Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/06/2024, 05:49
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
Resource: win7-20240221-en
General
Target: 2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
Size: 712KB
MD5: 89b2a6ed7ea30f6dbfa52066014909c9
SHA1: 1540534bba35b0cf525111f9d8a08c75f5f32e86
SHA256: 2b63c78e925e71959fbfa7bba6f495230c9f6115439dc7a372ec5f88955db432
SHA512: 397d2cee890f1113657f237acc325cafe5d59b4419be6e1ebdd45e01bd433cdfa838472f9d6638bcaff9f1c458ced7da74caf885a6f079c0a6ea7fb2489c4433
SSDEEP: 12288:ftOw6BaXFqXCRQSjMU3O5s+N6NhOlFVlVsTot16+DrgAPs4F2Y7YJba2EUYhsp+Z:V6BBSRQ5UOOU62FBnO+E222YJbNEUQKl
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid Process
4888 alg.exe
1724 DiagnosticsHub.StandardCollector.Service.exe
4488 fxssvc.exe
4496 elevation_service.exe
1028 elevation_service.exe
2512 maintenanceservice.exe
960 msdtc.exe
988 OSE.EXE
4860 PerceptionSimulationService.exe
2684 perfhost.exe
2868 locator.exe
4868 SensorDataService.exe
2676 snmptrap.exe
3688 spectrum.exe
1248 ssh-agent.exe
1296 TieringEngineService.exe
448 AgentService.exe
1840 vds.exe
2920 vssvc.exe
3668 wbengine.exe
3652 WmiApSrv.exe
4792 SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid | Process
3448 | 2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe (35 identical rows)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
652 | Process not Found
652 | Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 3448 | 2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
Token: SeAuditPrivilege | 4488 | fxssvc.exe
Token: SeRestorePrivilege | 1296 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 1296 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 448 | AgentService.exe
Token: SeBackupPrivilege | 2920 | vssvc.exe
Token: SeRestorePrivilege | 2920 | vssvc.exe
Token: SeAuditPrivilege | 2920 | vssvc.exe
Token: SeBackupPrivilege | 3668 | wbengine.exe
Token: SeRestorePrivilege | 3668 | wbengine.exe
Token: SeSecurityPrivilege | 3668 | wbengine.exe
Token: 33 | 4792 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 4792 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 4792 | SearchIndexer.exe (24 identical rows)
Token: SeDebugPrivilege | 3448 | 2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe (5 identical rows)
Token: SeDebugPrivilege | 4888 | alg.exe (3 identical rows)
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 4792 wrote to memory of 3968 | 4792 | SearchIndexer.exe | 110
PID 4792 wrote to memory of 3968 | 4792 | SearchIndexer.exe | 110
PID 4792 wrote to memory of 4004 | 4792 | SearchIndexer.exe | 111
PID 4792 wrote to memory of 4004 | 4792 | SearchIndexer.exe | 111
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware commonly calls it to enumerate and delete existing shadow copies so that encrypted files cannot be rolled back, which is why this signature is worth a look. In this run, however, no vssadmin, wmic or PowerShell shadow-copy deletion command appears in the process tree, and vssvc.exe itself (PID 2920) is one of the binaries the sample wrote and then ran, so the COM activity may be no more than the replaced service starting. Treat the signature as a prompt to check the shadow copies on an affected host rather than as proof that they were deleted.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:1724
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2252
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4496
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1028
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2512
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:960
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:988
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4860
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2684
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2868
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4868
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2676
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3688
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:1248
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:676
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1296
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1840
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3668
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:3652
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3968
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:4004
-
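A small triage helper, added here as an example and not part of this report or of tria.ge, that joins the process tree above with the "Suspicious use of AdjustPrivilegeToken" rows. It answers two questions a responder has after reading a report like this: which images flagged "Executes dropped EXE" are Windows service hosts the sample overwrote (and must be restored from known-good media) versus third-party updaters, and which processes enabled sensitive privileges that a genuine copy would not. Both input excerpts are constructed from rows on this page in the raw, flattened form the tables are exported in; the `EXPECTED` allowlist (what a real vssvc.exe or wbengine.exe normally enables) and the Windows/third-party split on the image path are analyst assumptions of this example, not data from the report.

```python
"""Join a tria.ge process tree with its AdjustPrivilegeToken rows to see what
each dropped binary did with its token.  Added example, not part of this
report or of tria.ge; both excerpts are constructed from rows on this page."""
import re
from collections import defaultdict

# Constructed tree excerpt: image path, command line and depth marker run
# together, one "- <tag>" line per signature, then "PID:<n>".
PROCESS_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3448
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4888
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2252
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:988
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920
"""
# Constructed excerpt of the AdjustPrivilegeToken table, same flattened form.
TOKEN_ROWS = (
    "Token: SeTakeOwnershipPrivilege 3448 2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe "
    "Token: SeBackupPrivilege 2920 vssvc.exe Token: SeRestorePrivilege 2920 vssvc.exe "
    "Token: SeAuditPrivilege 2920 vssvc.exe "
    "Token: SeDebugPrivilege 3448 2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe "
    "Token: SeDebugPrivilege 4888 alg.exe Token: SeDebugPrivilege 4888 alg.exe"
)

PATH_RE = re.compile(r"^(?P<path>(?:\\\?\?\\)?[A-Za-z]:\\.*?\.exe)", re.IGNORECASE)
PID_RE = re.compile(r"PID:(?P<pid>\d+)")
TOKEN_RE = re.compile(r"Token:\s+(?P<priv>\S+)\s+(?P<pid>\d+)\s+\S+")
# Privileges that deserve a look whoever enables them.
SENSITIVE = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
             "SeRestorePrivilege", "SeAssignPrimaryTokenPrivilege", "SeSecurityPrivilege"}
# What a genuine copy of these backup services normally enables.  Analyst
# allowlist: an assumption of this example, not something the report states.
EXPECTED = {"vssvc.exe": {"SeBackupPrivilege", "SeRestorePrivilege"},
            "wbengine.exe": {"SeBackupPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege"}}

def parse_process_tree(text):
    """One dict per process: image path, PID and the signature tags under it."""
    procs = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = PATH_RE.match(line)
        if m:  # new process; the lazy match stops at the image path's own .exe
            procs.append({"path": m.group("path"), "pid": None, "tags": set()})
        elif line.startswith("- ") and procs:
            procs[-1]["tags"].add(line[2:].strip())
        p = PID_RE.search(line)  # svchost rows carry PID on the path line itself
        if p and procs:
            procs[-1]["pid"] = int(p.group("pid"))
    return procs

def parse_token_rows(text):
    """PID -> set of privilege names enabled via AdjustPrivilegeToken."""
    privs = defaultdict(set)
    for m in TOKEN_RE.finditer(text):
        privs[int(m.group("pid"))].add(m.group("priv"))
    return privs

def classify(path):
    """Heuristic origin: Windows-shipped service host or third-party vendor binary."""
    clean = path[4:] if path.startswith("\\??\\") else path  # strip the NT prefix
    return "windows" if clean.lower().startswith("c:\\windows\\") else "third-party"

def triage(tree_text, token_text):
    """Findings in tree order; a privilege normal for a service is still noted when the image is the sample's."""
    privs = parse_token_rows(token_text)
    findings = []
    for proc in parse_process_tree(tree_text):
        name = proc["path"].rsplit("\\", 1)[-1].lower()
        hot = sorted(privs.get(proc["pid"], set()) & SENSITIVE)
        dropped = "Executes dropped EXE" in proc["tags"]
        notes = []
        if dropped:
            notes.append(f"image replaced by sample ({classify(proc['path'])})")
        odd = [x for x in hot if x not in EXPECTED.get(name, set())]
        if odd:
            notes.append("unexpected sensitive privileges: " + ", ".join(odd))
        elif hot and dropped:
            notes.append("privileges normal for this service, but the image is untrusted")
        if notes:
            findings.append({"pid": proc["pid"], "path": proc["path"],
                             "privileges": hot, "notes": notes})
    return findings

if __name__ == "__main__":
    for f in triage(PROCESS_TREE, TOKEN_ROWS):
        print(f["pid"], f["path"], f["privileges"], "; ".join(f["notes"]))
```

On the excerpt above the sample (PID 3448) is reported with SeTakeOwnershipPrivilege and SeDebugPrivilege and no dropped-EXE tag, alg.exe with SeDebugPrivilege on a replaced image, OSE.EXE as a replaced third-party image, and vssvc.exe with the SeBackupPrivilege/SeRestorePrivilege pair that a real VSS service also enables, flagged only because the image is untrusted. SeTakeOwnershipPrivilege is the privilege a process needs to take ownership of TrustedInstaller-owned files under System32 before it can write to them, which is the path the sample has to take to replace the service binaries listed in this tree. Run against the full tree and token table, the same code yields the restore list for every overwritten Windows service host.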
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5d758429e82a3f7d26218ba44748dff8a
SHA14847ba76282e1a7ad66fd4236a6da21a593d63ff
SHA2567fc5f350822e632359c22cb6cbd82167ab749d7af20503eff7520b8615f340c1
SHA5123ec1281bca521ed06977bd24ea1f9ae3ac9920eb4d9b8eee9de1505d7e5d9314c93ffa52e9f95a6861ac9a0d7067ca9d9013ddab375b644b7717e49108da3609
-
Filesize
797KB
MD556907f1bb366d06154df9c150a553583
SHA1c5ecb9eddaf2cc6ccc43d7532f104c09b23a1acd
SHA256e2271767a8dd052d19d5333a7c5c3ccbd79081e883a167aedc1c0f29383220fc
SHA5129d011fb754d00c932f4d620df29d34a51b1012b26ad950636dfb13c43c8dc9e26a8ac5702d1923f56434d6c389fe3e4c29f30188bb5243f0b927b2a77351ab0f
-
Filesize
1.1MB
MD511f7f176c2cb6983c45b4984c64ce703
SHA194db97ad5f3cf3de4629689c0885186f4e1fe7ff
SHA256de3ac7ae249a591d9d094eda3328bd089097309687d61b951d539425aa210330
SHA512ec5055f0769dbfce3aa42945e7580e6e60b0f29fcf51c648c33d2ecf47f782cc774ef51e7340271bd78cbd9d8550963ae8c10ff06330c7483162d657b3b92f2a
-
Filesize
1.5MB
MD533348af65cc12541ff2053bf717a6b85
SHA1b8104d6234465afcf2f61a02a75da146f0a5fb3b
SHA2560cd6e5fce2c400be9391a362b9ece1808090bc7d4650cf85e5aa3eb39aff3bd2
SHA5120dc3f8b1fcac3fe9e1ede57b2fc08453999c9faf758244e4655773001861072f23277842417d5733cf39135cccd0e9643973d54d4308398b80b987220bd3f3f9
-
Filesize
1.2MB
MD5b1de5366e459a292ae84068dd7a98d35
SHA177eb29bbf43ed8d0224f3ecabd12991124a97e96
SHA2569e4c5950b255750d3ba2ded7612751c8da829461f4d371eecbba6496ef9e4cf2
SHA5120bdec1a9b05829db36f2af2936b103590dc8cc4d6523fe7d74fbdd40e281c50a9342b538f1ea053924002f682590dd082bd68682b4a57946ed83181b8832b9b9
-
Filesize
582KB
MD58f588d2868820e6bc588341ba74594e5
SHA12d228b4d2228f43c85d1d0eb26d51d7692e4aef5
SHA256b83c2c2cc48f7a155df506c29c7077a8ec59fdee350502c6271e84f7e2a9b746
SHA51208d4f428c158f9ef3ff3e839ea5c1afcccb5db1b4f57ce8ffe72dd62b308cea508cd3614481a5a0fe6391784dc048946c248ab71cd7b0675e532b6179a0f49e6
-
Filesize
840KB
MD54819859e0c5d20c8f5b1451f430400f1
SHA1123dda335feb343bf3f6cd9e884e9f4b4810bac8
SHA256908a7cb51201e73913bad248593cd740ee51de1aaec425426dc2da998daffca1
SHA5123e3f8f6f2d3b619fe51259704ec9f7a3a7f9f1ad3e423b89264927025aed7fb19dd6778d3070ef360573b129e5c5c25f041a6385ba6ed03e982250cd1c220001
-
Filesize
4.6MB
MD5df17783a88245fb0dadd13b7f7556221
SHA18afc5c0593ed7bd239ea2e1fd792d4922ae16e41
SHA256c6eca52e8205b2b93994c0a4b9cf06915c758fd637e6d846b01cec47894c61e9
SHA512ae543d4978afbc462294129772960b7b688a34aed7ab46ef8d010354677afa7f73008c8b7035d22a9e96ebb4923015e54b13b8f91e6bb09288c31c76737708e5
-
Filesize
910KB
MD5e7eaec405b899eea5fbac53cc25909e5
SHA1fad8ddd20dcaa9f9a8adc756bf4d1c890d33e8cc
SHA256c1233320c0cc0772008278cd93546ff4cb8423a7c43f865fbff1f5d44cf7f053
SHA51267034aa8d7edbeeb05f8359741839b12c487a0e343ee48bfeda08c6ddf6cb9cadcd9f6d671cb6560fb368f582553057e972c737d59466b92e33471d95fc3acdb
-
Filesize
24.0MB
MD508e4e1140774ba9fd0f3c0ae7d9828ad
SHA1f1e19ddf8271850acbead374cb1740c08935b87b
SHA256be3cfd93d03e218577d4aebd2f2c0ef8c4f4275fe8db50b19c59ef244b3fa1ee
SHA51291219003b1217370f8a087355b7520677beeb26dbf3bdb400ddafe93df291b900708e124cc2a741347f671b984b170a15ccc23c79a8e1cbebb64905a24ac80c8
-
Filesize
2.7MB
MD5de5a6bdc82459d0d97a78047c12c0b97
SHA1b94a16f5bb9cddd066ec0f5b9d57c8781a271a92
SHA256a76d06763a1463c0312dc1dfe7d0c079b989e347edbad1d8e1768ce8d97712b6
SHA512d9930d49f7033167112a03f92ab640f7fa36afcb6f12c0640459f99fd50a5170d3b5b6f5ceb8d228c1b47f8b53d4e1ee8c587a502f51630797d345565f188e45
-
Filesize
1.1MB
MD501c0998ad40314463615711ee0a221a6
SHA1a4306f319f98b71e8e48aa5a8de707c8cb3d87f6
SHA256e196c9f6d562bf9b306973382f3f6f66ae47763373fef0d108d1f8a63b818757
SHA5126f3f955a52c7be72f05e3895662c9074f434186b778edfaa7d5f4fb216179a7c1e0f7d2cd356afc2d248090f49e4d13388d7334a7f9c1bef46e5deb34997faa4
-
Filesize
805KB
MD5cbf5478dc1a6986ce5a45ca5b00c4789
SHA12ddf6179ee5e4a6d5dbbcb3f9de49158a9225968
SHA256dc71c9f76eecdc8c58a6f851866be47cbb9650d1dd11dc7af483e46c8f70d38e
SHA512ac9c4651141ca0fec46b91c569f4bdcb2c7193928b1ea4a29e9cf9261d725701e78dd1b61303b02dd4e4d36501c30e9646ea4739cf0c9ab34afe1b499c43c5e3
-
Filesize
656KB
MD517818ca574ad8b0b9eb476d442918de2
SHA19e5a08ef7c7d664446b6a61fa45608df7568bf49
SHA256a75e1baf9237ebf6fc0dfe35234f587c56dcdb141c9c2e54b0e1491b9460cd9e
SHA51263a7573910c7b683ef826f3e73ba136190ca91b0bb272db75b81e838a450fd27b4ca0121ea7b51fdd7f53d1ba291a1fc399463c268a6de0df96c88989f40ce43
-
Filesize
5.4MB
MD52f6678cdab0b6317b8fd9ff1a8faf2b1
SHA1a4d2419153adf62c001f404e961b3b3a8e8c0f2e
SHA256d722870388c94e12677f76ffd8811e36307748ffee34a7cf1ca32b4a37017c73
SHA51276fa307c9fb07ee4b1c1ced99f17c4a994a7768b287a748836160ceac3b06bdb0b59382376517146a9c76df92884bf4953cf976899ff4413211c24963ef0d161
-
Filesize
5.4MB
MD5aa7cbecd3261a3023b934172a8e7bb4b
SHA1f970ba11f3b9d40f369b119457cb860471b48b0f
SHA256883151097973616d2d4ca4a59e0e2e4278ebd255cd32baca0e8dda48dc5671d3
SHA5120436f91928925818811447cef448343483f5a985bb3df67e061daa18c938c3ee01a6fdeb0449a8638fe41b104ac12dd7d09eca1d9d99bc80649f63ff82b0fc88
-
Filesize
2.0MB
MD507c26faddf1adf5f5a37622198f02c8d
SHA1bf33ea41a9ce3a4bfcd46ff26ff8dc9ed396bd1f
SHA256bee163a1fda41a5dc719c2e823007f87d8fc7a7e54aac7157c636ed307b52159
SHA512f0c06e1e34c4692a8828f315b1ac0403fbe625e9802c242f33c38b55a5255eee4e1940481b286c0c95f69d16a9a3e9d6cc11ec4779e57c6ee072a7f44c83c2fc
-
Filesize
2.2MB
MD5ed7deaf1a8f1838d3e466039fe60eec1
SHA1d2827b1bbed257dde0dce9168f42d84b87e8a073
SHA256f76cf5637233bc4aa0c3db3b9be81126b946f3ea22f3131e3d3f77ec9dda2de0
SHA5129f316f50d8181a94dd7a60f5f432d72661a29cfb2855434e3c898118a35ed394c8cae89155ab72a3d80ce2b08d4dfd6cf02dd68fdaf3a33fba2d10c6480964de
-
Filesize
1.8MB
MD587f577c4c223ba20d1cc16927b0fdf69
SHA1cf15375b758db7ad13e615b6de33cb53044c7bae
SHA2569b54cd329e7ffa4e14664479002cefb37a3712560598cda4b2dabe6a18f9e673
SHA512533bf110cdb93e5df59fa6d962f4181e4cf7284710b18ca7ccb55f5f6b34c91539dd8e715987e188651c0064291204534802c633a4d0a76305e74c8f018c721d
-
Filesize
1.7MB
MD569508776c08401c6cff3b4c6a47ac0fd
SHA1f8bcb0bf6686f5329da69f92b2e30047aa42108f
SHA256e1f1cc8ade1f7373efec9cdd1ce7ba85d023e482c91640ee98514be4ff07d4f7
SHA512dd7b2e8f5f0d0ae25512535a9b96df5c201d52d1ff4aecd289b23572e13baa7a8fac51293f0008b4f906f99b92ded7dc230609dc431955c57dba500559163e85
-
Filesize
581KB
MD5bf2e41b9fe8b148d92027644b1247d27
SHA18e7509f469f555065ca46cb172f8ff8baa296a8e
SHA25687d1046678505969565aa525ad7ede3a5d638dd5e806de6f08eec83b16670cb3
SHA512b3a2959ad7a2bb72aa4c0a8e3f5863aff61c16c6c5cabca68d9a2291927125b4432d9a2037a7ecdbd5bf6e0891893ab22990f3045a282a785851749bb4d53296
-
Filesize
581KB
MD513dc3b256a85f201e83ddb9e285fec1f
SHA160043e7c7d9f06d382c5efef064905f95474a494
SHA256dca8c291c49c353955bbc9ba3bdffb8a484098c739ee113d9985d49dbe6fbaa9
SHA512febdfeeb1df6f091bfe1489e07addc029d188e53610b5870adf3011b8f0f16342deb08a27432a84076c70af353eb4c0c565ac3c0615ec64af72199e39c164558
-
Filesize
581KB
MD5f66b59680ed78a0aea17d34e4310854b
SHA16f3a4e856f0ca72d0da7a4fbf79983eb6ccf3bc7
SHA256fc390fa972f4cde67ef9f0f357699cd389844c715faaf3d051e7217188e44508
SHA5123fb119b32cee3375f70cfb961495bd4a7d59b74665194eefbf0ae637dfa3a9b1d81551e286323ce5374474e1ecf66fa934eb877a0c96d0a24bc360e02ff1efec
-
Filesize
601KB
MD5552671448a2aca546b99c769e85ba7f8
SHA10734e49dc1ae48e9a306b936e1a4f767fcc9dda1
SHA2567bb2725cbbe72599edbe859bfdf4f36b537aaa477ce73f3a339c53cce632dc6c
SHA5120c63c61d972eb964ea8a9fbeb1f2404ae3c5cffbd9f8b64633ba60719a5c9ae33407038de8942c47bd76acfa5a7a8db55bec19b8764467b2b0651afa3fdbe584
-
Filesize
581KB
MD54fe84b4a33cfc14139abc8546a0b254b
SHA1c58b306c3c3faeddd2cd49705732a76a993205af
SHA2569481e7da5ad482cf813887c1ef06413f0a82fe3d6aa5fef65bf84ed169e336aa
SHA5129c1dfb5f4cf3763d81cae546e64c5b553480c592037372afa0a61c3bde65c04f4f37f81ebb4737d5660b9d1ba7118587d4abcc235704dc782337cce1be00409f
-
Filesize
581KB
MD5be7527e47a0a187a2dfef334a465322e
SHA11294e54d0510959f24b1afa54e0f85b46e5a6a55
SHA256ab19076211fb475d204f966de1a3be7296511acd95d2ac76823f197ef79307b0
SHA512fcd0cde7d0a42039a484aa76005052c25f63542c95962d040ec9783beaf8e31288329d0dd6ae89e5e25f5aa531c4a125d8c4e32d06eedebbdab5ba264ca3302a
-
Filesize
581KB
MD5cec49a96cd586f1a4af7d438810a7428
SHA16aeca5acaf958eefc775c4ec070db20b8122764e
SHA25663dc178faab91d88a3920c36b9ce23bd82d67e6bfa073329af0f9e39f2d75053
SHA512b38831f4011d8f8fdf2d71f923ce4273f1227772ac411b21c9c9c997e754fe4f4bcd8374b8bf6e0f2b75b8d21c83626c8c643ab2918ce75213785eaf0c5a6725
-
Filesize
841KB
MD5bb6e6b2e6c26a5f904d41c25db9c3beb
SHA18bf2b8f245440c8281876984de7065bf98185b2b
SHA256b42c3b7083f36dd2ddeb5dd678ac203656a489091e85cf2360baac8d9b2652c1
SHA5123a11de8a2b2136da8c62d156043e548c780387e1c9fe9a9aa72da36742dcd7a2092e2fd3e10990ba311591c91541bae32e50be1b298791abea9a492a65d1787a
-
Filesize
581KB
MD575b91634ee0f0c911ba1ba7b6f5b78dc
SHA138d646ae9b876e1f92a2204a1dffcad4445cb6c5
SHA2569d2457b2c2b8b4df3aa2cc22aaa210eedef48a976b6e274cd0247ce566118ec3
SHA5124bd2660683a3a09aa1496e2237c2bf872b0169be3adb4bbc93cbf613f84ea512f82b8b5050ca7907aa9152e5bc0e2aca535987fde52bd76a0cb5fe1c3c943a50
-
Filesize
581KB
MD50d5dd7788fe9ceeedf947d2244ef9454
SHA1d6cb32249b96343de7a36a3711fae360f308bedb
SHA256bdca34c01b68ff90a0193001f226c556822c743062b57e63743e0bc9c244753f
SHA5127882a710d640a500f4560e6370319821b9bfc780ef4e161dba4d4eae7da9cb67bf68e3aee933af614192d05475ad267625a0a91651dc821b3885bd2277de97c9
-
Filesize
717KB
MD51a8243262c3eb63e149b042d1cb40cac
SHA18d53f1ed923daea2f8b1e2b6e12cbd8c1aa0bd08
SHA256945cf5fe41fab5091d8c1e1cae346af9f31ef10d34ae64a63958cd9dee949a21
SHA5126d2de45ec19abbe854517bd54cd68ba202a084bd3125489167144dcd434d45fbb2de06c6d1c680c4fafd4db3d437de41f026369c2800d02ed23c0931972f8663
-
Filesize
581KB
MD528c6e8da847fd151eabb734c57217a36
SHA19af44e22595d8cfe9e8927e7146764da34b8ec0d
SHA256492b067e18c8929811fe6928b6df6b1c3d633f57d9cdf37b5da3f7e80fd71790
SHA512bd61a4d47c42b0b269ce0bb096e91a21ba8f34437833a10f413d8fa9af118d112d542c3dc109c81d04032090e97daf0071af8729c18d01fb6b7a3139bb106073
-
Filesize
581KB
MD55c765ef1afa7478cbf4bc7bae8f95781
SHA1f57e689b71f430d6471609ff0d7e6b638808e3ee
SHA2563527df3dcac27ca17a041723eb7fff16dcdeed7a8e3961fdb7b1dbc364f03130
SHA512492821b62f40d019d4b017a344d5f031aadaf7efe6dc717e4a8a7d95d307b3503200b288d9256873b9442d2e2a24faddae0527babc454982fca962958fea1f4f
-
Filesize
717KB
MD5a01ff4fca3bde63055b04c559666f0f8
SHA1001d0537818af9fb3efe68d86b6aa80afcf9b580
SHA256ec66918417c57fff1fb1016fb4907123395ab7dae8bf162c374f9c7570a0e109
SHA512cced2ee08151fae3b99f9ebef7545f1cdb2b0352281262f83a10acd74cc53252efd22300dca86aade725d6808fe13c04473762788bd74f50f4e4216ef2eb41e9
-
Filesize
841KB
MD5cefa5644c068a4b09cfeacb85adea254
SHA170dcfea5fa89b8540ceff525045388a85513da1f
SHA25611885993f31e28de1da754b687c2e8f02d6ac40e0cdd8e5462a0c8c8b8ea5c7f
SHA512e9f0d76a6e103896fe306d752e48495391e8a633708837cbd0ed4d294062e24acec6f71da339b61a018dca6ae7d5cbb09b9ce2e963a3c1729e6b327cd3a0d5e5
-
Filesize
1020KB
MD57a5a39cad94ec7006d6ff4fa3e9bd44f
SHA1fbbb6272b620cc9f3196fc4a2fc8b7391cb8cee7
SHA256acec5a3a704520afa7aa0d4fffce256883518659c4d0b1db927ee42cff1ae9a1
SHA512beaa1fb440b9a38f3cfcfb172e2a959908751be2c429ded3e5cf9eee71a2f4202e6bb28e483c95b96ca1eb1f3fbe19d001c900bd72c02230ec86bedb8dac472f
-
Filesize
1.5MB
MD5e1513d036baa75eb7082e5f442bb654b
SHA1d74e36d601de728ca56a49b8d6b60dc3a025bf8e
SHA25631404005c2299b43d97d1e25625d3f488e92f9a892e2365bfe34c006f6fc4d9f
SHA51215ff36a4cccc309ef38a3fd2b98ad945b28c1380a632bef8f54df5177a1f9ea494f3e53d191ab58af43ee09a1fe1707c98c88d584f28180b28dd2cb354d658e5
-
Filesize
701KB
MD50200447b582004e54d9d1d84a2ca4348
SHA1cc6513840d716799c6434c382bcace24b2544e7b
SHA256e290ddd010cf60c8211d5ae2165f5d131181413c144aeb4f75ee5c52f097e713
SHA5128aa4184a63f345de6d1f81cf718b8e626503530f5c40b9ab67a71d2637dc03793b71d4ac982a3ea42adfcee150ebd8db34fef67f2eeb9ac603b33a3da63933dd
-
Filesize
588KB
MD588e0ccd73b02de021bc47a9f531731af
SHA124480f63ff1b535c51cc34864e68483de92a3bbc
SHA256933ab431482cc6ba3a493ebc1f1cfa62c2aa3d8bd14bdeb8143e47a75bfc0b07
SHA512fb1959139ec472f2777ebcec211d113f24fc192e3f2cb4aa6118f03bff8b9178ee8e2230c4aa1a76a4d267ebaf69d6f25d17af2307f35247d02bb5b0bb930edb
-
Filesize
1.7MB
MD5410622089503e8f06c76d0a17287532f
SHA1cdd566b3ada142f42eccdf79ced8f9a771a3eced
SHA256dd49d2d6d5bb06b4dc33e05a42c8de8b081105af1a39721ec3e0e0301cac3d41
SHA512c92a202c8aa6db5015e60248811636d7f0af2146a8a1af43853545c44f7e6e2a905c311b7a67854f11e3ededfb3d55a6bf779d08a01b9bf32ef4deb88e8bdcf3
-
Filesize
659KB
MD5329c06afebd7768141dcb1f0d6380727
SHA1a4a87804364f117f32b218623f18f35480af1c68
SHA2569abb9ce85be1d2a4698f3c47412ccf5d1455e7b187eb2cc2f0eb3c4fad7671b9
SHA512c9fee13ef561e9c9c160037e35d2d39a82ad5b54c5dd3d569142ea2d04659e81ecaeb023f45a2f8323dc063cf02a5758ff83210687afce8c645f734711f1159d
-
Filesize
1.2MB
MD5bf8823cce948333cdfb10f06bf8e996f
SHA101f443b0d7ec387d201dba8632b59c5b38a7e6ce
SHA25659b6e55e08488e68d95ce391e4c97d51990e523132f2c3c6af83ccba531f3b01
SHA512bdc38ea76408305dd566249bae40370638329cf6f0edd7b22bc80eef35ee9d0eb284d952a7c3fb563ebcfb59026fb59aeaa6d67296fc30d6280ac7464329ec65
-
Filesize
578KB
MD5964111aef7405ea11c0576aab2647cd5
SHA1cabc285cf677041a7d0e7e6cbe9c6980772b8d9e
SHA256b9c2b9ccddfd39caeb25c072a7eadc852f9111fd1a6ecce1d24b2103a84599bd
SHA51295712a30ee3741bb303da06c360489de2050190291df2db419df0b652fb57888681972153d8b0edca5f05ebf223796c0f30ac6053f604020e3c3773cb9898e58
-
Filesize
940KB
MD5004de50b9f46ee7b5ec935c7e6f19eb1
SHA1ccdccaf97e6926eee1a996d8296d313f71c4f0d0
SHA256019ce467045cd427a92afb89ff94efbcda91a7b7da6d4c2f8fc482f4e9386080
SHA5126b5ba79573b8e4825aad9e125811cf95ff85bd17a34d914fe01771741da514f40cb6ccddd8da7b8f3c02236e986af49a75a3a0dc6791cef2c9ac6d1bcc42a70d
-
Filesize
671KB
MD55d5d7a25e3ddf74058c66272d01a6bd9
SHA14be484f7966c8ff5114bdf2050e9e886b9ed2c90
SHA256b666eb17a5147cf6a04b004946f54bac768a06c6f041318da1944130648e8e7e
SHA51221b90fd586d39cd2774b9361423c63bb175ab696cc7989df9da80a15dac149bbe778026a8ad0295d79596c8a68c325a85c9c2cbe623d6c3e2f90d957e9861f29
-
Filesize
1.4MB
MD5c327c2769ea9aadc11838a9a84e1b300
SHA132035ad4d35d0c35f2c062ca981aa089736240f1
SHA2562e434e4c7cdb14cb28a289ee594d97995c89058805ed0d2bfdcdff2d855bd312
SHA512400d7b2acd3278627e7c377fd5e452257ac791c217cc418709ed82ffe11d00f7f6c4e87202817963a93050d5ea14ac803868778bd057c5f95c437d52bf4796ef
-
Filesize
1.8MB
MD503769ec00d4b0f8aceb259d5f8ac1a9e
SHA15059c30229e6621ad58c0458dea7e62b847b67c7
SHA256114e4de514ccf639413598e183f96825eec68e30e406c4cf47204e3f4aced95f
SHA51238ca7adc2b2719bedf7cb1597dd88c0d694fbd7464d8ce42229425d4bd091c1010e41f22f27be3969689b78f3e7225c4ac45b549fb3c3630bf26ff9d8382fecf
-
Filesize
1.4MB
MD5c941287248f9c67c33f38773dac82dd3
SHA1c947cddcfc677cf377e4597a52541546bd8f950c
SHA256848bec264decf044aeae9662048fdff59c74e99e7c1f97827851e147ecc8a9e8
SHA5122a2608d676d68aeba5c354f4b0ed269066c6ab5b4deee0eab58b82263285717632f62a842390c9c5d08a5df8fb57aa13cabc494f0eedc12a0c697f131e5e6d08
-
Filesize
885KB
MD5101674e2f270715e4d53ff554a3ddc6d
SHA19f02220ce25ba7c3a913dd803ce7faf241e193c3
SHA2564c813bc74e825448a32c2a0fa854d32b08078d503ae7428c0a5ce7ca48bed581
SHA5127df3437732e58300c8d80413a941f58e39476c1b0b29d15320d4a985b23a30ef75b0b3073b7403af9e8ecdd93811781e9251fab8a4be727e1bb8c3cd2c368466
-
Filesize
2.0MB
MD503937af77f52c51ced07b50cf4aadaad
SHA1e2e30d26bb868f44e9129617f1a7e3b30fa6e92f
SHA2569632c3f36cb116a3900ef4356abdabdefa0da49b97e3eaa5562fed3a23fe5c1b
SHA51267373a3d385ba8e98d5c05139fa89e2cdd67636ce59c24b9e87e819814eebc5d35b0b308f3c8fb525204135324d1a8a8ac174b8f9e44cca7d9b2a1ee845d0091
-
Filesize
661KB
MD5ea0f1fed38a5bb78e632606b931d04b3
SHA1ee870a7cf6d121826e6a64f9a0385eac3f909641
SHA2560425fd6a4bf725fa2cac14c3053e1f57ffc459c2ae8278c966cbaa0f75508bd3
SHA512aa2946c57482e93155a188a17b1faa695266ae0ba6b3c9507dee21df828b2d5ebf8144dc5ca838efeddded2a91c899b9ae97f336b00ae616d4e3534197624006
-
Filesize
712KB
MD541ff538c5d5a6a630c466c9b859549e5
SHA17b76e0fc4c2aa17a5ca216e3deb20d52b0ed27c7
SHA256382db65f2a1c714f43bf07637f21e848f71c13f51f80ff50e0706067b25fa1ba
SHA5123263c5b97aa60de3649cc3593b5d96c2e5d28b2f54f2b625cdee0cd72cc023312888522f3e65312e760970a908c7fbea71883cef477654e0924ddc0a42714def
-
Filesize
584KB
MD571d13d8f52dcf23fd8e26c634e5acc8c
SHA1f2a59d819083453fa6675e8f0cf512f3687556ce
SHA256d717c423805ad4d2766dc10ece6665002a127aaad62b8918f4840c48b61d966b
SHA51256943793f03475d0fead6993459d768d6719dfa3915a114d921243cf01b13905efcf4e706f8c2d82fb2a6f7d665886446e248aa95588babc5aa9900b062529fc
-
Filesize
1.3MB
MD5a451b0f495be4dc41c117475f5632fd3
SHA17423129d585ef55537e20b0f01bff6e701aef67d
SHA256905b4f3f06c086b82f2f6d8ab46bcfa73a9e8ad34594ca257e7b9c0582275a7e
SHA512a3ee8ce90b270dbc470c9d2c0c8ab29c4e7e9ccfc013c3aac68ca21bdfa447cd479f1175c92df625621943d36fc73f8fd58e5903a04a02c50b67adc4f8509dc8
-
Filesize
772KB
MD5e705399ba0efb48e64826d382f41b9fe
SHA1c436aa15b980fb66a6af7143c2e131cdc26f63c7
SHA2569cbc489fa1bad1f6591656654860b6a055e68684ebdc2b1bbc84daccd0d952fa
SHA5125a43287b33b4ce9502c341ba8a3ec32d617c59ca7e0c8cc142e2fc489deb9811932a38b8f5e486b60c8aacadecc9291be0b2714e932d95693a87f18ba7939561
-
Filesize
2.1MB
MD53b35fca16bfca5e0dd3d695cdd4da722
SHA16b1f059fbf2cbe03f3ffa247a27d974e6a7e8c50
SHA25696838a588be349ce816f44e3b410e29632a9063ec689b0e7a4b0a08d52e78342
SHA512d45dc19ef52a9536d938ac7bb3709a8817e2d59ab6c45c643b62fde1c74a19b904707931217a725854b19c77c63949ac4cfb41d175b4eceec36c85922029f6be
-
Filesize
1.3MB
MD57819748f2ed2c635645adc60544bba5d
SHA1ba5f8db3aba6ebe4a687b75b18333c8563c20c05
SHA256c47345e27dec815b6ea290c361b76022099ab3996acd84a87815f68ecc2b3815
SHA51209ca8774f81e3f154e552c387870b7db7fe7734aee9e1ec5ab4cfda0820e10e7a6f043710b3b7d2eda54a5bb0c5c08c69d0526d39773fd7c10bbdce42ae20866
-
Filesize
877KB
MD570c60b591753c4b7345e2a759b6beae5
SHA1c8e61511bd2a092a30ec80f376fddb8c076a85ce
SHA256e1b52c59761e63d96b53519756a2007d42c8c23251d8427310c951702db6e40f
SHA51238e2ed18006c27cf52b770481afba77e12a57dbf918e834302f926b70834b57cbeac087bf47e2cb7845b932167c854841245790f8729a7877cc9b193bfda70aa
-
Filesize
635KB
MD52a7b4db4e8c04ed49b429f4e1b624f45
SHA1e207493affc9f187c2824973c35c199e2473b010
SHA2564eabc5a72cdee9273a2ecf3dff2433aacbd4b06bccadcc5696b5070dccbbc1c6
SHA512d7fcd16975ced449f1ea8e53d7ab76529f5218b83e73b23bb0048669966b38a06567fa48b71fb2d73fe9d091284e10247f3b03730e271873ea8a273328473c84