Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/06/2024, 12:41
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
Resource: win7-20240611-en
General
Target: 2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
Size: 1.9MB
MD5: dd764c529d2c276b6b0dfc6703c93fe1
SHA1: 811fd5ff62b8f99b59f7884a8d0087e77b96d369
SHA256: f2efe14cfaae0ca084d9226b80e9db293a02fd44c3e89580aaeeda069b8e39e2
SHA512: cf54c861a59f0256d6f96a3ac1215888330386e52d7cdca6fb9501e01e8616d119562c9b865b21eb6a8796c8c23a4e3ddba44206d5727f3c52e2ffebc482c414
SSDEEP: 24576:x2lmz4RPgXe4i7ojhsP5Lgrk1TWb4AN5:x2Mz4RGe30jaNf1TWbdz
Malware Config
Signatures
Executes dropped EXE (21 IoCs)
pid | Process
4728 | alg.exe
212 | elevation_service.exe
2036 | elevation_service.exe
4584 | maintenanceservice.exe
3240 | OSE.EXE
1496 | DiagnosticsHub.StandardCollector.Service.exe
4872 | fxssvc.exe
4548 | msdtc.exe
2712 | PerceptionSimulationService.exe
1952 | perfhost.exe
2032 | locator.exe
1032 | SensorDataService.exe
4840 | snmptrap.exe
4696 | spectrum.exe
2152 | ssh-agent.exe
2804 | TieringEngineService.exe
4352 | AgentService.exe
1052 | vds.exe
1044 | vssvc.exe
4280 | wbengine.exe
1364 | WmiApSrv.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (26 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\6b1e28f84ba38143.bin | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{939A4C0B-9326-4B5C-9760-544EC9BBB40C}\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\java.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085456b600fc3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ec44d610fc3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019c62e610fc3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000493439600fc3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f742a9600fc3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae5b40600fc3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095a308610fc3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ebd61600fc3da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3088f600fc3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d571bb610fc3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
212 elevation_service.exe
212 elevation_service.exe
212 elevation_service.exe
212 elevation_service.exe
212 elevation_service.exe
212 elevation_service.exe
212 elevation_service.exe
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2192 2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
Token: SeDebugPrivilege 4728 alg.exe
Token: SeDebugPrivilege 4728 alg.exe
Token: SeDebugPrivilege 4728 alg.exe
Token: SeTakeOwnershipPrivilege 212 elevation_service.exe
Token: SeAuditPrivilege 4872 fxssvc.exe
Token: SeRestorePrivilege 2804 TieringEngineService.exe
Token: SeManageVolumePrivilege 2804 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4352 AgentService.exe
Token: SeBackupPrivilege 1044 vssvc.exe
Token: SeRestorePrivilege 1044 vssvc.exe
Token: SeAuditPrivilege 1044 vssvc.exe
Token: SeBackupPrivilege 4280 wbengine.exe
Token: SeRestorePrivilege 4280 wbengine.exe
Token: SeSecurityPrivilege 4280 wbengine.exe
Token: 33 2352 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2352 SearchIndexer.exe
Token: SeDebugPrivilege 212 elevation_service.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process
2192 2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
2192 2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
2192 2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2352 wrote to memory of 892 2352 SearchIndexer.exe 123
PID 2352 wrote to memory of 892 2352 SearchIndexer.exe 123
PID 2352 wrote to memory of 4608 2352 SearchIndexer.exe 124
PID 2352 wrote to memory of 4608 2352 SearchIndexer.exe 124
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2192
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2036
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4584
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3240
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:1496
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3024
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4872
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4548
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2712
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1952
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2032
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1032
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4840
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4696
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2152
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3660
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4352
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1052
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1364
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
  -
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:892
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:4608
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 0b808778ccd2e2022333ce2ad1d66d5f
SHA1 039111db1abc9c7f16e0f88311fe192002c80e39
SHA256 69cedf2b3746beaccb4ee5f688943b013e42bd6486f67df54be1c267bdbadcf3
SHA512 8677909a4ab170f261c888e7b04ed3f35637ed47a2402c6ec5e734b35f37d37027d485cfef6db850e9f3554015084841b03195827ed76d41ea187ffebf341eb5
-
Filesize 1.7MB
MD5 0f928b228f901fc9f9f6ec69e9bd1fef
SHA1 d01fdf73422b896e6a19f84d47075e3c89cb3cd0
SHA256 95dc83ca8efd6e97add87b65fc89de89cd2b68cf336e92cddfca3d95b278adfc
SHA512 b6b6401e669e7e67a91c43c7891b04ecc5b6f1a7397e5ebef7d15a88c6103f0ab701244b2a55128e91d4559136ef09532811866614e8912a6dcf1cb0207b4ef8
-
Filesize 2.0MB
MD5 390ea7b941217a429793943d91aa1e64
SHA1 58ef26cba26121b4e45255f6e9ef14e40365266f
SHA256 f8e33971a20488cee606003a7e2a1022fd8062311ce284641bf827a66a61c15c
SHA512 9f584093afb044c7c74af642b92a4027aefe2f4b13687ce786a79a781e8e647d6fee2e3565351cff4a54749b57272345ac194a267a0e80e5d14a513a58a2b7b8
-
Filesize 1.5MB
MD5 aae6d98755817d1fa821a2e1267e70a5
SHA1 1b7e836f59a39ba26124f519a9a40fbaa78c2644
SHA256 3e52b5a6d1234a45d83b88766edec37a3c00182cbe6b6c69e2046c7016e47cef
SHA512 f9877fd94665b720929b5b33cc437b23a0859054c35c0b319124854f0dd9eefa10cc5f0083a39c9d05651f83c66de3e6fe67bf8389442707ec398ec5101fcce3
-
Filesize 1.2MB
MD5 2196756172357d8d7afd4285b57f5f4f
SHA1 c5d62eff676d93debee99512c2afe007c4c1bbb0
SHA256 1e4db7bcbfc4422e2f269308a48f099defb873f61a1b9cb57fcba43824517301
SHA512 f8540589d75c60e954377c5ede8d540dbe77b6308db184ec293656ee476584378794540c30faeb81ecc0fa5ead91ca4cb3996c6cb4d6d3a396b6ab8d968a1bab
-
Filesize 1.4MB
MD5 76ed28563af3860ba18ade79d8fdddfd
SHA1 271fa1ef5a04948ebbcb55fe5bfdb7e0d99c90fd
SHA256 71f8aaed56b1e6243877ecf96b4b1183c6653641702a4790ad9f953e3b320d0b
SHA512 b833d49dd3555d0748724f09726189cc0aa9a8949aa36f98a46c79625dbd51a257dbc7caf45efcf3902aa64f60987f1d36a2b5686ed4a9578a6e05011d5fa5c6
-
Filesize 1.7MB
MD5 161723908090390ec6dd1fd49d66aa48
SHA1 bf703759b27069bfc21dcf2d4006f56c18b5f27d
SHA256 a8eab1616f7fe6a60f5382bbcc0c119a017442673d782c113a22b8a0dad7da24
SHA512 3550e98a274a55568281efccb9239c5e45b7128eb8264fe86261f0bec2c99089ac35cf0deebafd0a7b51d42a82c0ad9e4aad04c3de0dcaccc10007e260dddc2f
-
Filesize 4.6MB
MD5 1f78086ec62eb6f5bd42a7dd015bd4d7
SHA1 c34f937d7baa9be84f0c6063eb8c5eacfc42637d
SHA256 2b2c828f528c678e7d1cb30cd09d36a9c3dca6cc61cd4cce9647ef611920cb10
SHA512 27265b70fce0831f972d51d129f90c2ecbb21253b81594236f1253a16138faac64ea5e074fee37ea18ffad751900b8fcc0aac18661d14319743c40f49de53c54
-
Filesize 1.8MB
MD5 5a1aea5cd3af4968ef8d25554b55e7b3
SHA1 dec8b0d86252bd55b0629a03677b9912aa7460a2
SHA256 32cb061e6c036ef88effe03fa4a8070931d74d1da403a84cfe726a769a4a25c6
SHA512 25e8de53e602474bb9e3d354c48d906e96a2677d263eb3e50061c18cfe72214dacc561685280cea3822fbdd84d37b91cbf8ad311f7edbf947bcf5f9262f73f9e
-
Filesize 24.0MB
MD5 539c061c5abc13c1fdebf0926bbf47a1
SHA1 4c6ff5417d24273ecaac8c1c0aac8248a9bbf6d8
SHA256 34cb2a9a3929836425b3187fcdc0e4504af8422fbd87c9d0b3bc1b187f01bea5
SHA512 f736a37c09a25ae752303b6615ebc9d686a0fd62071d1134dd67ee53139f3d15d74f127cef30dfbf7aa270d92f417797073cf763d6d25a1370f2f66ff1eefb66
-
Filesize 2.7MB
MD5 427a8850782a61d5e2401275d307bbb3
SHA1 6ea565911dcb3e4128f76ea44eef5020c8972d4d
SHA256 5b8aa87f0ed9cc2d4e869a525626214b7bb406c0efe0b62ed4c70679c8c6f7af
SHA512 2613258a9e15b172f199d5c97f09fb32c5a81ff066178315e8a5f0910ee71aed7cfcaa436d5f43fc77576766ffd276fcdde41c5c87605a232171156ab3a6d7c1
-
Filesize 1.1MB
MD5 68186080bf9c074597c7f66186d89a43
SHA1 db84392abe2589d0ca21afd9d29263eb7eb4eb4c
SHA256 f5d30b21ea35ddc9e434093d1fe1d0ac4f7c56ce64388ddf078fcf4a4de057de
SHA512 18ee3e1d24cce3d4551a305f976ddab8573dfa6c4c97f009c79894c61e3185c020f2be18aea83ad6972bd2c00f7a53433fc035f3d80a6c48ae04ae2626e32b78
-
Filesize 1.7MB
MD5 dcaf1c0b14c6dcc1e728a19adb3c6fcc
SHA1 4e1ef88aebe6dc8496ec6b06e2b73e03082c7737
SHA256 c281cba9205bb13c9fd121e452b886d682a33f4edeec02ec7394776ed24a0191
SHA512 eb8e89ddfbd46bb2d33a74e266eb0b4e88613fee0e1988c724318630eab72959af94d92248ef75bba8b031239d288c5e1d84ff822f67ff472b6595d5fcacc649
-
Filesize 1.5MB
MD5 c098b1ee08717b57a3f229114ae2d40e
SHA1 235ff0a30095b818aa83442c180b1a8731188dcb
SHA256 6ff9e18d1b4588b6628e594b1d71133b1915a49dab97b4f948d291d273e32c53
SHA512 58e40d22f66164822ad5b2f93d7fda927effc28584480dd6691912d5950a346f95a6e1f951e4639688dd772d6ed72f58834f86c14d55e586428d9af074fbf87b
-
Filesize 5.4MB
MD5 118a1deea8c30348a81211ef61a56d94
SHA1 8c7ed22e7c29719b8633d0d455a3b96817a2da6f
SHA256 d5027d8df394ecdaa4a809a2c28e45bea82cd3fffa5245d3c53b1f990b3d49d4
SHA512 e2a5edb35a116b2ebb52f09b7c7fb2adb869a9c503b6b891c773212374c85ad510553bae3cc09cebc463677fbcf019da414e75c03a5624b0af0017598c6e6e35
-
Filesize 5.4MB
MD5 4d43bdd326fb9411e7103ab3482ce401
SHA1 49d6c8cca40a715ee0664defcf9f8f7cef49298b
SHA256 a899564b70770514e1034a683b09d95dba4073f526d00ca0636596d30dc5c17d
SHA512 b948495a6784199ad1de38a664083a76f89f88a4449db7bc587c1e61165543fa857e17c489ed397463c48f9631aeb07caf377d2fe91e884bce0943339dbdd1a8
-
Filesize 2.0MB
MD5 caae91d01163fb04776d8c5c57ae7064
SHA1 093ce118b73744b26ed2851ef8c9435a21e1024e
SHA256 95b8d3283abb20c46dd1d8c6e2b8b60746321937f5229569c36cc2d44692669b
SHA512 dbfc2d09472e1049151101c64508f0429dee40e6f11420a4188a2bbc4c3c86656d5f0c08c4963fb83f73e0d112eb4f02d68e3d23ab2c4b12daabda2ba58c233d
-
Filesize 2.2MB
MD5 3fa07fdc4801af6cb5a155920f279453
SHA1 f64f1e0c7c4f4dfc76c277f9464d129159ccffe1
SHA256 22777f6b435db7cf7fd5ecc1fc3597fc653251dae6037d10bd0c5274c004d8dd
SHA512 a137580b2510c1d24729710d258812211df9bade0c3b5eb591a2d07312de2edba53092f8e1c339f57f4ec2a65f12ecbe75b47f02d38fdd5d6c28a4fcf11e8d93
-
Filesize 1.8MB
MD5 e82c0ecdd0739a7e01f28747b4393d1e
SHA1 3b1496663bc7b67d05c0c57b3808782b401eff83
SHA256 75c0846944ddebe912b16ea8a6abf2570cc6c9e1777668172193322f1a958d01
SHA512 7136185e13f2329e4c8261fa1b7af5a7d2c5f2c5f05373fcadb0c8f04e825f9becbefb155172086667e3a40fd814a5e9170d6386485e9c9c1ad82f6a02aa17d6
-
Filesize 1.7MB
MD5 cf0b057cc22a3e3c7e082de731959185
SHA1 6973dada8d1f2399e32d0a3df1b28e4ad3fcfc25
SHA256 d33683657222b977a489d6404f5243bdd75a983a6259ecfaea4bd3adae98eec8
SHA512 6823a39894f4a33a9f02cac8ac3f0aef68f2d3704115329d57af6999252152bf852761be6ce26a90b1082e7fb9a57086bda45427ae9d2cdb5e882fff1969722a
-
Filesize 1.4MB
MD5 9d1aad343bdeaa1cbc037bcb3020901a
SHA1 0d8f333533193c3262ff7a7c31bc2a022a53008e
SHA256 ea700bbe697fdc51c7de884584d8dfc4874bf7f088ea3bec90c065668aee7d66
SHA512 5a841d11da164649d45933279b6393ca1d04d86c39d565dd94d4dadbbfb89c881604d54e48c0a89d986200f626ee31b65f8cdee3ea0584de02fc5927577548b3
-
Filesize 1.4MB
MD5 b8fca4e609eea28200634a0c72eae386
SHA1 4964ac7a77bc1f8083421cc3e899e2ff40bbddc8
SHA256 0407ef7da0b437a4fb38481087ba6dfd16dac8d91ae34fdfdecc1eeddf83d8c9
SHA512 a30eb8df5acd2bf5e5fcae8bf83d3f2c75bb38104d3d1ffbc34f3fe5450e11a6c1b6a63566e40e47d3509a9133502fef92359063682cbb1c1c8e613a67db5e46
-
Filesize 1.4MB
MD5 56df49116107e7c5b71ffed219d5d4ed
SHA1 ccb98ff61d54ed89a3e02bc06aef6f53674253dc
SHA256 744cc9b932bd73b8baa6b7c7c1061a7512296be46f5ef88f91a4e4dbc2a51e45
SHA512 549b338c68e5d6ebbd20d56f650415a11c7ff4cf25b8141f4866da6231d1a54392d793952a0a21a6a0396c82093f2242fc6b2c39fff628a3cbde360e45093f71
-
Filesize 1.5MB
MD5 1b48ea076598024cfc5fd3756ec8463f
SHA1 e9f6d5cfdac58ed5c27f5b251f85038532959882
SHA256 547fd2043393b55094cb4f123a2441f3464ea27334acf39604905a4d7a1ffabd
SHA512 3dcd89a646914831b1f7cafc339d8d4b49b0127e1f7bbf89ffd80afd363d202acf351238f205c3e82c4636af4e60cefa67188f91b723e87834709110946ac0d4
-
Filesize 1.4MB
MD5 144de9167ffce39d748cc52d264bf1dd
SHA1 96b66e65c5b33944015e1a45ded47d9bc01da05d
SHA256 ee4b5b8c78fcacae4c1bb342ec27ed91901fbe3253fe795d52d636d2290002ad
SHA512 a0c153eed44be4ffe7d00fc527ac8814686a702ee90479b3c410680387d3d065db6f809cbc0cb5a5ecd7feaa97cfaaa1187114665068b043dddf9152bb6c0c62
-
Filesize 1.4MB
MD5 50450b1ac105717c5d9c9337ffceaaa3
SHA1 9e3d90393a191f1aade8dec8dfe3fee803b238a4
SHA256 4ded4680860826c23b94c073c32552b219b9acd7d129ed9237f5bae017372813
SHA512 9b28b28b73361605f859c213c14ebcd6fd6c035991b3f5a7b0ec98da19ffcb8de1e4b1821a51137eae309c5abcb57339117526fb6c797deab7928fd3220c0e68
-
Filesize 1.4MB
MD5 262345468f986a5873fa6a02dea52131
SHA1 1835bf614b3df01e4ce457d3153fdaaf941060b7
SHA256 1025441eb1695812dfbe4c4dd2864974b9acacef846d31629e97f5e9d0c0ca30
SHA512 5e212b694029c4525e1f1cc33cfc8b61ca7c6a3911a0dc70114177f8a4c2221ef0d31913f17b96d2986824aabaa34d94be37868c9e320680202a54e5d5fbb750
-
Filesize 1.7MB
MD5 fc06685bd30f46365168d8d4ef24a61d
SHA1 3018f5b6408103c799b90f69ca0e497cf63c25aa
SHA256 68c552c6ccf14f02aed6d520602eb0dd49bb71f1ceeb584f29e22ff0b0acc79e
SHA512 0e6516ffc5f5c8455e41887ca84289e882a4970eb59db0c405eca5518d3754053cb16ee1a1bf8376e7ac928a90664c088232872d4725f2902122d00b7a388e19
-
Filesize 1.4MB
MD5 605ee9d48709f7783e20667c79b7a272
SHA1 1edd3c4bcd3694b365ae28ab1d81137a22ab9249
SHA256 6b4d500cb81e5ad434dde159d4a8a33bf148e45ca5147402013df103a11b5cb7
SHA512 91a9a64a3800871b428a201fb6a6bf949bd83002c944ea4c5aedce257b1e37c19f4f0f1249a51d916d14326e6b14ea58ffd875ca11d77eded36ce8cdafcc0b4f
-
Filesize 1.4MB
MD5 de74f7bdce08895f6eccece7c0b1bfe5
SHA1 4ba54d7a59176cb8d92048d44dbc5219fa56df7f
SHA256 d1cfc7621b38525ffccf25f1fac276d435a97a88d2f3e1dec9eb5eb8449a35af
SHA512 4f8e344a511683cbec14045c6e5563607245753c1491f8c63842a8af74e147ab7717daed47f73cddae07fddf1e252cd1c7c1c6315c48f36baa7032d289e77fb6
-
Filesize 1.6MB
MD5 c79952af07111a1880f9d61e50dcc199
SHA1 bd379f142b9d6470047c3bd094aa5c78dd4c9b1b
SHA256 e19c65fdd882f7a12c8f7d324cf66c8c9aca888ab0afd2be6044b78fdb348ad1
SHA512 24399966cd091a8f81f25bc727cdcd4194bfe771937d629637d85ac1e5c6d9117c4325f73d0e24137b5e89df7cd9163c361703bf6d733b6fde39bb0d48f81217
-
Filesize 1.4MB
MD5 f5a0acc42f228a896462539ee4c9dd0a
SHA1 1bf57affa58f764f5c37dbf1d0a0ad8b66e247f6
SHA256 1ecbfad0a4f65aa7a2537cab39faf6fbef89011327d01e944ba9e44e41671df1
SHA512 0e0b26dc8387b6bb4cf6732dd2eae8c34e09d02a3f645c7244ad9ba03a8e457ae6134d26127297d642721c6803e541a46b7f0f25990f347577f737bf91b730bc
-
Filesize 1.4MB
MD5 1fb9f2f2c404653b0993cedb37fbdb85
SHA1 a85e7260094e37eea9ab9973bdaf55f005565dca
SHA256 c3aeb0032007db499bc8d334adcf8960b7149dae6e47a12ed487716a43c6983f
SHA512 e05575f90e2a6013c6a10aa28fe2edcf098606a87623b3d35346ff2ad183f8866a9257157393834af5f2b08b19ab638644226138ccce2afa3e0ef150ea65e13a
-
Filesize 1.6MB
MD5 64772dcb47cedadb3f5f96081d7d8485
SHA1 17fb2ac3d9768d8deb0722416096082580870c48
SHA256 4e8eceef00fcae0b3f5a40f3a5eea9e42fadb204f0e9b145b939c961e2a194bb
SHA512 a66efba378b1b0bfbca9d74c0e986fdc2c06210473f93aa2c5b46a2d18745a49f6cac0bf67d579c3a2ff077357a622bfa031fc519f13b959ee0a18a69d760701
-
Filesize 1.7MB
MD5 96ad7f787d383cc558344ffc0de76d98
SHA1 0ad390febc2a7c2d889063a17795dfebb0f035cd
SHA256 90b03bfb98e5d5fa91ac3a8371a32638e2260252d9b711a598ce146f0112f074
SHA512 166bf26f313872e075cd3dfef76a93d0d974bffafb920e551085cc2c37ab2da4868a9054a3e6832d4de181206a90d4e301907d72dc04a4891f331f6ad772336e
-
Filesize 1.9MB
MD5 7695c5933bd17720811c1e35dd00786d
SHA1 65d26da2259907f231667d0359f21734479d78f3
SHA256 3b375ca0866fb432e8274059de1730bbe8d5530381c80c1b2b65838ea04ff243
SHA512 f24a2ed42901ba7548ebf217a4d4741cdb45441c4fc86315ce4053779bec85b307afcb45dbbf754d37961a718e67620300346029abe912e25be96968db899b54
-
Filesize 1.4MB
MD5 644ebcb3b99c7156a3cde2c8b90afc82
SHA1 004af80c6f72df8bfb4842f26a2d2341afc6e17a
SHA256 10a8173f1e64c6b5d476db263704c899e3ef01ce97a7e97d375ea84ebbf8ae7c
SHA512 f2a123d7520e71249eee3cd8d4962ee63a73d8f7493712dcbe9d60576a10d39247f409d56da0308cf09e2a25ecf9cb993ac09466fc498eedd46758182e120dd9
-
Filesize 1.4MB
MD5 d341d24b11ad118fad045bb351208efa
SHA1 2073e7a56ef1cacf7ceaaea61cbc63529445e4be
SHA256 507a70006cc1a2ebfd11fb146b961e14126fcb8e98bf437941a148a4633a898d
SHA512 71be8e85ee323163ccb32bb078446230a89e2b435b612ebdd4f213382e5a443d179d14dcea196613f90deba110e3d78cb9eec64de13a0d4f8c45a5fb5b174ffc
-
Filesize 1.4MB
MD5 64fa4e57b73bf3dc8653ff88fc59c210
SHA1 30efcfe1a9eb6a2e2ad5e9066284aaff6c09f4e8
SHA256 667b6c0d3cfbb9ce49b33d1319d9786d707f23d69dc357cea7e7ae631c335192
SHA512 638ae47897165e745273c99376041f60f310c0a59df45b3cce8c152743c983bc76053e4ce228b476b4df740def60f7b6621f59e462fdd768e051123afe4ec18c
-
Filesize 1.4MB
MD5 a8d6c31b9923f4a99c191e6358072433
SHA1 d8d8d9517377b91487a49426057ed9f85fd6eaf6
SHA256 af3debcd02e9dd832f40194446beaaa4a811d655af313c1056a5e9af7016cc72
SHA512 689c66264a16a2401900469b7df032e6bb559a7086637a37e2b4dd0e4ab55672fa29a635ccf3d22af30203999296d5effcea81b499bd7ca4524685250bd3994e
-
Filesize 1.4MB
MD5 5dbeac46753b4160b80ebfebea349d99
SHA1 b69f0c93957aee947bd42d26fdbbe86765288ff7
SHA256 70bb4a4b7f659dcd2542cde594f8e064a31565a86caa5eb99f8cb15c44d7d5ff
SHA512 20113059cab0e1ebc5d851f9742ff87781dace7b4e0087a04f38ecbc75134b1763b7499681a071c38f0f6597bed0b973a830296b9bc9a4a6ce2a74c558e832f6
-
Filesize 1.4MB
MD5 a6ca2bc87c769b6d8c539f8cf4ca351c
SHA1 83ed5d548fbd6781b72b55ad175978fbb48bc835
SHA256 ac0046c42e2327025457f7cf8e7aa5fafa62dd35b5e6f033b3ae8dd6e7decbc9
SHA512 2ac9c93fbb0ed44955dde2cd05324e91a1d709182bfd640000b8f2ae6cb63c50caed6080eb8e0482e6e07187d5d2e2bb25f1a44a96903568b98c8f26dafacddb
-
Filesize 1.4MB
MD5 f675580b1792a687a6b729e7ba8612e1
SHA1 514746339bffa9bb0bb7088c967821c7a453cdf8
SHA256 0419ffa9ba99ba049917cbbf40f36197192afd476dd74a36745b68fd6779eb4e
SHA512 4e1b9c34105958f11265ec9b4bdfebf4a87c5bb56e5d978e162a40ebdd14b7ab4fe327fe606f9fdbf51f6a86be7eb69d60f3db41cb728e1c27a8ebc7ae84fd26
-
Filesize 1.6MB
MD5 ff7f27d8861e94747aedfdb95e9f8ea7
SHA1 025f73e0c455f5d5e8b4fea88981885e8cefba7e
SHA256 a8676d002832927b94ce4a7fc22dc0d4ff699bb105d6c52ce6779add8ea86579
SHA512 cd2c3c51f5e9fe7adf23cc5a439e8a13baf60f8a6ce0b1c8d239b7540d0fa69a2971b3d7c5074eff3c029e6a68cf37e5f89b3330cefe058b897fa1979993de00
-
Filesize 1.4MB
MD5 652192ae58b95cad89174098c2e2f980
SHA1 a1b3e1ef85b7adddb865a4b6fc5a155b7413d97e
SHA256 426e93385a072c6f593fb6e79ad7672a7edaed282312b11aab99f57f2667166a
SHA512 6961a680a335f1353c9215c76eacdbdd4b0757792962acfac071deb406ec7b413b5b2202e87de06fba948d2456e072cbccf3af1bb2da06b914e1fe1571517cd7
-
Filesize 1.7MB
MD5 502ad31169c97fcc3a4709b67da361b5
SHA1 03d39a324369a3eccd44f5e0f34e93fc217defd2
SHA256 01bdb3dd4ca993fd27fca20bd458f64df7ab00e73e9909fe1ba7bf38ed648aed
SHA512 b85f38f4a4875162ea2573f716d7201bd562fb07eed2f26735db7f9f6203b26a976ed3c7778ce945a67710e56412fe07afd70dba2e17b0026427e301d3d4246e
-
Filesize 1.5MB
MD5 3d6b11cf0ab014e602a589cc86304ec9
SHA1 90336777e762a5b173f2dd91a9eaf117cb3a5851
SHA256 6805d533017dba1777b80b0c50bc594367f2ccd0ebc9a8515b7168678540a41d
SHA512 8885f5c9d61e23d4db5f1f2167064679dd3542ddf9819a00780e37c578d3956d8e4dc654da93aa3085eb5610c30e0a70601a5afd8c447dd1fce927e9aa8c8dc1
-
Filesize 1.2MB
MD5 7ce09117d2e8928736743d9b8c5fbf4b
SHA1 01d4e774153a1c007dbeb6afb9120cbe4677ebe3
SHA256 73e234a78c1cc18ad27f75d5aa47221312692dd3045bc61dc925f2e8c5f90e39
SHA512 99f160508b52b4728a93e65fc5aeb1483b1de1eafdb93e54195255908246f3f099d05b97e2abd9036eae4c249b6490177d26ce2323e7e4767aaa2757c95de5d5
-
Filesize 1.4MB
MD5 eab38961a71e7b6d49f9a4207c478bb3
SHA1 3da12eebb24e1e95bca39da031f4cd5d94ed49e3
SHA256 26d2a9f187e7c30133de2a884359865304b3cc780379f888822eb7f2069f92dc
SHA512 011570a372523952e3ba145d83a8191d8b1dc6ad32b172b3df516f425d9074d0869b9d47bd9a82a4e6f9e4ba3af636791c259a9b636a41815bc79dcf2623325e
-
Filesize 1.8MB
MD5 9fedcbec812bd313758112d4c7d508ce
SHA1 9bf66ac18db06ef6e0d326fdf554782c9a32bad0
SHA256 77a3d50bc303b0a1f3be2acad84e69928f0566cb19b1dd5ec4371ea75d41daa1
SHA512 de34955d93ea8bf207b66134730806700ce300c849dc54e365de912cbcfde8fce7aa6f1eb7d12715cd9f8ab8853707bc32bf79c1cf9ccbaedcf8a1977a4bda75
-
Filesize 1.5MB
MD5 28f2afadc83c1bb3d102863435ac55b1
SHA1 99b841f91aad41f67660999a961bb49514f68fe0
SHA256 e13ef652a8cb8ef8b077f7a091073e1ace53ddf4b13dafe5a655f7636adef75e
SHA512 f02a84af0494b2ed32cd143296bbc8713a2240b43b0b683429196c86252976563d88f5cfb28a3c376eff73ca1985ed19c16dedb6ef07fbbb2ad2f9a74b0a0887
-
Filesize 1.8MB
MD5 459a26f6d1bbc2084ebb2e3a7b58825f
SHA1 c7090adecb96c27688dcfdad64c67051b3c7002c
SHA256 65acd339ffb77dedea593c998d6d1f31e8e5a36d46be9f070c8448fda23f2de8
SHA512 218e797222d8a3d08ec3e3e580123cad48facc1293eae0dfc93d1f3634d8a9404c7b5ba2f877ae634d3fcbdc2798c92a10cf6b15172f9eafda94d41591d61d20
-
Filesize 1.4MB
MD5 c0e960069f8de8dc2aeaf479ca62d9ee
SHA1 6d3a549488410ce3ef68bb737138e233120cf92f
SHA256 842a7475adfd9d746a76407168b3b92bea89b64c04890a78f398aff4c9983b97
SHA512 194bf8646f612d9c3e67e855b7b00ff801c2be66d894c932d53e2425faaa30b6492ef7cfc26d62ddbf2d034e28752a72d0d3da2cf30b3cb1c71065010280a696
-
Filesize 1.7MB
MD5 40404fcf4fd29f9dcb860f03846ba2fe
SHA1 befc42b9f6eece30b1f771ef741cbb2b16b26693
SHA256 dd7d5dc82a8400671c86665c80b52a95783ecfb61d8b033c60bdf7ec36dcd965
SHA512 850f7ee595c8e28d70780e2a59bcb3453e85ebb95e6e39d42016b832a0a9344bd3d115e01d3ad928578c1a96c43750043aa3f849ade7a7db8f21434a347775f3
-
Filesize 2.0MB
MD5 58840dc0aea0bb2d39e7ec6ad06ac612
SHA1 7247cf845ca87c8ec66c7322cd81238650a6dda4
SHA256 5c77ec44b2180e39dbc71381e36d43fe639b4bdf39f3212b9fffa4ef5fefbe42
SHA512 ef052ff9ee15186ee1929b580d2ff861e15fd139e34572967f04c820aad25c3b702f93642ba972f98588c56cc8f331cca27f54898d5176c2309002f4f4b8c86e
-
Filesize 1.5MB
MD5 d097920c05fe2fd386ab43445a583a0d
SHA1 baa6b72cae1821a851ef3d24244083b44373b571
SHA256 c357afc37dc7b6d22e4a3bc07ad000376bc1ea4de3037238eb9a22c3c89f9c13
SHA512 1311a3a4be8badf5bb198bb31feef56a05cb266d6da20251a5380139feeb2b36248cb30fed983b93db731f479eeb8aded6da2acd3f794f519ddca1de6bf75346
-
Filesize 1.6MB
MD5 947f9421e1231a5e59abd325d8e152c3
SHA1 ae27f3c3e04562ef646dc9ba3bb46846a3f43f56
SHA256 9070592a3b0920bbb54a3f67b131280eaba4279a145aa536cfc4fd46cc7a7599
SHA512 01cae79d192b225dc33c9a7b72f425cec6ca02dde2aabafa7ca2b57a8c3cc12b9d46d63374d7b1965470955ee07116033f870d27d5121cd48184557322b07e29
-
Filesize 1.4MB
MD5 0359a33540a341b301fc549e45383e93
SHA1 323868d4074c85e4496b973b95c2df3503a81565
SHA256 6fa1616ea8e94c7627988802d640e73e8109a2872917a4e30bb3e16330a7a690
SHA512 ef1eae38123dc2452235f0d7d338f628589c5ef562028f50720ee0d5340ed354a89f37929d69511bd970ad9f7c7011f63d31b6ccc9f11f5e16c589dd543259a8
-
Filesize 1.3MB
MD5 3de112b494394026f079a07090ad3736
SHA1 cfbeb1439dd129a8606fc6598a5e2cb9476ad5b4
SHA256 e3780721fab68ff7b05fc6f63d33c32b8502b6b428a0ffc15b15f9239ecff2ff
SHA512 90cb315b4990fdc697150a21de9626ebbf9119738f6fc9ab243324230832d6f9ceb02bb17a651146201920eb19ffbea0b980881ed714ec70940f8ba6c60d4b45
-
Filesize 1.6MB
MD5 28fb02152395eb4fd7d160bbd85669f4
SHA1 eadea05c8f8e3e81c3e41691a4100032c110a37e
SHA256 93616cecde5a56cfa58b5308d4aa21bc073fa4a43481f0d99fb5dd2b7f0a0ed2
SHA512 a0248604962bc0b289ec817bcfc23963fbc6a28deb6772202d250268ee25d48ebc708fd6ec81625a6bd6ca31d1db3b7233cbe516b9c29a409ea248cc56e27cdc
-
Filesize 2.1MB
MD5 de52b4bb637dbf70a22fda8f7c06b646
SHA1 cfe249fafa87ab3d2b4bae7e0cabdc29a4a48a6c
SHA256 5bbac0f4370d543a3bb68e9992b6381fcfb64a994e67f1fb8347c902076a9ac8
SHA512 ece32727dbe6b8b566edc207c8deea50c2d71b36aaa3e49529bd4102907aaa22322ef2ff1d5b21655f48403e144ed450c8e2fa0a66f9ff6af6106c68bd722260
-
Filesize 1.3MB
MD5 ea06ba5ee4dd61b5d5765376b67982f1
SHA1 1575e197322fa51240ca311ad3f7872ddbbdea39
SHA256 07993cfe4ab599b4ad4ab2ccb13151eda8ad71564eaad397bc76dfead1ea33b5
SHA512 c23d5c25ca383c939ae34375b1c46e4a38aa109992b3b6798598d1e0dc55c147ac4330e2ae340c6b09bec9a1c97927c985b68004d44420340bd5e558ca46a210