3027fdd5145d172d09a2cc87eb57a69c0a7a59bb146845fa8eb6b2a
SHA512e6cb22c7bd65cf5cf1f944cf82a08839a4c1c5f15db58425b8f6df8904d12852ca8b2eb5be1b241e30006426d20544a9d64e9406cc7ef56c2a07d6986970c277
-
Filesize
5.4MB
MD52b577cd5e2a70762ae3e33af541874ce
SHA1d4af57980c9dd623357533f68fe4090a66ed9ca3
SHA25635aba6b6d037fbbf092a2c39d258e8401a287b4c27e4d5cd81592f224ab052b6
SHA5128a21a72b4698cce2bfbb87e76d6be604381eedd7ba62749eca8ad3a1d08e14ef76bfcdcec18256e190ea378a957b1edaba71bf80117d25264f51b5c825f2a8ff
-
Filesize
5.4MB
MD504d0ecbaa06e3dabd02516e124c8ef52
SHA1a88e177a163dfa3fdb080855923a510db674d576
SHA256745a2fdb4a33e8b0973af7efd7cec0d12577b75fec4c2d0c65f340ed9fedcb42
SHA5123a0213a3570d338f1e88af3e542d897aa6bf6bf1287e7d76df3b4befe70e5b6ba522e301e43ba4dd2edd9a6d8453041d0163c771a641eeb9c4d3f332f3b8d2e6
-
Filesize
2.0MB
MD5ce23647e1fea5607089d2d949a325c22
SHA15281860904a9d3686be1daefe69852df3ef798a6
SHA256ac8954233dc0dc35bab12ea0e2b3fae355ea8a81e265df974f87d0738397d669
SHA51256d1b2b71a7ebff96f068d4ec8c5a8e40407131a0f735f39dea1c90a72aa2062cd93cd5fe3313b80ab521ea167bd748c06b5e167f36fb19dfb6f3e191b61c5cb
-
Filesize
2.2MB
MD52f17de154c9db5f9606a0d9ff820de07
SHA103de0158c97c5d5b27be1cb780d0208536e39b00
SHA2568e4f89b4fac94ed1538659b625b310cf0db4e8ff96e0679f26979b5a8a55df73
SHA512626ab8d69cef57cc756fc025e729bb30fc5f0bfd5c75fa4f7ef21120764dc77d4d8ac7b33c62554f2eba6e4b256ac4ca35c417a4c2980fbf4aa7a5573ffb673e
-
Filesize
1.8MB
MD5b7398cdc370012353c95824f6e88bba9
SHA152d2805be5629b4e229e5cc2691f28fd22c3d59f
SHA2563b17a8ab64dbe593d7ab2e160dddca8faf72105c703cd933e398b029ace2d50c
SHA5124376ca098b0a97bdd0de2c18a2e8c9901e665c173b6413eadda550733ac9f4b7f4abfad6b57168ab1dc3167806c3090bcaf62ed1d7ff00774765ad87f6e0d1eb
-
Filesize
1.7MB
MD56532aa232008bb28b92d43908f8e9e66
SHA16f35575f39563fab079e3e49b2ea373416d753db
SHA25600e1bd62e2b1224e49e566a9d85b662bdf75f0f413e7195849bd781be0c8a208
SHA5127211a84d8c77e29a22cc0f186c613d5f68848d9b698eda3c6f02c128b649687c089231c8af350a5bbb10abcfcf54006200ddc82a1faee3d78f8f1893d3bfd7b5
-
Filesize
1.2MB
MD59ae49ad41261cb42df645daf34f77084
SHA12a9ae41e85ed7e22453e8f673600549f82ba90f3
SHA256ab2eb47703604200ac4b4a1691180fed7a10062671e4ce512b3cb125a0019db9
SHA51214e370ea29ccf15c48d1519ae1307064f58de3f2f72862ec978814bece49e546cf01a4b96ee1b8104d372eb9f8dce93a07b8212feeb3a8c02879ecfac674039c
-
Filesize
1.2MB
MD5cb9d04254f3df77c6cc2efb625243724
SHA1b0aba93d0488c4a91d4d8fe79e01c964445767de
SHA256efc96c87ae5253242cf10f1a5526d73d969cb52820bab3ef537f03b693dc0242
SHA512eac587db459f4df8f77700047368b2bd3cb6c10ea5edef78d159f353c739438493c47ce25fa2481273dbe45741f343321e2e7bb8e35b1aa708ba7017b344731f
-
Filesize
1.2MB
MD5798c91d04f01c503c50a7fb251cb4b69
SHA1477b01be162ef47d2c2e20d92c7f2e53482254cd
SHA256017143c38811b4a7b9c252ef4b5c72836fb56d29092ac6eec67efc1ea4de4826
SHA512bbf74d4b77767fd20f8f597d43279d74e26a80847d9447634f7de0946975a555ea1ffd409df28f1cac608845cb9ed87b744dc5531c74ac09d467fa41ee547f13
-
Filesize
1.2MB
MD512221d8240f032bb196e41e7c8f33b39
SHA1254bfe99ef23bf0b23a724981eca9b5f9be204c7
SHA256389321bc1a1a0f9976b5290802bd7c44ff39ceb69fc79fbdc89c3e40c2581674
SHA51242072134f5da1141bbfa89c8db2b0f6d4f0ec007c37d27b66e78c60de1ba287150a1e05274ab88c791ccdf6f838cdaf9c53d03e576f1970578f5a11934441ef4
-
Filesize
1.2MB
MD5442e1f08fb76d60f416c31866f21f85e
SHA146b9d44851318599d0da2bf3e3b3200d009b537b
SHA2567cee46e8a1d296226636f3aea4f90a01fbed27c1b846f56daf364b71e89e3875
SHA5121dd5ea800e6831cfe2458da220f1ca426b966d95d32744f64cb3991937167f20ea4e98d630802755de08b452d80cb53d2721589a78a9eb23213c355a2e2128d9
-
Filesize
1.2MB
MD505e3680d9945a74b391aafaf247ccfd7
SHA19f4bd0e0f2bf63bbde186b6e099c0d1b7af36810
SHA2565f3056e8e9883a45461ac4af1580a8af0279f899a435fd6b7c845dc6b972130c
SHA5122062c4b0d3f0244eef8bfa4b4798f5107ec1b0819c3730b0b0de26b095b8dafa03ba09400acf2c7592d094ede3a721c9e696fffda577ba2a6eb2b65e54c06a5e
-
Filesize
1.2MB
MD56bd8019e0b8306ae171b291fb0b79cbe
SHA193adf2a50fc6eef3698d5cab4898d02e9864f830
SHA256afbff2b314dba3e525c81f8c5c90d971f73a01f5511ac6422250c05225f8efc1
SHA5128e0a5ac385459d81d862813271023aa493852f24511720124eeb0dc95360e01ed887a7fcdcaf66cde8566da71a8f7f168864fb26aa36c5b761ae6016cd8da214
-
Filesize
1.4MB
MD5ddaf7a00177a06cfa556ab409cb50ed8
SHA1fbe5984b7eefd0eaca34befac7455bae7978d78e
SHA256c7730c1e1f742c93e03cbc7bf37afd0e99f63e7388ec41ca51fe7095511913f5
SHA512ee6d5b0f0a7b6810eab9b9f42d3d30c0204d24863a0424913cb85d6c05d48931acf3d6844df92f381325ae81072e16f8422bddcb36312619044a7271a0981b37
-
Filesize
1.2MB
MD5a219cda0590f54204236f4569140cbfe
SHA1aad9f6c5d04bf256db834d725a32e766e933893d
SHA25619c7fb1fa119256f388f7d99bb593d9eafc2becb71da4091ddbd4505194cb533
SHA51293156e1c3235a7b9ea924f6301320f13a19debe17c3acef249a47517e582e5e573da0d3402331680ab5b594883475ff91b017fd43be04c827298834559d5e438
-
Filesize
1.2MB
MD5963034f29bb9320b73d0241ccc4a139e
SHA1039227ad97d998c577be4ea5b70f57a3a6e7eadb
SHA256beefd761b885cf7234e28cddb23db22232bf5a07fb25604e229d4dc1be0c256f
SHA5128b6fc0b44ba07dfc6eea80e80e47d5b20c700970fbbee20c41e9059457bfd5852ded6f3dd35b13c8347993cc08f9911f27c45da8eaa4b32b2fdc8947945b66d9
-
Filesize
1.3MB
MD5f48476f6d472d3ef276e76e97240893e
SHA103305ae115fc51782d15bfb934658741bb2fc264
SHA256e857473dfff96272a36335e4f962811886062c880993d03b9fb85a5af7dc82a7
SHA5128db496c609934969912246902a46c374f7cdf30cb8144d67709631d9c6dddd238fac0f07273ddf859cb25071a5239d93a24a0941e674674d9894883f1f99b644
-
Filesize
1.2MB
MD55fd8cfbf59bc343877d3cad7aab3b31f
SHA19f14c4a7fc1a41986437c69a52170e999341263a
SHA256b5f4d77129f781482dbc09142cc0fc70fb8ed276abcefb7fbf5dea0372f27749
SHA512b5a8348d156885cb8953a9f457bc02017b73c88c15e38bd3f7176e719b9da6d7d2aa1444765900bcedde5c0d9a8bdfd353b0259997bff7ff7a88ee89cfa123d3
-
Filesize
1.2MB
MD53ca12b5f9affffbf82d68953042f95a9
SHA1054ba423584b4bd787c6973a3957c101501c8703
SHA256ba54b7fc693a4c011ccacfced2e9dc80033ae263d8b0a76e1dee0ee5d9013ed3
SHA5127b517ee196a159f5201805be0aef5cdbdca0be0a30621c32ddbaf4dd0759d7ed40056008e340781236c3c6efaabb873638da6cbd50d176105457022990886949
-
Filesize
1.3MB
MD5681b01b554922d720d90126b93578199
SHA1eaa74d697477722cb7bfad52ccc1da602d523fa0
SHA2566fb5a19f62b32c16bd26498e8182784952e510cd46170cd8a3a71b5ba267e8ff
SHA51264227b571a88075af9d7f1e3df8a8ce9a5e453c3bcf11922cedb07d07762d1a1741e089182db8395820091d362bf578c3318fe3f6838f61a84655265af6318f6
-
Filesize
1.4MB
MD5ddc4fe306be4b444291e6189b355bcf6
SHA154fee111280c9bb550216e958cde5b39a8420f4a
SHA2560d9a25907863ddd1bd293bad67fb2f0e7fecc495af33bbf83dd3124ccf088684
SHA51255032863a1fe4fe00db1ed7e2efb188e5c23be1ce6451e7de68959a0a5a65e76ce09826bc36b254d19b40ac6267addad05066e52fc9fbaddefd147c90e4df507
-
Filesize
1.6MB
MD5a12513f77434c8ff949a47a88100701e
SHA1469082995b2f3c4206cf7eb4a0e137c61e4197ae
SHA256b5b433967f8b527233a9927ec0b5df63a9492a00579ac557212b60b82c632814
SHA5125e8cffc5d9e9e79c1955e1d84e16b06cef2a5337ea3490932d65f4899dcaa742d7c994e3c01ecae2ebe89e995673d98ebd3a696367186c3b91164b371b046374
-
Filesize
1.5MB
MD5cbc8bb8a205a861b0dc47e025d35475d
SHA1bfc7dadf1bd83e27e17b4b8ded36e08e0cbc2ec1
SHA2560e9fe51548c44e87a81a699a1b90ab98d4eb71c27e1049abb440f107cfb7f419
SHA5129e61f6c245e13cfc0bdacaabd3ad81ea0a9d52eaf4cf5bff4a0a31165e97e7d08dd7b367dbe0a1437b8043d4076e2d8cffafa33e84202315f68107a42cbcd9ab
-
Filesize
1.3MB
MD5a5f2ef099994071c1722db737e328ce5
SHA154213a910ebe355502d047a1001c7e25631c4b7f
SHA256e64d27b55b1b9615c020f9d69fd6f4624eec0843d7ab6a770a7fc957e04fda3d
SHA51272ff266eceb27dbc60f62f4c5f42eadebf056ea9bc6ce79a3bf822405c6af21a2b71966b18d67ab583ff9e19cb73afdb47ad80655084678acb0ada24f78d9c48
-
Filesize
1.2MB
MD582bd025ebb8e5a2cf1522ca532facd4b
SHA148f8876d8e7ad910b3944b639f71be17efa403f4
SHA2564ca5820522751985ce9d88da41ea5592aa058ff1ba8057e45a716ad876dd03d4
SHA51279c6cd5ba96ac6cd02f82ddf9fa4f614e9cf5b7fbb870924118a9b71c55d1502dba82744699a719d3dbbead89be9f95604f0f0773f25fd1c3563675e3ae623de
-
Filesize
1.7MB
MD5a6cd7200c10f67b733e73aa0b7ef1e50
SHA12288d9b2a103bca985bfbb6a88023b2cee7f951e
SHA256b7e24feeef441ed1578c460371e0bba29cb8b866d9f8afd3e4e93fb32fa8caf6
SHA512a8783e0eccd0f63d26d3263bea2b3b24f1ff652af8400c37e13d25986eadc4ac728a9a6d826c5520fadcaa09e0d65883eef3da9697d1c5afc3e430e4c1543b0f
-
Filesize
1.3MB
MD5ce313eb7c1a873918b1626cb030b1208
SHA1c030398dfe04028f25ce17cf9b348e154d62cb2c
SHA256ba50a34e8ab25b2722c641d4cf593ea584ba22f8dd2ae5a49ed233fa4f0ae5a7
SHA5121df9233651a0681c097a51ecd520408f91440ee5d40abfc67f6fa48ed5806096784065a71fec1f4478a71e22dfb505dbae3613640725f5e31e7078b8e3271a67
-
Filesize
1.2MB
MD50a5a997a4678d28dbfc535f03eb714b3
SHA16a3565fee51921df96b2d281a39932f13ff7a01b
SHA25627cd92555d1dab1636ebfbbd8646a7598faf53f914d3325466fdec1f53c80947
SHA51242f5446c295e302e997eda4cca10fbcf411c3c6deca275db2c9f0fac9cf6ecb45f6191944aac8f4bd5dfec1f4664b8a8ff2b6662b0c1f33fcf1626e78389b261
-
Filesize
1.2MB
MD50109910e29d029a4c05174a06342e1ca
SHA1d118f72029c0924585504b595cc3ff60cd5c9992
SHA256248b555cf0ec9afe0779257641a865dbfe36209dacf3c44ebd76d7f127aa49d0
SHA512ff55d958fd7583f9a85b4ace2a6896b88b4940dd3723eb9db4ead3c01c1923786e316f6c3c42005c21f6baf5af2c7fee930fd334ef602a7d747231321b448d71
-
Filesize
1.5MB
MD51a853352eb03b4ff2d98e3838e4310c3
SHA11c50aeb4c3aa51f9b547e10ec13543f5c66a113f
SHA25608d9a43253231271092d261e9bc887ae0dc3b828f442ab1de21d27754b62031d
SHA512f1bfea3a1ef1af3ef4029fc87ea0ac5bf359f0dbcd0cca5e4e4ea6b9becf794e8c9a1f6ba4833099523fbdd53de0a592c3071654c895e5ca2cfaf55fc9bcf627
-
Filesize
1.3MB
MD5c641ef3c6c0212d6a2991693aa118dd3
SHA1bb0f4c07bb60f6a59b7e4266b53b817a89ff2c9f
SHA25652383bb626eb14da7a0e363c47c1339ad2a1d5b4e820da71425d714aee263765
SHA5129bf6433082cc0f7893ec9f51d852e3d1844bd5a1f6567062327fdd2dbf6b7832d7df71b14ec8572fc97dd59938b8fa5cf84f0b87f0fe203630a9fb15fed4f15b
-
Filesize
1.4MB
MD5c8bed33d6438301878afd73358fcc75a
SHA14767e6a2497c9dcbe543950fdb7879c1268751f0
SHA256d2df93d9b1aa8a48ec7d71594a8e8f01be6da75f807f7cd5fdc8eaa91187813d
SHA512200f7b675e949e97226335d8668e2a16c6a7c592d421d8796505d9ff0ac0fa8a9d9da4972a7078970ba194bbfc2c85f5b858d2efa210b2574f45a6cd034b32c6
-
Filesize
1.8MB
MD5769764177dd34dc25adea767715fa888
SHA1582d53f444f7f1850a95214439353a86f9dbf831
SHA25656dca6519249727541664f353f9f92eeeb3bec9e3d69f1d77ae0c1c79c819dab
SHA512c2b3e83a61fdf11d9ba62403e2f81623d8d82ee2e98de4d91586cbbed2bb2d0491e0d66bea839f1534ca15f02bb50d80abc52367892d1ead9ffd1fbf4ce3b437
-
Filesize
1.4MB
MD56b3251f98231725fe109b205870ed964
SHA1a00185aa8ed389eb4a63aa334ab586768bc31b35
SHA2569488d5795046b7d6c276a53065698872a835927f502d99404347eec078113344
SHA51213a8cb6d6229331dd34345da8594e42c7fa57bfa45845d16cc1260580bc35de83559325b11e000baa0354ef9d96c79dd7f465920514e09ed7f827de4fc91503b
-
Filesize
1.5MB
MD5ea3d1b5d443eb4ad25622607484276e7
SHA1259c65619de39a24479ef367b08316fa744a5f5d
SHA2564e5a9c536ef4242d3299cd213808348e8c0d93d67cb2d98e13beb503788fcd74
SHA512685548e9b0d13cbe8dd4fd3ada71092e4b745f80e010755bee28764a234e830cef525a6259639a206e07ed697145488fbef12204cf8adcb511d61e6d922f9cb3
-
Filesize
2.0MB
MD50c38d87a8c8ba05dcc289b62589af2d2
SHA1dc3d9412b541f2e5200e42026ee1eca713d67998
SHA256a952bb7898f8e1afc1bbc57d1547c050535381a802b5eccd8290196ad8e2a5c9
SHA51270cb1c46bab3992e6dc92dbc61ac0379285d8bbebd71bb8caec2d9a2598e1aecd2cbc53a01373b41b27292fde4254dbd5a59585028d598ba0a1e6e7efcfec845
-
Filesize
1.3MB
MD5
3352692e8cbeb9fa64cce626f3aa7f07
SHA1
68caed4bd370df6c058cdbd5a742129a080c992d
SHA256
52d34512a7450e8c534dfd6da2f173c1a8f65d43c5c7ece82e5bdd421d19f758
SHA512
032d9d689e56d5aa8772da93a9323634791ca2d847fc6912b988de944db98fcbf2a1ea821e00228e46b342f097b886afc79e85ec97d99c69e4fe4d44e52fb882
-
Filesize
1.3MB
MD5
7bb206bf3e9ec5a52054a33fb8906a9d
SHA1
b0c6d8c06a50497f4d5d42159f04f45b624a41ed
SHA256
726b8fd8aef99015cdbd4df227c00c9b0432c59805fe5ee39d7ae68a9d08afd6
SHA512
cb35b429f060914a7a0ea9fd62221d529515c65dbb299ca72c5208c785bd2d6f9cec6cecff8c09a07b0d1816a76de93f8888cd4f755906e66a374cc37e08415a
-
Filesize
1.2MB
MD5
a44de9aa437d17a711530d8d5caefced
SHA1
87226afd341c349e75f92ec2c65b8d7932a95833
SHA256
5e2774f519b5e4e5231a1b84060e426693776034a3ded900a88b392fef844e2a
SHA512
c313852f8ab7c259835ccd462d49314bece329a01f746c5238577ed6926b5d1576cb4dd932d832e308e4177041190e77ca92fc6730759bc0b112ffa865e7555c
-
Filesize
1.3MB
MD5
44d7f681634ad2548998c82141b07c46
SHA1
6d337819a6a6bb3efa159507e251b8cb065eea17
SHA256
ac08f80b6612c8e7b0f160c7cd4f6a42a912ebfdf58e84278915a1cd187365dd
SHA512
d6a73a93594375dffaed3044de60dbed0aba3b7297de03e526630b1aa7bc1c809178c6002848886e96fb9e6b50d7d37efb0447f1a11560ab38e3062d28f6f930
-
Filesize
1.4MB
MD5
5a2abba2ec0f2e59f55f7ee9d55d3b53
SHA1
3f3b42cfe98c29da71539a6b57c2a74a8ced655a
SHA256
504d5588dca0317e9adbcf2da0149cd052b8b269d7072ddaccd7a52d11342839
SHA512
c4193f086d960cef811821bf0e29704334fc6adc8586c7e9d37c30de6a46ab6e52f68cd37d457dec6eb3a41e87307a957e4f06848b43b7463247ca8e26df9334
-
Filesize
2.1MB
MD5
2f94948793fbaff49ff86ece1ac14a44
SHA1
09184a2cc5794124042f2e3f8bc93cde6ebc27fc
SHA256
a791e9978cdadd2ac7eb8cd97afc8e137dcd4ca09ad848d0bba911a27d37a59c
SHA512
9364c3420bf43dc05f0010cb1e1a5e89f4051d81b56331ad5a9a915db4768e9280ebcd46ed86e0773979e41409a826cd80d343321f1a610a3b7e7cb49d64e157
-
Filesize
1.3MB
MD5
d8f2a22406c517628f43ac4f86fc508b
SHA1
8bc4bcd9734b118104b6446969a5f5b95de9f2f0
SHA256
4fbe8c2a23ace474a5cd266fe6bf06d21e4237df433492276aa64b68441c9ffa
SHA512
64e1df0d6201f911303415afb1eec4ea0e895643f3e3cabb16a7449842253dc9ba95c12d39e3484d649d9cd04009050fd853a6aa337eba6b486d204a77e06a5e
-
Filesize
1.5MB
MD5
996028629e7979a334bcb0ec9dbbc8ce
SHA1
a4df403766cfcdbeb7a9203ffa2c27bf8f88717d
SHA256
810dd985166eb62ec1960f9438ae24341420111bcd5456cb754c44d3885fb39f
SHA512
7c14caf0f94ce2d7ff18c63b32791233db5f5b93985ce1178fea45f908c3a6c2322b5d9bc7be8cf01285e2618c3eefbef659c70d564d52e7fcad6d216bd2c3a0
-
Filesize
1.2MB
MD5
8c4b7eafb587fd2475033378fae59872
SHA1
d06b387632cedbdf3949608e2f249daa4bf0ed49
SHA256
0919cc6c9cf406e0d97278d91e0a9bf7ff4a5938f840abed0cb7b195b060ad62
SHA512
00b3d7bb9f17e7d210a9d4d596b7054a11e9bf85a1c0697f2543437ce6841011d7607097c7da20cf9e6d3accba72381b799059f52a2794fd93eb0a3b1f023c72
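The dropped-file listing above is only useful once its digests are pulled out into a form a blocklist or hunt query can consume, and copied-out report text frequently fuses the label to its value (`MD5c641...`) or splits them across two lines. The following Python parser is an added example, not part of the tria.ge report or of tria.ge's own tooling: it reads a listing in either form, validates every digest against the hex length its algorithm must produce, and collects the SHA256 values that pass. The embedded sample is constructed: its first two records are copied from the listing on this page, the third is made up with a truncated SHA256 and no SHA512 so the validation has something to reject.

```python
import re
from typing import Dict, List

# Hex-digest length each algorithm must produce; anything else is a
# copy/paste or truncation error, not a usable indicator.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# A label optionally followed (fused or whitespace-separated) by its value.
# Longer labels come first so "SHA512..." is never read as "SHA1" + "512...".
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5|Filesize)\s*(\S*)$")

# Constructed sample listing (see the lead-in): two real records from this
# page, one fused and one split, plus one made-up defective record.
SAMPLE_LISTING = """\
-
Filesize
1.4MB
MD5c8bed33d6438301878afd73358fcc75a
SHA14767e6a2497c9dcbe543950fdb7879c1268751f0
SHA256d2df93d9b1aa8a48ec7d71594a8e8f01be6da75f807f7cd5fdc8eaa91187813d
SHA512200f7b675e949e97226335d8668e2a16c6a7c592d421d8796505d9ff0ac0fa8a9d9da4972a7078970ba194bbfc2c85f5b858d2efa210b2574f45a6cd034b32c6
-
Filesize
1.8MB
MD5
769764177dd34dc25adea767715fa888
SHA1
582d53f444f7f1850a95214439353a86f9dbf831
SHA256
56dca6519249727541664f353f9f92eeeb3bec9e3d69f1d77ae0c1c79c819dab
SHA512
c2b3e83a61fdf11d9ba62403e2f81623d8d82ee2e98de4d91586cbbed2bb2d0491e0d66bea839f1534ca15f02bb50d80abc52367892d1ead9ffd1fbf4ce3b437
-
Filesize
1.2MB
MD5
a44de9aa437d17a711530d8d5caefced
SHA1
87226afd341c349e75f92ec2c65b8d7932a95833
SHA256
5e2774f519b5e4e5231a1b84060e4266
"""


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Split a '-'-separated listing into records of label -> value."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    pending_label = None  # label seen on its own line, value expected next
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":  # record separator
            if current:
                records.append(current)
            current, pending_label = {}, None
            continue
        if pending_label is not None:  # this line is the split-form value
            current[pending_label] = line
            pending_label = None
            continue
        m = LABEL_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {line!r}")
        label, value = m.group(1), m.group(2)
        if value:
            current[label] = value  # fused form: label and value together
        else:
            pending_label = label  # split form: value comes on the next line
    if current:
        records.append(current)
    return records


def validate_record(rec: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means every digest is sane."""
    problems = []
    for algo, length in DIGEST_LEN.items():
        value = rec.get(algo)
        if value is None:
            problems.append(f"missing {algo}")
        elif not re.fullmatch(r"[0-9a-f]{%d}" % length, value):
            problems.append(f"bad {algo}: {value[:12]}... (len {len(value)})")
    return problems


def valid_sha256s(records: List[Dict[str, str]]) -> List[str]:
    """SHA256 values from records that passed validation, deduplicated."""
    return sorted({r["SHA256"] for r in records if not validate_record(r)})


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for i, r in enumerate(recs, 1):
        print(f"record {i} ({r.get('Filesize')}): {validate_record(r) or 'ok'}")
    print("\n".join(valid_sha256s(recs)))
```

The validator deliberately rejects rather than repairs: a digest of the wrong length is evidence that the copy is damaged, and shipping it to a blocklist would silently match nothing.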