Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 15:08
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-02_831f305c732d16b80586ec0bae4b8c2f_bkransomware_karagany.exe
Resource: win7-20240221-en
General
Target: 2024-06-02_831f305c732d16b80586ec0bae4b8c2f_bkransomware_karagany.exe
Size: 677KB
MD5: 831f305c732d16b80586ec0bae4b8c2f
SHA1: 67b34e9c98d8ee83f098663848a654c185875ce2
SHA256: 28ad2370504b82fb26de82032133e80d789a21002d02f01887943276251ad670
SHA512: 668772968b1dc2ffda4e003a275aa695c0a6c2449ac6dd89f017330d6da583a7e4b3719daf06e134df9909de011836303e7b0a3a87de73085c30e94f8997c204
SSDEEP: 12288:fvXk1HxzcJsxDcaouKmZk3SPJ0Kpt91AfwQ8X2e/eVRlhwVQXGw/1+mgmwjjxo5:nk19maouGSPGM9ZQ8GYelhwOXGEDgm6
Malware Config
Signatures
Executes dropped EXE 21 IoCs
pid | Process
4152 | alg.exe
968 | DiagnosticsHub.StandardCollector.Service.exe
4308 | elevation_service.exe
1460 | elevation_service.exe
1684 | maintenanceservice.exe
4280 | OSE.EXE
4512 | msdtc.exe
1056 | PerceptionSimulationService.exe
1696 | perfhost.exe
4520 | locator.exe
4620 | SensorDataService.exe
1340 | snmptrap.exe
2028 | spectrum.exe
3308 | ssh-agent.exe
4156 | TieringEngineService.exe
2996 | AgentService.exe
3196 | vds.exe
4576 | vssvc.exe
652 | wbengine.exe
2892 | WmiApSrv.exe
4108 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 30 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\57f8d60c8beeeac9.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-02_831f305c732d16b80586ec0bae4b8c2f_bkransomware_karagany.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-02_831f305c732d16b80586ec0bae4b8c2f_bkransomware_karagany.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-02_831f305c732d16b80586ec0bae4b8c2f_bkransomware_karagany.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-02_831f305c732d16b80586ec0bae4b8c2f_bkransomware_karagany.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-02_831f305c732d16b80586ec0bae4b8c2f_bkransomware_karagany.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | elevation_service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1e95300ffb4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e685501ffb4da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092998300ffb4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087186601ffb4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034f7e200ffb4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093105b00ffb4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2d55f00ffb4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid   Process
968   DiagnosticsHub.StandardCollector.Service.exe
968   DiagnosticsHub.StandardCollector.Service.exe
968   DiagnosticsHub.StandardCollector.Service.exe
968   DiagnosticsHub.StandardCollector.Service.exe
968   DiagnosticsHub.StandardCollector.Service.exe
968   DiagnosticsHub.StandardCollector.Service.exe
4308  elevation_service.exe
4308  elevation_service.exe
4308  elevation_service.exe
4308  elevation_service.exe
4308  elevation_service.exe
4308  elevation_service.exe
4308  elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
684   Process not Found
684   Process not Found
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
description                           pid   Process
Token: SeTakeOwnershipPrivilege       4980  2024-06-02_831f305c732d16b80586ec0bae4b8c2f_bkransomware_karagany.exe
Token: SeDebugPrivilege               968   DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege       4308  elevation_service.exe
Token: SeRestorePrivilege             4156  TieringEngineService.exe
Token: SeManageVolumePrivilege        4156  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  2996  AgentService.exe
Token: SeBackupPrivilege              4576  vssvc.exe
Token: SeRestorePrivilege             4576  vssvc.exe
Token: SeAuditPrivilege               4576  vssvc.exe
Token: SeBackupPrivilege              652   wbengine.exe
Token: SeRestorePrivilege             652   wbengine.exe
Token: SeSecurityPrivilege            652   wbengine.exe
Token: 33                             4108  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege     4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       4108  SearchIndexer.exe
Token: SeDebugPrivilege               4308  elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                        pid   Process            procid_target
PID 4108 wrote to memory of 2112   4108  SearchIndexer.exe  117
PID 4108 wrote to memory of 2112   4108  SearchIndexer.exe  117
PID 4108 wrote to memory of 392    4108  SearchIndexer.exe  118
PID 4108 wrote to memory of 392    4108  SearchIndexer.exe  118
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-02_831f305c732d16b80586ec0bae4b8c2f_bkransomware_karagany.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-02_831f305c732d16b80586ec0bae4b8c2f_bkransomware_karagany.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:4152
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1460
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1684
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4280
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4512
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1056
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1696
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4520
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4620
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1340
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2028
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:3308
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4288
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4156
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3196
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:652
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2892
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2112
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
PID:392
-
Network
MITRE ATT&CK Enterprise v15
Downloads