Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 19:54
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
Resource: win7-20240508-en
General
Target: 2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
Size: 1.3MB
MD5: 5a2a3612fe5c432fd073dadd147ee9c4
SHA1: ed798fe7fcb48ed9345ef35a9f2a7868d5dad65e
SHA256: 328589c7e67b6b0cca942b762b56066b9c7b7f41e660760f1b1872b4cffeeb29
SHA512: cdae2ac37dc53ea51f15e6c6c54eb45a65c104e5a67bea55459af5351dc3745ef31e04f173ae554bb46a214ac78b25f295f592bbde5b0139dcf3066d254dd892
SSDEEP: 12288:TtOw6BajMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:B6BbSkQ/7Gb8NLEbeZ
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid   process
852   alg.exe
4216  DiagnosticsHub.StandardCollector.Service.exe
4416  fxssvc.exe
2624  elevation_service.exe
2304  elevation_service.exe
3568  maintenanceservice.exe
2540  msdtc.exe
3268  OSE.EXE
1292  PerceptionSimulationService.exe
1408  perfhost.exe
3260  locator.exe
2684  SensorDataService.exe
4548  snmptrap.exe
3760  spectrum.exe
2180  ssh-agent.exe
552   TieringEngineService.exe
3284  AgentService.exe
2264  vds.exe
3572  vssvc.exe
1084  wbengine.exe
3496  WmiApSrv.exe
4040  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
File opened for modification: C:\Windows\DtcInstall.log (msdtc.exe)
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (alg.exe)
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
Modifies data under HKEY_USERS (64 IoCs)
(str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004e49b39cbb2da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" SearchIndexer.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
824 2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 824 2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
Token: SeAuditPrivilege 4416 fxssvc.exe
Token: SeRestorePrivilege 552 TieringEngineService.exe
Token: SeManageVolumePrivilege 552 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3284 AgentService.exe
Token: SeBackupPrivilege 3572 vssvc.exe
Token: SeRestorePrivilege 3572 vssvc.exe
Token: SeAuditPrivilege 3572 vssvc.exe
Token: SeBackupPrivilege 1084 wbengine.exe
Token: SeRestorePrivilege 1084 wbengine.exe
Token: SeSecurityPrivilege 1084 wbengine.exe
Token: 33 4040 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4040 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4040 SearchIndexer.exe
Token: SeDebugPrivilege 824 2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
Token: SeDebugPrivilege 852 alg.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4040 wrote to memory of 2400 4040 SearchIndexer.exe 116
PID 4040 wrote to memory of 4792 4040 SearchIndexer.exe 117
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_5a2a3612fe5c432fd073dadd147ee9c4_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:852
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4216
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2560
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:2624
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2304
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3568
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2540
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3268
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1292
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1408
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3260
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2684
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4548
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3760
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2180
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4164
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:552
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3284
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2264
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3572
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3496
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040
  -
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2400
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  - Modifies data under HKEY_USERS
  PID:4792
-
Network
MITRE ATT&CK Enterprise v15
Downloads