Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/06/2024, 20:15
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Resource: win7-20240215-en
General
Target: 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Size: 1.6MB
MD5: 210b1865ec1f2da90fa2e5354528e4f3
SHA1: 543bf158ef18842b2eb675ebca0c06101e7524d1
SHA256: bbd4dad204cda09ea66bf979cd13fe74bfb67f78e33608935cf7e41e8478b941
SHA512: b883c7490fd4e8831cff4710209b429a1c6e5d5e76e4100ec9d2937e72aa255c00334987de562bb7f313c0c39984b66dd3bc2d901e9c0c0df3d01a6b97bb3e06
SSDEEP: 24576:86BoTNjx+mZCkt76f/24pN+XNqNG6hditW:BBAf9Ckt7c20+9qNxUW
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
3932 | alg.exe
3016 | DiagnosticsHub.StandardCollector.Service.exe
1436 | fxssvc.exe
4936 | elevation_service.exe
5028 | elevation_service.exe
4252 | maintenanceservice.exe
4920 | msdtc.exe
3864 | OSE.EXE
2108 | PerceptionSimulationService.exe
1048 | perfhost.exe
4380 | locator.exe
1856 | SensorDataService.exe
2132 | snmptrap.exe
2012 | spectrum.exe
5036 | ssh-agent.exe
4852 | TieringEngineService.exe
3144 | AgentService.exe
3176 | vds.exe
2760 | vssvc.exe
4372 | wbengine.exe
1924 | WmiApSrv.exe
1252 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\13e7172d1ed82f9f.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008793029aaabada01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae9bb092aabada01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c821993aabada01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebb9289aaabada01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd6b4493aabada01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e2d3e9aaabada01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c57079aaabada01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f036cd92aabada01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Token: SeAuditPrivilege 1436 fxssvc.exe
Token: SeRestorePrivilege 4852 TieringEngineService.exe
Token: SeManageVolumePrivilege 4852 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3144 AgentService.exe
Token: SeBackupPrivilege 2760 vssvc.exe
Token: SeRestorePrivilege 2760 vssvc.exe
Token: SeAuditPrivilege 2760 vssvc.exe
Token: SeBackupPrivilege 4372 wbengine.exe
Token: SeRestorePrivilege 4372 wbengine.exe
Token: SeSecurityPrivilege 4372 wbengine.exe
Token: 33 1252 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1252 SearchIndexer.exe
Token: SeDebugPrivilege 4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Token: SeDebugPrivilege 4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Token: SeDebugPrivilege 4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Token: SeDebugPrivilege 4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Token: SeDebugPrivilege 4616 2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Token: SeDebugPrivilege 3932 alg.exe
Token: SeDebugPrivilege 3932 alg.exe
Token: SeDebugPrivilege 3932 alg.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1252 wrote to memory of 2336 1252 SearchIndexer.exe 110
PID 1252 wrote to memory of 2336 1252 SearchIndexer.exe 110
PID 1252 wrote to memory of 1240 1252 SearchIndexer.exe 113
PID 1252 wrote to memory of 1240 1252 SearchIndexer.exe 113
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3932
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:3016
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
PID:2680
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4936
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:5028
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:4252
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4920
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3864
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:2108
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1048
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4380
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1856
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2132
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2012
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:5036
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
PID:1828
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4852
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3144
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3176
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4372
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1924
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2336
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:1240
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5
d5d9260234c37b2da6b910c8fdbb1ba9
SHA1
2a125f8ac5ba16a93db55da89d81a418c183747c
SHA256
ca562856daef666d4692f4ff27b4b2e43d4ffeef91d27c5e2fbb20374ba03a4c
SHA512
555d9fd3a379c4be5a623ca1c21b9428e5588389fb1cdcea414d535b97c18f91155f6a6e11d0fcceef25d600825ec7fce5d4dddf94a4ea0a27fd0a95856b1feb
-
Filesize
1.7MB
MD5
90c5de5f26dcb44f8e6ff421053d645e
SHA1
fb28be7bd0bea8cbf0997951dae8f1d1ab38b15a
SHA256
e5439b50484b0dbdcd2a71797b1aaef1c28f9bfcf1e96517fa24688c4a64d8f0
SHA512
2fb90f6d47781a326e5f8d4c84708cedea95e0670629518e3f2666675145c04c49a466d80cfeeaa42a4e75f2baa1f80a187ae00e1a9eb45e2f27c2e4ce1824dd
-
Filesize
2.0MB
MD5
4875a22d9f26c928329658863316e190
SHA1
a514b4b79555dd455b035b20e3653e8667f2ad06
SHA256
7edefd38117428317ee290846fbb34d9ae89afeb4ff1c6888677ca1835a7438a
SHA512
64c7ea3b5ea1c4041a851d55f35cabae34a494a038bc48af6d429022ef4d44121246832b24f60cebf578da10b6744f096659adea7a5b3db3226dace2de846c3b
-
Filesize
1.5MB
MD5
ab51036ffae2d5766798a608765829c5
SHA1
58d0ea65cac0dd8527e7a8197e39595da69c0d79
SHA256
ac51befe3583ba21e3b1db2c5f97698fd91a1476cefe6900fca75eda75618922
SHA512
0d400b9478dc2a9a7e4ddcfa45b5c502c7401e0af9e336c431c9a1b0c2f77683740bb29692b6e174a9c0008a6e7cc41499df3e30735f0b8f61ab455b39ea56df
-
Filesize
1.2MB
MD5
2449b78d6ef67cfc01a9172cf869bc9c
SHA1
9a1d0d74d39e862f9a4155b5a5efec9ecb716e90
SHA256
b449a3660f007801b07b83c03edc24e24e85766be0f411dede709dddb279e206
SHA512
0df13b737eee457d235e1b4c11b1d632717f6072a9ee292182e2bf27d3a222c4d79ecbcba0a213a3c0f33fbfd35eef495c61722cf713cadc037950eb5dca5929
-
Filesize
1.4MB
MD5
fc8366b3ca4e66910b60b107c683b737
SHA1
d4632b51a6d87330096bdd5282a7a9d5bbb7c287
SHA256
2099a39ebb51cf43a45dd63472df8246d1738cc35c3d7470b523c36f8e3132ab
SHA512
921bc2ca715ad67c06664d12af1a127e93318553f3cb3406d58cede1d3349674254e5d284204d66929f331bc5f7d6524dd01b0a7d13bc90918295cfbc34e623b
-
Filesize
1.7MB
MD5
d28df7d080aa48202bc48baf4f51b744
SHA1
6d9001b9b09432a89f01d99b0149c483b0c21533
SHA256
8e8d8573b1de95f9003492ced1c4c47538a2d2451b0baae78d1a626c7e09ebb0
SHA512
fe4f6ced8aa720d71b29e46b9b9f1b5fd392e63817ec6283c4108d18b6f9b0b2957e8aa378bd90065d3300706c38a5c5188001cef10c12cbbab41a879fc88ee2
-
Filesize
4.6MB
MD5
818e798c16779655ef915829a8f3d80c
SHA1
8e30a1b4a17dbd7195a44b2c26d1ced39a088896
SHA256
199e78bf545d82ae9024bb2a2e9d5ae3aa7c3955ba79ad3361402a75115b0361
SHA512
a7fef79777fca76a7dd968e5d0d02ba77c2fcb57bc48aae89cb369c8f440e1276813a66ee27462118f8a9d8337bc1c893be2c4fd535b338d6570adf7f6b58649
-
Filesize
1.8MB
MD5
01187891ea7485130309e596b1ac92ca
SHA1
6562f987071a7dd9ec37065142fada52eb0b2f32
SHA256
4d299d6f389d1df893c676a8ba8893da9a941a55f29d8a4f270780b2b47d872e
SHA512
5c163ec7f920bfc7c3cac7d4bfdbea87bcb22046ee46cb89dd2b4dd635e7e6f56babab0c4d55af9f815cc68aea5fd069360830796904795b37ffd0112ceb8621
-
Filesize
24.0MB
MD5
a4d9b108792e30c8af3257d25aa9d70e
SHA1
03278c1f65163c258ebee1923b09811e9929746c
SHA256
adf15078c06701248080dc4c143a06a366d257d99c574b1706a5ecc619c0d57c
SHA512
e0d42768278b5e911fdbc0403396a2c1111613bf3847068c26b6b4bca55802d0a72919a6f41f466a509604bf7917d6bac1d1d8f5df0f5b3fa362355885dc4108
-
Filesize
2.7MB
MD5
41916de9431ad7b698373075b8fb6dac
SHA1
8d84f4d96586eb66d2e4e6b7a8ffe19bff3ed3b6
SHA256
9f8460f5e9281e36092f63901a651f10d4d29305121443a6b1d5ed0e53bf034f
SHA512
0198a72e2a95b1f545fd687d74daa2a590645d8907db24b6719588a1dc7db6cc2d0ad76803e306bb3ca8755bcc1800ed07e1adcac31270a8a8abd0c6c930892a
-
Filesize
1.1MB
MD5
b71bf7d812c66564bfefe8b04d2f929c
SHA1
6c4f00b01ad6fe66bcdb6437acd0e5abc23d85de
SHA256
6f6b95ec56f8e270d7c940b1fca0e9bca215b14cc49785d3b9cc0dc6c1f51119
SHA512
d2720504003b38f33654692867287082479fefa35922cfb50d8146601d2872251d62e14eacc1d0fac12b974dd18a08dce797e2087e79ff0155e4f5a74b2d7242
-
Filesize
1.7MB
MD5
584eee7fbbf97f6c452fd3f3b94fc870
SHA1
ef3b6cd0acd0d99151dc1f950fda3c097b158fe4
SHA256
187d5919730e1232b5ba86d2069472f4ca6780e25e390da2b45f29fcf406eccf
SHA512
456391cbfe15e975f9806b09681b1e9c1191d1d76f8ba7f98ba1931fc206026ff143dca6fcec16fcdf2171e253c2ede0b57f87a527d4a3f22f2a0b4830c3b5e6
-
Filesize
1.5MB
MD5
39712aa3099193f1cb284f3dde9e30ae
SHA1
511b10a2948e8bfd28c631484d81bd112264c125
SHA256
5850a65f126d64ecdc6e45c863b490f0f1f036ef3a96309c3a4a67021d9f9cec
SHA512
ebe03b667449d440811ca60fa6f62686446b2bb39fe3f267be4df8ef5847f9605c1cfd8117391ea9273a7a5b3a6dcf93a1ce7dce04a88c5ecd5925bc5c7225e9
-
Filesize
5.4MB
MD5
05be24d742d7827454117e0f0313f560
SHA1
361bb0ab0822fb477d647366909b4b37f7b9270d
SHA256
9ba36a550a5b16e0fec48f7f3de988d1633a58b3b3cbd7c6522eb0ed5ae0cddb
SHA512
d3177b795aa009743124a3ff8093dbf459f2f00b275d4720588afc0fd2373a471135b62b48bad0d9cf0a0396f65feb2812a315f6ab8747e5486efe7a5d21b89f
-
Filesize
5.4MB
MD5
dfd93da32bb72fc40cebb7b92fc73dea
SHA1
e92e7fefd285935f31e20f72de34ecc4aeaa8f71
SHA256
a5ec2c530eb634b77d57e0af2faab9c12eddce16f2cab66e9529f376a73d9076
SHA512
0a107b10fc18746bc11c86d7d15de8c15004d9780da91e3df10f78d9fe9fa7e084b47ada9ec824530f2b6be344036a8414ce1d4a44a3f225e08989614523509d
-
Filesize
2.0MB
MD5
d96829fc0bc6c4b1fba95d5ae2db64eb
SHA1
9f63720dd38ecd309bcdb7f5dde97996754a6eac
SHA256
1a2bda3487908074748a55915c42ee5bbd2217ca4e627d5c97e1be9f8471907e
SHA512
789e50059c95167c94b38d587fdc6d91f602eb93c1f6dfeb3d389bcb5f8e84f23812f423e8c460a6407880007b2bb5a6ec85f1b0937917ab2284c0a7f597f21b
-
Filesize
2.2MB
MD5
2f9b566527baa424aa9f0f384a398ae6
SHA1
123cb1f0ed8935ce75e120a6235c85d752cb56f3
SHA256
99f860cf14acf18dfbb1ad3f2f2e09bd5b34d9f3e5c288ce82b045249c811778
SHA512
60c2213056d02aef33f350a7700dbdeb5c9eec4b87a18d0a78bb62744aa349ca5029fea43674e6a3dfe6155c69cb32a265b97901c1be0520058ce8fca72c562d
-
Filesize
1.8MB
MD5
c51fe04862d72cae81966ade21f735e3
SHA1
28522b2f494320cccecadb5a979865cb6b7ded21
SHA256
28666408657865d4ff420be7045ce5b15a979bca272d186ab2f99538a575088d
SHA512
b70920c8beac7fc0d74a16a41b260be46ce537987aa6dc36cb44c9e7b48ad777a0aa100ec1ccba8fddb8b104ce8fa847924f280ab70763ede39623e83eee7e72
-
Filesize
1.7MB
MD5
4cadab908392d3dde737ce49da553208
SHA1
a7f2386ff5bb9af4b14b3d4e333f9b2cdfca4ad9
SHA256
d84aa285f88f6a8b7646f0aa5a3aac79cb7416225c38118281e83c9a57d3b438
SHA512
3adbddd4e4e6f8ce04e65e459d7dc59d5b59e36851b67acc2952d7e4a921e0dd9042cc3f5c57d4db8c86447235c28a20039d3702bb7991004cacc70ba3bbc42d
-
Filesize
1.4MB
MD5
0f94600d16463a224373449d3e5ecbba
SHA1
cf55067b9ad5e2a6ada42e0526a47e28f9b1b35e
SHA256
648673277d6d326e83d10884f82c29fec65496f2f469cf80b68b43068f5aef36
SHA512
493df24ad25287d0372fd3112fe648b385de9204b11303d0e7c28b45403b6008ccb7d0ae976c0543287772fae128f4336f7fba11e9e686e632662e5f19e17163
-
Filesize
1.4MB
MD5
7e2a14a490be067525779e3b19a5421c
SHA1
08401f99ca9a6ea06cf99b70b86f7d55353f6f80
SHA256
10949405170f952426de69b4e54803fcd86c7692c43550f44cc907af48923b3a
SHA512
7a0080a8520457759f9a2ea01695d53b382d3d02263ce197ccf5cc637be66032d2b9ea37d5b15d10d2677e4f44d48c975c5c5f014c909bd09036a3a57d0a6573
-
Filesize
1.4MB
MD5
6a73a36aee7721d8dfff76b336435946
SHA1
fe85a0471f28bb88ae4dba09d4f135206115b5a5
SHA256
860cafd82363693804fcb8f6c68d18019de89e2d033fdd39325fc50844de890d
SHA512
2930fb580cb92236207da7e2e3de5da378e2484e2af7799d5ef513bb1335d2eb6f5fbaba4ad2924ca4fd8ca64826e92413c59e04fc155cabe284dd8f5e51f486
-
Filesize
1.5MB
MD5
495f9111210e26c48fe3ab81dd648cf5
SHA1
4ad3baa3ca86bb97b37613e66babb553b6be98f2
SHA256
472b4632737ac27dfe07df33e83ed20d0af06c2ce2a6a8e5c1f82df6d1524cac
SHA512
1913e19d69deb0d35bfbfecd8e7c00d6fce0817e9c1c41e0a4ea3ab5636019a010de88303cba85f21b41047e216c3068044ae94a90ee8cc046fdff65bf24dd9e
-
Filesize
1.4MB
MD5
61546a6fa1165f2b4df4b0b2ee5d40c5
SHA1
76db6c497b3af155ad94b6e10aa32027715e3c68
SHA256
e85cad67b8fa19a62c013b433f30d7b5f05d019c8edde98c9c547f53373d410f
SHA512
e4c850d6d820fe6fd16d9701e00e8e7b2101a6d03ea071c2a29019720a6da60774418763730033d53a56ded6bfcc4086a79b1f8e5245ab3acd29029e345dfe56
-
Filesize
1.4MB
MD5
bddaf59ec9f8fd90a4941f057a77675d
SHA1
5b4995a88598e4b5d8785cea60835c15ff5937bf
SHA256
57672e5a85e00ef649b68e78141e18178719f9b5d36bc4b797a034ea14b950a8
SHA512
c37971803418f16e05a18a0ea44e6d31742b5b0f0957b49c0db046e0ab4d6eb8430ee910c745c89e45cb0d544fd6a7cdab03147f5a6e59506562ad1d0d9ba7a2
-
Filesize
1.4MB
MD5
a3c1aa1c2fd45da7f42e1387835cb7ab
SHA1
e530c94692232aa84b7c2c5fbbc6a250fb0fce2d
SHA256
d307f22f914a102e1274a8366968b099d212c5a29516d6bf44c0cbaf52fcf56f
SHA512
371d28732b33c4b01574800b28de55e483c3e070bf1b88ed99fb301971706b89e750a06b394f68d6a43d470d3ca6ca117762d443abb554a05e6ce642888e8621
-
Filesize
1.7MB
MD5
65f971a27bc79abf1d423d83f680b5a1
SHA1
9295d13fae49e803c5b8ac6c173f47b02b0e0d46
SHA256
8f6c4876691852688922cb6054bca88acfa88a6446b3dee4d23e7716bc1aaad8
SHA512
a2d32267ed23f590125a84e7bb47a6883f5e7855e1b3aea37c37d0f31c8eac647ca6018c47eddb8ef63da86e8e5dcff91956c9df716d2d0646b072183811ea72
-
Filesize
1.4MB
MD5
d61c47393afe350b01b8adbb3e2f6071
SHA1
ff97c4e3e4f664016677d7a7050bf52048c46216
SHA256
d336347e3e4c4bcf796c49cc3d94598780adecba4636a2c81eab012c1ce45773
SHA512
ac854e42cfd87edcf5edb8c2e64d06a3e5b8f4b14e07c3d97b437bf9bee332c47e35060fee3012a37a24462e467f7740e30b297d21541a31eaae49ec17ec6ce8
-
Filesize
1.4MB
MD5
5e31608b37b05e026b3a1362b35a7747
SHA1
eb4b9380ceeb0c0682ccf24d554b023073852cd3
SHA256
0f31be4984cb1b8f91ebd9e420d0da55449f99247bad4a2395bdb78d73204710
SHA512
d8557c82a8dbce298d1ee4b06f6e9fcb2e8a3ae7d255a05eacc1efe2f8e0b747aca70f97eceae61edbc594e0ec9e93cd1f9ec1228eccda7cbd18667973049151
-
Filesize
1.6MB
MD5
3e3c87b38d20677821ab83017a1ee2cd
SHA1
b84820de53f183fd7fe43527ac8685df5773b754
SHA256
a579a5096e36446c87b592d3f4a64ee4c5b7b6593658ffac5695b8e563e1c0db
SHA512
fc0ce26165a30b7f6fd80d0eaa5a57f769c06b14fe2871be390f6891f59d1a3861c9d0db09cd1cf8b8140c91d942a7942bfef23c805d32da456bf85f0b84e51b
-
Filesize
1.4MB
MD5
82b438c2ea1f18aa5dea8be0445a6f97
SHA1
4195296e2727c9410ae7600749320edf19c100ee
SHA256
8b2c09e0dfcd39829a114369c04500acde7b34c310b198b219a1e3e4b115eaf2
SHA512
0703f726a0c639ea00b3c3f779e583c33099dba21e5fb3ea402173d83cce4f97e648967f08c8fbe8039e1e2f0e05e2e78a40e60ab9bccc1b1d196c251c848567
-
Filesize
1.4MB
MD5
5b037b8e84ef4fa731c1bbde9aa52ecc
SHA1
cce7f9ad77a3aa38a4f868ed4065bd4509609181
SHA256
f43251de67ada8081b4d818867071d1de00979c2f0e73c1d7fb15eca44dae6c9
SHA512
a084e51e7b97f8da63f101cfb3b9d554ad46b5cb6a4abc072a9c51999d10c647c8562213f70fcef2f275f86c92af2b6252780ea11b81ef1c62376fa270445016
-
Filesize
1.6MB
MD5
174f0b062f347028cb881d99af82221a
SHA1
f61c6d48046af653f8fca62abfdd4b5c692d5d4f
SHA256
8657771b1e7afb12b46272bc4b652ee619eceec8690e6e282b8efe9480ad51df
SHA512
980f97db88561ea61dc5f67b8844b1094f2de298e1c20db8517584569784d791a9966a38b4d0ae8c534ac8a3494829b582a338e0fae617b2d93ab8016174c6aa
-
Filesize
1.7MB
MD5
11606feb17fa8c7ebed0dc1eddbd1bdd
SHA1
58dcec88879fec9f4f63f97be458e1525ca24553
SHA256
b0e8db10c1fa5af9503b0930858ed3276c38b0c9aac13017b78fbab70dd9c7c4
SHA512
4a3f570ead49e46c15969e7e0b940759a17bae7ae838d584c9938a0944b5f586010e92a14d9fa98164d98c8ef698bb50ba6ef314c603412adaff3d71a409551f
-
Filesize
1.9MB
MD5
acf6f542c7080336caf64202ccd93d56
SHA1
0717d494c5e543a361578e8dce8d573eceb240d8
SHA256
16682504288fd0b2080772d284ed9531233a73ef0c11262c46c314a159ed0724
SHA512
0800b686fa7b4bf8ddb13d05915a113e50f77d6b910c1fb3ba7544cae7bbfb098ef6b646ef06b26fafb4695b56b3e4f1d0af12e370337251fa27c177691a8f6e
-
Filesize
1.5MB
MD5
726f49620191d87352a5918e1bf0eca5
SHA1
cf390c3040d85b1c40a94c1b7d5e95ec9cd6e026
SHA256
9279d7a924b831e1ffeed08d6fbdc2e03fc809c6cdfd074e0bc1ababa9f3ccb8
SHA512
9dd27231fea5338a684ebe49b284471d001aa63ef4a4f0e8bdb3b5b89bc364f28181075cb6115e8f274dbfc237e73988f6d1ef29b94b77fe11777530a3e87170
-
Filesize
1.6MB
MD5
aba7835cb5506378ecd7457b468e7759
SHA1
53b61464bbe010c57e0269fa65a10385319030dd
SHA256
6e589aa786c004da33a98d8c5637381c4ef3c086d0fd7e46a798b1c23dc09f65
SHA512
e6526387dc32bb21b52f004692d8e6ae9d0da13aa1dde7e5ebbd9eb4959f4104483767472ee830374930e7e581d4fae93f27b97d55644f8e15286c1ee289f2c3
-
Filesize
1.4MB
MD5
1086a3be887ad086308f1be45fa32667
SHA1
0852b55f1cb6eb6d6a2e5520a6b595e9c95ff03e
SHA256
56044fce6dabe3444d136032fac2794f428fbce26b16f346733010f88ebdf93f
SHA512
5f4ebe4c22dee4cefe318986b44a3a997854ae60ea6194cf0cf2415035cd3eb5826ec8305f53a972a96d9a7befb55f031566540fd0dd446b46380559a682316d
-
Filesize
1.7MB
MD5
b1612e0e0bc384267743448d90bce2f8
SHA1
8b654f6399d2823ac34a3f47fc00604eff489770
SHA256
a53951af0d3855aa9bf031eeef28a141e8260938581d502191e20a3ed052ce2c
SHA512
939632447c15505c981d0c2b15aca83c8d8c47ea883cb9c3aa2cd89d80e1dfd224018b484c438f70a8469b31413e8969b47f0f705019b48f1103f0fe676ddc96
-
Filesize
1.5MB
MD5
b5af8c808f745dc36459bcf303adf08b
SHA1
effd94f5d0b8fcd479dab76146e932c58f2cb11c
SHA256
b1b738074aac5ac1a024f4a9eda85c0489b23d854aef236e2e4edf599c6d5d98
SHA512
8c3a26ea7302e8f4f2059c36b2a140195344823a53d20129114a7dd7d4f7e8cada01414eeec89efcbcfd817472fb6fa01eeb96d87116c523707e0f94288f3b94
-
Filesize
1.2MB
MD5
4c0e760e2a18513452732c0c7924bf6c
SHA1
a59153ed5161bf877ec68d4eef82803a1194cd0f
SHA256
8e356caf11d680edb7812a6e3eec9592019c02fb7585ffba52b3162715cd904e
SHA512
03cdb9796b87a849bc46417f780375f04e8f7b39520efe6e5e973165afce07af6216abfc510ef0062a82eb9cff5df02fb0c385752651c5dae1de41f9ed46c0ce
-
Filesize
1.4MB
MD5
ec04cbd954353385fd0e0e8b5be0fb7e
SHA1
3b4f8fabeb6c03b87c8d587e6b4762f885424b40
SHA256
635204a3a3363e3653818c89497a965aa7d201a2bc852ac5c282db41102024ab
SHA512
e1c22963a9fa4f3cae48625afefde60bd2ffd1813f2ca221c9b847868662b3379897ce94c7e8079a045de7aefbdf0e331bc0f904ddac65dc16ab4fa70c854c21
-
Filesize
1.8MB
MD5
8198c60ab5c18d01b06e116449ffae9b
SHA1
3a6f2d312be85a5388ce197678370abca7370cbd
SHA256
f3f181faaeae0b9bb8312849ae5396893320e52f61099ec32936721b02e7ba47
SHA512
6630932852c963566eda74083a0f640b0e2b56b14b84e18b559ebb4e561814135f6771f4785f9c0ccc44a53016442b035e591598aca5a99df1122c7df0dd5a58
-
Filesize
1.5MB
MD5
4b13647d4d6b8d75376fad6c49fff261
SHA1
1315664e350fe3c02ba5885b753b7b72dab2b0ff
SHA256
689256877602d86560995967b0481140e071c0a8fae661aedbd7dfd8e03c8ba2
SHA512
d49127c0ec995b17acc956ab3d7cd549d9c3b23e5e7f56d88f1bcd737e7ca9effa4cf145a7101f5721133abc9abd0a521eac007222851a8ac5d392512d34fe50
-
Filesize
1.4MB
MD5
fcafb8fa9c3492fbd0d4fb0dcb344798
SHA1
859a1d8a0af4caa8687adc08dc6ed84f0c63811e
SHA256
c3c9b810ce75034cb1afcfac5b79b8a751760cb560573f0ce804a9cc565bcf80
SHA512
30f3de604b85a9b3a3c3221a532bb571e21ab5f59bbb28215dcb23902a5438779fe65e40f5b8eff7876c7ec3129eb871aebd57ddd4dd4a5d5bcf0aa7cabf9ef5
-
Filesize
1.8MB
MD5
9fc8d05350beb7731f46bb1e0b23be9d
SHA1
3466af66ee603d12e094d4c3770d46c186fdd927
SHA256
7009f2bd426891645dfbd84c71906948205d34db87c7abc80b3539159a6d167b
SHA512
b82bf11e7e20dcf2051731f5f7bb97181313da5792885dafc0f26614dfe39b3e69cf3d295f1080cf616a8e0f86c9427cd7977c88856a9f32b68b04c80146d847
-
Filesize
1.4MB
MD5
bf724bec5f9a92f7dc6ceffa67afea4e
SHA1
e47d5232cf3e3f2b5245f50c1abb2d974ede48b8
SHA256
a06785227ad7f14e5253c44b7d6449bf2b9065e1927bd882a85da6ccbfcd4604
SHA512
c7669dc729752d46c4e4e32d8e92f2fd502c3d35da38b5f95e5f9adb3d49ef18d5488ee8a706596438a41bafe0e16e72057ef141f46f0cc39d7223ed02915a55
-
Filesize
1.7MB
MD5
9ccb886602249a1ff4809df66043880c
SHA1
0fa248c116f300d5f954b6ce0ea3a2a28d347d51
SHA256
2d5661aaedafffdae0729540443ce37f2f625f4f132cf0073038437fb81844e3
SHA512
0927bcd3d9c4c2c68ed806efda56290cf61c1323573cf27c941b0e1c33f87a93e45ce476bbfaa93529bfe6971355b94e79a582b9e600d1c48b8f18c52e5eb224
-
Filesize
2.0MB
MD5
b206cea0ae994a21474a7f2c055058af
SHA1
9aa27db2bb83f8a2008a1961d904936050a8fc11
SHA256
2aaf609dde084c1323a4681081276c29e3c7b250479753f87e41ff90e9a9e117
SHA512
7aef1e572172f0295b935ebf37181489cbd93961c6e77bfbf51c8d5a801a3dcfa928413a009d49983056c2843429bbba5cc8aaeb8a7efb23c0612ec6b63f7313
-
Filesize
1.5MB
MD5
057b8db40da8f11e2f92745b8e1be41e
SHA1
df30e8d3806d16dede7079fcc8280474eab10536
SHA256
5b54d1612a54c0242140b01a75330d9d8a3a3681fc3fb2806559b653ff345cd0
SHA512
ef4de57fcf1514e5661cc114eb73bc8b767162b5be584a029fa3e073ce429f572c1927a3c2aab10fe25266c0b2305cd8ded7908b937368a56976faede715963e
-
Filesize
1.6MB
MD5
d7d5f9b86ebfb5a5d5442dc878cc3c7b
SHA1
1f17aa5df8a828ed3a311f61dfd538fe00d58068
SHA256
0405b63bfed840557e7e2d2c29ebe38bd9fbe2424bf258aeec46ed211ced3f3a
SHA512
1dbbdf4e8449ebeeb68ae5f20aa628ebb800a5f696749dc43fabd26a6cb9d7d0bbb453109ae5b9fbdaaf12e58d2d07d49abfa5209469cb1665d562cb9b6a008f
-
Filesize
1.4MB
MD5
eeed8b5a153683b9f2037ed0816b167d
SHA1
7ae6e488121425164a8b7fa27b6a79c0ff104750
SHA256
7f1de5ddc9b2f81abbcedeae7dc52f10b9a028c4f3109da518cdf64db9992379
SHA512
a95fc8ea3b7d44da815e7ceb9890290eccefee5e2407a88c7965f2d7d18faac3dc19e7f9aea0bfb11be03be160f308c6722025e194fe01835474f13dff0446e2
-
Filesize
1.3MB
MD5
cd6eb5967e29394991ded40be2488b5f
SHA1
3c26cd686c5af3e23470afab0ed382cf7db55189
SHA256
ab223e1d492f235b4127bf0e99b70c7c0053a1505292e30b0875211a49bb9d9e
SHA512
614f151c994d55bfbad5915fe0bcbe78848a95d2c7b1c122ca13ebad3748e003dc56a4bf52bb2c14701b0235f221d30801051609e9b1bbf12fce57b049ec0aa0
-
Filesize
1.6MB
MD5
5e003ecc737070448bd33365ad96f4c7
SHA1
b39dc41b2fdf1d77c1c7e81e86e1bdd112dd3851
SHA256
32cba854cf0502c8c84c0f824922a0f793d737993ea307733d25c1195ac04892
SHA512
042b12f1fc0ba1c35b7acc61899cb19aeae9c321fdb3e363071d78d6567b41966671cfb024e1fd1a4b0f09385dcaa5c45fdea31f6f2b7963a3866b0ae1575321
-
Filesize
2.1MB
MD5
dec444cad3231a91f8e2a9755330389a
SHA1
06e040d14243da50d361ec600662b77463dd9cb4
SHA256
cdde5ff457b25ac397559a0df31f303f6204bd235c814cd4bdd970256a348690
SHA512
f51e8376f5fa5c52bd56a8c3e2ad0018ef846dc820120b5c5fe33dabc2cef65766309e591592d0970122e6e92e2f0a91f2e8e74903a0f1ae3416348384c30129
-
Filesize
1.3MB
MD5
d4b94f3aea85a37e38019829f48a9630
SHA1
493a0f099e749201b174bda7dfc5f06bd4ed6ce7
SHA256
520f740c3cb2c29e62b16afbbf34693d0778b29357cd65914d1b52593ec3d76b
SHA512
52d4e8d00689c3ff2f4d5a7eab9e9f31ef6fb2087b92e3be1ce9c05c51e90b49ab427e7b6ef4b4c3471bc7589e2bd6c715f3089ceb860b4fc411a620137544c0
-
Filesize
1.7MB
MD5
ce3606277b7c25c7f9b081eca223a756
SHA1
6d36882d287df95d26a781d5e9e89d6d972f0f74
SHA256
080381ac533a299344af4ca6274609b03c90572bc569ba8f1ebadc7a607b4f9d
SHA512
b8a4c8720893d849ea7241839e2c65df7c3b97784de3d33db62407623fb9d9391988d8883e2a1fa7328549d97ce2662f58b3f437fe4e9099860d626ad6418e9d
-
Filesize
1.5MB
MD5
3c22f7bff370338996c7bb5d930c1688
SHA1
3bfc6b4c7c0644f8c795dff4f1aa3ee3c9a24372
SHA256
7943ef6cd1b28b4fd9c377082398ef6624412ff567295cee4fa6a9a4d3d09c26
SHA512
acd0c69295716724e955ef9016985a74f4b61879f06798f5f68dd04940686b620e996c576f09bd24bbc8646c081e5f1e7234fca947a938512eb0afcb4b0821ee