Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/06/2024, 16:30
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Resource: win7-20240221-en
General
Target: 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Size: 712KB
MD5: d148d068dc64cda5e104e22ae8dfb02d
SHA1: 15247999b3ba9affea86fce2919d6557c172bfc8
SHA256: f9f47f043a9822b04b5fd5d40cdd2624946c90228564ccefa3f246dccabb25e4
SHA512: 991e57e3c34c38bd0f2603843548326c53c6e19b78ca17e4aff3f73bb3a1a3b76bd61913b50182428967fdd293e00f1fa510a938d1b9fec5405abdf0166c0e9e
SSDEEP: 12288:VtOw6BamGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:f6Bst/sBlDqgZQd6XKtiMJYiPU
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid   Process
3984  alg.exe
2500  DiagnosticsHub.StandardCollector.Service.exe
3744  fxssvc.exe
712   elevation_service.exe
4388  elevation_service.exe
2592  maintenanceservice.exe
4048  msdtc.exe
1928  OSE.EXE
2708  PerceptionSimulationService.exe
6128  perfhost.exe
5332  locator.exe
5808  SensorDataService.exe
4468  snmptrap.exe
3140  spectrum.exe
5824  ssh-agent.exe
5012  TieringEngineService.exe
2304  AgentService.exe
5600  vds.exe
6064  vssvc.exe
1256  wbengine.exe
4752  WmiApSrv.exe
3848  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
description                   ioc                                                                  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification  C:\Windows\DtcInstall.log                                            msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Token: SeAuditPrivilege 3744 fxssvc.exe
Token: SeRestorePrivilege 5012 TieringEngineService.exe
Token: SeManageVolumePrivilege 5012 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2304 AgentService.exe
Token: SeBackupPrivilege 6064 vssvc.exe
Token: SeRestorePrivilege 6064 vssvc.exe
Token: SeAuditPrivilege 6064 vssvc.exe
Token: SeBackupPrivilege 1256 wbengine.exe
Token: SeRestorePrivilege 1256 wbengine.exe
Token: SeSecurityPrivilege 1256 wbengine.exe
Token: 33 3848 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3848 SearchIndexer.exe
Token: SeDebugPrivilege 4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Token: SeDebugPrivilege 4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Token: SeDebugPrivilege 4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Token: SeDebugPrivilege 4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Token: SeDebugPrivilege 4028 2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Token: SeDebugPrivilege 3984 alg.exe
Token: SeDebugPrivilege 3984 alg.exe
Token: SeDebugPrivilege 3984 alg.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3848 wrote to memory of 2828 3848 SearchIndexer.exe 110
PID 3848 wrote to memory of 2828 3848 SearchIndexer.exe 110
PID 3848 wrote to memory of 576 3848 SearchIndexer.exe 111
PID 3848 wrote to memory of 576 3848 SearchIndexer.exe 111
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe" (level 1)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe (level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3984
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
- Executes dropped EXE
PID:2500
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (level 1)
PID:4044
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe (level 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3744
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe" (level 1)
- Executes dropped EXE
PID:712
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" (level 1)
- Executes dropped EXE
PID:4388
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (level 1)
- Executes dropped EXE
PID:2592
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe (level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4048
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (level 1)
- Executes dropped EXE
PID:1928
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
- Executes dropped EXE
PID:2708
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe (level 1)
- Executes dropped EXE
PID:6128
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe (level 1)
- Executes dropped EXE
PID:5332
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe (level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5808
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe (level 1)
- Executes dropped EXE
PID:4468
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe (level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3140
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
- Executes dropped EXE
PID:5824
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (level 1)
PID:1740
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe (level 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe (level 1)
- Executes dropped EXE
PID:5600
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6064
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe" (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
- Executes dropped EXE
PID:4752
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (level 2, child of PID 3848)
- Modifies data under HKEY_USERS
PID:2828
-
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 (level 2, child of PID 3848)
- Modifies data under HKEY_USERS
PID:576
-
Network
MITRE ATT&CK Enterprise v15
Downloads