Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/05/2024, 14:38
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe
Resource: win7-20240221-en

General
Target: 2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe
Size: 1.5MB
MD5: d5621e65b95b35a1b3108b4de28871a1
SHA1: b46cce772602a616d7a31a31763e43c01cb5c5c6
SHA256: 51f9d538fc4b192c269b593103d2869dcf4b5b4aca5e2151bd805d1f6d8691e1
SHA512: 324f3400acb0002d5bdf14d0e1533c9ab3e1f21657a746a3c8c276f3b6c71087b4bfd45c8670ead459605c3437a93deb49e4a676063d0a6c8e59ed274cd9decb
SSDEEP: 12288:fvXk1PGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPhq:nk1ut/sBlDqgZQd6XKtiMJYiPUq
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Every process listed here is a Windows or third-party service executable that already existed on the image (Chrome's elevation_service.exe, the Mozilla Maintenance Service, Office's OSE.EXE, and Windows services such as alg.exe, vssvc.exe and SearchIndexer.exe). The signature fires because each of these files was written to earlier in the run, before it was started; see the "Drops file" sections below for the writes. Behaviour later attributed to these process names may therefore be either the injected code or the host service's normal work, and the report cannot tell the two apart.
pid | Process
2432 | alg.exe
3936 | elevation_service.exe
3228 | elevation_service.exe
3968 | maintenanceservice.exe
4280 | OSE.EXE
4640 | DiagnosticsHub.StandardCollector.Service.exe
2072 | fxssvc.exe
2840 | msdtc.exe
4844 | PerceptionSimulationService.exe
3712 | perfhost.exe
544 | locator.exe
4268 | SensorDataService.exe
3436 | snmptrap.exe
568 | spectrum.exe
3648 | ssh-agent.exe
3928 | TieringEngineService.exe
1784 | AgentService.exe
2668 | vds.exe
2332 | vssvc.exe
3976 | wbengine.exe
4052 | WmiApSrv.exe
4808 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report lists no individual IoCs for this signature, so which process read which profile path is not visible here.
Drops file in System32 directory (28 IoCs)
All 28 entries are "File opened for modification". The original sample (pid 752) writes alg.exe, dllhost.exe and AppVClient.exe; alg.exe and elevation_service.exe then write the remaining service binaries. Service executables under System32 are owned by TrustedInstaller, so writing them requires taking ownership first, which matches the SeTakeOwnershipPrivilege enabled by the sample and by elevation_service.exe (see "Suspicious use of AdjustPrivilegeToken"). The one non-executable written by alg.exe, e6cf3f9ac3136770.bin under the SYSTEM profile's AppData\Roaming, is the most specific file IoC in the report (MSDTC.LOG is msdtc.exe's own log).
ioc | Process
C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
C:\Windows\system32\AgentService.exe | elevation_service.exe
C:\Windows\system32\wbengine.exe | elevation_service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
C:\Windows\system32\dllhost.exe | elevation_service.exe
C:\Windows\System32\msdtc.exe | elevation_service.exe
C:\Windows\system32\dllhost.exe | 2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe
C:\Windows\system32\AppVClient.exe | alg.exe
C:\Windows\system32\dllhost.exe | alg.exe
C:\Windows\system32\AppVClient.exe | elevation_service.exe
C:\Windows\System32\SensorDataService.exe | elevation_service.exe
C:\Windows\System32\snmptrap.exe | elevation_service.exe
C:\Windows\System32\vds.exe | elevation_service.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\e6cf3f9ac3136770.bin | alg.exe
C:\Windows\system32\fxssvc.exe | elevation_service.exe
C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
C:\Windows\system32\locator.exe | elevation_service.exe
C:\Windows\system32\vssvc.exe | elevation_service.exe
C:\Windows\System32\alg.exe | 2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
C:\Windows\system32\AppVClient.exe | 2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe
C:\Windows\system32\spectrum.exe | elevation_service.exe
C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
C:\Windows\system32\msiexec.exe | elevation_service.exe
C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
All entries are "File opened for modification", every target is an executable, and the only writers are alg.exe and elevation_service.exe, the two service binaries written by the sample or by each other. Three signatures in this report stop at exactly 64 IoCs, which suggests a per-signature display cap rather than an exact count; treat this list as a sample of the files touched, not the full set.
ioc | Process
C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jstat.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | elevation_service.exe
C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | elevation_service.exe
C:\Program Files\VideoLAN\VLC\vlc.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | elevation_service.exe
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | elevation_service.exe
C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\klist.exe | elevation_service.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | elevation_service.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
C:\Program Files\Java\jre-1.8\bin\servertool.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | elevation_service.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe | alg.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | elevation_service.exe
C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | elevation_service.exe
C:\Program Files\7-Zip\7zG.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\servertool.exe | elevation_service.exe
C:\Program Files\Mozilla Firefox\private_browsing.exe | elevation_service.exe
C:\Program Files (x86)\Internet Explorer\ieinstal.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe | alg.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | elevation_service.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
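The write chain described in the two "Drops file" sections can be reconstructed mechanically from the report's own "File opened for modification" entries. The following Python is an added example for this page, not part of the sandbox report or of any vendor tooling: it parses that run-on text, groups writes by writer process, and flags second-generation writers, processes whose own executable name also appears as a write target (here alg.exe, written by the sample, and elevation_service.exe, which writes Chrome's copy of itself). SAMPLE_IOCS is a constructed excerpt of eight entries copied from the lists above; the function names are this example's own.

```python
"""Reconstruct the write chain from a sandbox report's flattened
'File opened for modification <path> <process>' entries.

Added example for this page; it is not part of the sandbox report or of
any analysis tooling. SAMPLE_IOCS is a constructed excerpt of the report's
own System32 and Program Files entries, kept in the run-on form the page uses.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ORIGIN = "2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe"

# Constructed excerpt: eight of the report's entries, original order preserved.
SAMPLE_IOCS = (
    "File opened for modification C:\\Windows\\system32\\TieringEngineService.exe elevation_service.exe "
    "File opened for modification C:\\Windows\\system32\\dllhost.exe " + ORIGIN + " "
    "File opened for modification C:\\Windows\\system32\\AppVClient.exe alg.exe "
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\e6cf3f9ac3136770.bin alg.exe "
    "File opened for modification C:\\Windows\\System32\\alg.exe " + ORIGIN + " "
    "File opened for modification C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\GoogleUpdate.exe elevation_service.exe "
    "File opened for modification C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\elevation_service.exe elevation_service.exe "
    "File opened for modification C:\\Program Files\\VideoLAN\\VLC\\vlc.exe alg.exe"
)

# The path may contain spaces ("Program Files (x86)"); the process name never
# does, so the process is the last token before the next marker or end of text.
ENTRY_RE = re.compile(
    r"File opened for modification (.+?) (\S+)(?= File opened for modification |$)"
)


def parse_file_iocs(text):
    """Return [(path, process), ...] in report order."""
    return ENTRY_RE.findall(text)


def write_chain(records, origin=ORIGIN):
    """Group writes by writer and find second-generation writers: processes
    whose own executable name also appears as a write target in the list."""
    writes = defaultdict(list)   # writer process -> [target path, ...]
    written_names = set()        # lower-cased basenames of every target
    for path, proc in records:
        writes[proc].append(path)
        written_names.add(PureWindowsPath(path).name.lower())
    second_gen = sorted(
        w for w in writes if w != origin and w.lower() in written_names
    )
    return dict(writes), second_gen


def summarize(text, origin=ORIGIN):
    """One dict a responder can read: who wrote, what the sample itself wrote,
    which written binaries went on to write others, and non-executable drops."""
    records = parse_file_iocs(text)
    writes, second_gen = write_chain(records, origin)
    return {
        "entries": len(records),
        "writers": sorted(writes),
        "origin_targets": writes.get(origin, []),
        "second_generation": second_gen,
        # Non-executables are plain dropped artefacts: hash them for an IoC
        # rather than relying on the signature name alone.
        "non_exe_targets": [p for p, _ in records if not p.lower().endswith(".exe")],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_IOCS).items():
        print(f"{key}: {value}")
```

Because each signature shows at most 64 entries, the full chain is not always visible: on this excerpt elevation_service.exe is found only as a self-write, and the entry that first modified Chrome's copy is absent from the page, so the script reports what the report supports and nothing more.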
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Both processes that read these keys, SensorDataService.exe and spectrum.exe, are Windows service binaries that elevation_service.exe opened for modification earlier in this run (see "Drops file in System32 directory"); device enumeration is also part of their normal startup, so this signature alone does not separate the injected code from the host service. Note what the keys expose: the fixed disk carries a non-hypervisor vendor string (Ven_DADY&Prod_HARDDISK), but the two optical drives still identify as a QEMU DVD-ROM and a Microsoft virtual DVD-ROM, which is enough for a vendor-string VM check to succeed.
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted below).
description | ioc | Process
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
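To see what this enumeration yields in practice, the following Python is an added example for this page, not part of the sandbox report: it parses the "Key opened" and "Key value queried" entries above into distinct SCSI device instances, extracts the Ven_ and Prod_ fields from each device ID, and applies the kind of vendor match a VM check performs. SCSI_IOCS is a constructed excerpt of five of the entries listed above; the vendor markers in classify() are this example's own assumption about identifiers commonly exposed by hypervisors, not something the report states. On this data the renamed fixed disk (Ven_DADY) passes, but both optical drives give the environment away.

```python
"""What a VM check learns from the SCSI enumeration keys in this report.

Added example for this page; not part of the sandbox report. SCSI_IOCS is a
constructed excerpt of five of the report's 'Checks SCSI registry key(s)'
entries. The vendor markers in classify() are this example's assumption about
identifiers commonly exposed by hypervisors, not something the report states.
"""
import re

SCSI_IOCS = (
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\\4&215468a5&0&010000\\Properties\\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\\0009 SensorDataService.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\Disk&Ven_DADY&Prod_HARDDISK\\4&215468a5&0&000000\\Properties\\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\\0004 SensorDataService.exe "
    "Key value queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\Disk&Ven_DADY&Prod_HARDDISK\\4&215468a5&0&000000\\FriendlyName SensorDataService.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\\2&1f4adffe&0&000002\\Properties\\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\\0006 spectrum.exe "
    "Key value queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\\4&215468a5&0&010000\\FriendlyName spectrum.exe"
)

# Registry paths in the report contain no spaces, so three \S+ tokens suffice.
ENTRY_RE = re.compile(r"(Key opened|Key value queried) (\S+) (\S+)")
# Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>\<instance id>\...
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)"
)


def parse_scsi_iocs(text):
    """Map each distinct device instance to the set of processes that touched it."""
    devices = {}
    for _op, key, proc in ENTRY_RE.findall(text):
        m = DEVICE_RE.search(key)
        if m is None:
            continue
        dev = (m["cls"], m["ven"], m["prod"], m["inst"])
        devices.setdefault(dev, set()).add(proc)
    return devices


def classify(vendor, product):
    """Return a hypervisor label for a Ven_/Prod_ pair, or None if it looks physical.
    Assumed markers: QEMU, VBOX and VMWARE vendors, and Msft with a Virtual_*
    product, which Hyper-V uses but which Windows also creates for a mounted ISO."""
    v, p = vendor.upper(), product.upper()
    if v == "QEMU":
        return "QEMU/KVM"
    if v == "VBOX":
        return "VirtualBox"
    if v == "VMWARE":
        return "VMware"
    if v == "MSFT" and p.startswith("VIRTUAL"):
        return "Microsoft virtual device (Hyper-V or mounted ISO)"
    return None


def vm_verdict(text):
    """Emulate the decision a VM check makes from these keys.
    Returns (hits, disk_leak): the devices that reveal a hypervisor, and whether
    a fixed disk (not only an optical drive) was among them."""
    hits, disk_leak = [], False
    for (cls, ven, prod, _inst) in parse_scsi_iocs(text):
        label = classify(ven, prod)
        if label is not None:
            hits.append((f"{cls}&Ven_{ven}&Prod_{prod}", label))
            disk_leak = disk_leak or cls.lower() == "disk"
    return hits, disk_leak


if __name__ == "__main__":
    for dev, procs in parse_scsi_iocs(SCSI_IOCS).items():
        print(dev, sorted(procs))
    print(vm_verdict(SCSI_IOCS))
```

The Msft/Virtual_DVD-ROM case is deliberately labelled ambiguously: a check that treats every "Virtual" device as sandbox evidence also fires on a physical workstation with an ISO mounted, which is a useful way to make such checks unreliable.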
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
TieringEngineService.exe is one of the service binaries elevation_service.exe opened for modification; reading ~MHz from this key is also how ordinary software obtains the CPU clock, so the signature is weak evidence on its own.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
All writes go under \REGISTRY\USER\.DEFAULT\, the hive used by the LocalSystem account, and come from SearchProtocolHost.exe and SearchFilterHost.exe (the Windows Search indexer's helper processes, spawned by SearchIndexer.exe, pid 4808 above) and from fxssvc.exe (the Fax service, pid 2072). The values are MuiCache strings, FileExts keys and cached shell-extension timestamps, consistent with SYSTEM-context services populating their caches on first start rather than with persistence. The list stops at the 64-entry cap.
Prefix \REGISTRY\USER\.DEFAULT\ omitted below.
description | ioc | Process
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000143355c343b0da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d04200c243b0da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082b634c243b0da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | SOFTWARE | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | Software | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | Software | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f88c8c243b0da01 | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072d5f5c243b0da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a46564c243b0da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008910ec243b0da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
3936  elevation_service.exe (7 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
668   Process not Found (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description                           pid   Process
Token: SeTakeOwnershipPrivilege       752   2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe
Token: SeDebugPrivilege               2432  alg.exe (3 occurrences)
Token: SeTakeOwnershipPrivilege       3936  elevation_service.exe
Token: SeAuditPrivilege               2072  fxssvc.exe
Token: SeRestorePrivilege             3928  TieringEngineService.exe
Token: SeManageVolumePrivilege        3928  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  1784  AgentService.exe
Token: SeBackupPrivilege              2332  vssvc.exe
Token: SeRestorePrivilege             2332  vssvc.exe
Token: SeAuditPrivilege               2332  vssvc.exe
Token: SeBackupPrivilege              3976  wbengine.exe
Token: SeRestorePrivilege             3976  wbengine.exe
Token: SeSecurityPrivilege            3976  wbengine.exe
Token: 33                             4808  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege     4808  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4808  SearchIndexer.exe (24 occurrences)
Token: SeDebugPrivilege               3936  elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                    pid   Process            procid_target
PID 4808 wrote to memory of 4828  4808  SearchIndexer.exe  125
PID 4808 wrote to memory of 4828  4808  SearchIndexer.exe  125
PID 4808 wrote to memory of 3164  4808  SearchIndexer.exe  126
PID 4808 wrote to memory of 3164  4808  SearchIndexer.exe  126
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe"
  PID: 752
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  PID: 2432
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 3936
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  PID: 3228
  - Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 3968
  - Executes dropped EXE
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  PID: 4280
  - Executes dropped EXE
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  PID: 4640
  - Executes dropped EXE
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 4648
-
C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  PID: 2072
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  PID: 2840
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  PID: 4844
  - Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  PID: 3712
  - Executes dropped EXE
-
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  PID: 544
  - Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  PID: 4268
  - Executes dropped EXE
  - Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  PID: 3436
  - Executes dropped EXE
-
C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  PID: 568
  - Executes dropped EXE
  - Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  PID: 3648
  - Executes dropped EXE
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4152
-
C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  PID: 3928
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  PID: 1784
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 2668
  - Executes dropped EXE
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2332
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 3976
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 4052
  - Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  PID: 4808
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes of PID 4808:
    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      PID: 4828
      - Modifies data under HKEY_USERS
    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
      PID: 3164
      - Modifies data under HKEY_USERS
-
Network
MITRE ATT&CK Enterprise v15
Downloads