Analysis
max time kernel: 148s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/06/2024, 18:23
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
Resource: win7-20240611-en
General
Target: 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
Size: 1.8MB
MD5: c88b3aac29e5f4c67d7243514b8c7a8d
SHA1: 1c02c8e9addf277cc31df2bd251be9611eed873b
SHA256: 125d223a8470490917c05344bb26eef3571c3cbf4ff648b008309468257bba63
SHA512: 7261ec4d3a406f49d0cde6c8eba01f192a7c14c18c9c83a9dfa74c62100ca1ff02b20e0edc2b188d27657b4d9f6ca5c0e1a6965381bd22717e246c3c6f6d9d15
SSDEEP: 49152:nE19+ApwXk1QE1RzsEQPaxHNamgiTd8DsMcDKGfWbYCGE:493wXmoKCBiTLMiKGu8CP
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | process
5976 | alg.exe
3168 | DiagnosticsHub.StandardCollector.Service.exe
2648 | fxssvc.exe
3124 | elevation_service.exe
5788 | elevation_service.exe
5712 | maintenanceservice.exe
488 | msdtc.exe
5376 | OSE.EXE
3632 | PerceptionSimulationService.exe
3592 | perfhost.exe
5032 | locator.exe
5764 | SensorDataService.exe
5420 | snmptrap.exe
2324 | spectrum.exe
5704 | ssh-agent.exe
396 | TieringEngineService.exe
700 | AgentService.exe
448 | vds.exe
3084 | vssvc.exe
2236 | wbengine.exe
6132 | WmiApSrv.exe
5888 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops file in System32 directory (31 IoCs)
description | ioc | process
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\41678c58293b476c.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory (3 IoCs)
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
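The three "Drops file" signatures above and the "Executes dropped EXE" list are best read together: every name in the executed list (alg.exe, fxssvc.exe, SensorDataService.exe, ...) is a Windows service binary that the sample had first opened for modification at its normal path, and one of those binaries, DiagnosticsHub.StandardCollector.Service.exe, then opens further executables itself. The report only records that the files were opened for modification, so on a real host the names alone are not enough; the binaries need a hash or Authenticode check before they are treated as infected. The script below is an added example, not part of the tria.ge report or its tooling. It parses a constructed excerpt of the page's own rows (in the flattened one-line form they appear in here) with an assumed regex, cross-references the two lists, and prints which executed service names correspond to a path the sample wrote, plus which processes other than the sample did writing of their own.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt of this report's "Drops file" and "Executes dropped EXE"
# rows, in the flattened one-line form the page uses (path, then the process
# that opened it). Only a handful of the page's rows are reproduced here.
SAMPLE = "2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe"
STAGE2 = "DiagnosticsHub.StandardCollector.Service.exe"
DROPS = (
    f"File opened for modification C:\\Windows\\system32\\AgentService.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\system32\\DiagSvcs\\{STAGE2} {SAMPLE} "
    f"File opened for modification C:\\Windows\\system32\\SgrmBroker.exe {STAGE2} "
    f"File opened for modification C:\\Windows\\SysWow64\\perfhost.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE} "
    f"File opened for modification C:\\Program Files\\7-Zip\\7zG.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe -"
)
EXECUTED = (
    f"pid Process 5976 alg.exe 3168 {STAGE2} 488 msdtc.exe "
    "3592 perfhost.exe 700 AgentService.exe -"
)

# A path may contain spaces ("Program Files"), so the path is taken lazily and
# the process name is the last token before the next row (or the block's end).
DROP_ROW = re.compile(
    r"File opened for modification (?P<path>.+?) (?P<proc>\S+)"
    r"(?= File opened for modification|$)"
)
PID_ROW = re.compile(r"(\d+) (\S+)")


def _clean(text: str) -> str:
    # The page terminates each signature block with a trailing " -".
    return text.strip().removesuffix(" -").strip()


def parse_drops(text: str) -> list[tuple[str, str]]:
    """Return [(path, writing_process)] from a flattened 'Drops file' block."""
    return [(m["path"], m["proc"]) for m in DROP_ROW.finditer(_clean(text))]


def parse_executed(text: str) -> list[tuple[int, str]]:
    """Return [(pid, process_name)] from a flattened 'Executes dropped EXE' block."""
    body = _clean(text).removeprefix("pid Process").strip()
    return [(int(pid), name) for pid, name in PID_ROW.findall(body)]


def modified_then_executed(drops, executed, sample):
    """Executed process names that match an .exe the sample itself opened for
    modification, mapped to the full path(s) it touched under that name."""
    by_name: dict[str, list[str]] = {}
    for path, proc in drops:
        if proc == sample and path.lower().endswith(".exe"):
            by_name.setdefault(PureWindowsPath(path).name.lower(), []).append(path)
    return {name: by_name[name.lower()] for _, name in executed if name.lower() in by_name}


def secondary_writers(drops, sample):
    """Processes other than the sample that opened files for modification, i.e.
    write activity coming from binaries the sample had already touched."""
    return sorted({proc for _, proc in drops if proc != sample})


if __name__ == "__main__":
    drops, executed = parse_drops(DROPS), parse_executed(EXECUTED)
    for name, paths in modified_then_executed(drops, executed, SAMPLE).items():
        print(f"verify on host (hash / Authenticode): {name} -> {paths}")
    print("writers other than the sample:", secondary_writers(drops, SAMPLE))
```

In the excerpt, msdtc.exe is executed but its binary is not among the constructed rows, so it is reported as unmatched rather than guessed; SgrmBroker.exe is written by the second-stage binary, not the sample, so it shows up under the secondary writers instead. Feeding the script the full row text from the page produces the complete verification list.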
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
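Two details in the SCSI and processor signatures are worth pulling out. First, the registry reads are not made by the original sample process but by SensorDataService.exe, spectrum.exe and TieringEngineService.exe, all service binaries the sample had opened for modification earlier in the report. Second, the device IDs themselves show what a vendor-string check would see on this machine: a CD-ROM reporting Ven_QEMU, two Msft "Virtual_DVD-ROM" devices, and a disk reporting Ven_DADY, which matches no well-known hypervisor string. The script below is an added example, not part of the tria.ge report or its tooling. It parses a constructed excerpt of the page's registry rows with an assumed regex, groups the SCSI device IDs with the processes that touched them, applies an illustrative (assumed, not exhaustive) table of hypervisor vendor strings, and lists the processor-speed reads used for timing checks.

```python
import re
from collections import defaultdict

# Constructed excerpt of this report's "Checks SCSI registry key(s)" and
# "Checks processor information in registry" rows, in the page's flattened form.
SCSI_ROWS = (
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"
    "\\4&215468a5&0&010000\\Properties\\{51236583-0c4a-4fe8-b81f-166aec13f510}\\007A SensorDataService.exe "
    "Key value queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"
    "\\2&1f4adffe&0&000001\\FriendlyName spectrum.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\Disk&Ven_DADY&Prod_HARDDISK"
    "\\4&215468a5&0&000000\\Properties\\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\\0006 spectrum.exe "
    "Key value queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\Disk&Ven_DADY&Prod_HARDDISK"
    "\\4&215468a5&0&000000\\FriendlyName SensorDataService.exe -"
)
CPU_ROWS = (
    "Key opened \\Registry\\Machine\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 TieringEngineService.exe "
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz TieringEngineService.exe -"
)

# Registry paths in these signatures contain no spaces, so key and process are
# single tokens after the operation name.
ROW = re.compile(r"(?P<op>Key opened|Key value queried) (?P<key>\S+) (?P<proc>\S+)")
# Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>\<instance>[\...]
DEVICE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)",
    re.IGNORECASE,
)
# Vendor strings hypervisors expose through SCSI enumeration (assumed, illustrative).
VM_MARKERS = {"QEMU": "QEMU/KVM", "VMWARE": "VMware", "VBOX": "VirtualBox"}


def parse_rows(text: str) -> list[tuple[str, str, str]]:
    """Return [(operation, key, process)] from a flattened registry signature block."""
    body = text.strip().removesuffix(" -")  # the page ends each block with " -"
    return [(m["op"], m["key"], m["proc"]) for m in ROW.finditer(body)]


def scsi_devices(rows) -> dict[tuple[str, str, str, str], set[str]]:
    """Distinct SCSI device IDs touched, as (class, vendor, product, instance)
    mapped to the set of processes that opened or queried keys beneath them."""
    devs: dict[tuple[str, str, str, str], set[str]] = defaultdict(set)
    for _, key, proc in rows:
        m = DEVICE.search(key)
        if m:
            devs[(m["cls"], m["ven"], m["prod"], m["inst"])].add(proc)
    return devs


def hypervisor_hints(devs) -> list[tuple[str, str]]:
    """What a naive vendor-string check would conclude from each device."""
    hints = []
    for cls, ven, prod, _ in devs:
        label = f"{cls} {ven} {prod}"
        if ven.upper() in VM_MARKERS:
            hints.append((label, VM_MARKERS[ven.upper()]))
        elif ven.upper() == "MSFT" and "VIRTUAL" in prod.upper():
            hints.append((label, "Hyper-V virtual device"))
    return hints


def timing_probes(rows) -> list[tuple[str, str]]:
    """Processor values read from the registry (~MHz feeds timing-based checks)."""
    return [
        (key.rsplit("\\", 1)[-1], proc)
        for op, key, proc in rows
        if op == "Key value queried" and "CentralProcessor" in key
    ]


if __name__ == "__main__":
    devs = scsi_devices(parse_rows(SCSI_ROWS))
    for dev, procs in devs.items():
        print(dev, "<-", sorted(procs))
    print("hypervisor hints:", hypervisor_hints(devs))
    print("timing probes:", timing_probes(parse_rows(CPU_ROWS)))
```

On this excerpt the QEMU and Msft virtual DVD devices are flagged while the Ven_DADY disk is not, which is the usual result of string matching on device IDs: the check is only as good as the marker list, and a sandbox that relabels some devices still leaks through the ones it does not.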
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a376f34bfc8da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079b65135bfc8da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e870436bfc8da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026fefa35bfc8da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009fe5434bfc8da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5c7dd33bfc8da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF =
010000000000000079b65135bfc8da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f78ee33bfc8da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 
2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe 3168 DiagnosticsHub.StandardCollector.Service.exe 3168 DiagnosticsHub.StandardCollector.Service.exe 3168 DiagnosticsHub.StandardCollector.Service.exe 3168 DiagnosticsHub.StandardCollector.Service.exe 3168 DiagnosticsHub.StandardCollector.Service.exe 3168 DiagnosticsHub.StandardCollector.Service.exe 3168 DiagnosticsHub.StandardCollector.Service.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 676 Process not Found 676 Process not Found -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe Token: SeAuditPrivilege 2648 fxssvc.exe Token: SeRestorePrivilege 396 TieringEngineService.exe Token: SeManageVolumePrivilege 396 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 700 AgentService.exe Token: SeBackupPrivilege 3084 vssvc.exe Token: SeRestorePrivilege 3084 vssvc.exe Token: SeAuditPrivilege 3084 vssvc.exe Token: SeBackupPrivilege 2236 wbengine.exe Token: SeRestorePrivilege 2236 wbengine.exe Token: SeSecurityPrivilege 2236 wbengine.exe Token: 33 5888 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5888 SearchIndexer.exe 
Token: SeDebugPrivilege 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe Token: SeDebugPrivilege 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe Token: SeDebugPrivilege 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe Token: SeDebugPrivilege 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe Token: SeDebugPrivilege 2156 2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe Token: SeDebugPrivilege 3168 DiagnosticsHub.StandardCollector.Service.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 5888 wrote to memory of 2264 5888 SearchIndexer.exe 109 PID 5888 wrote to memory of 2264 5888 SearchIndexer.exe 109 PID 5888 wrote to memory of 2440 5888 SearchIndexer.exe 110 PID 5888 wrote to memory of 2440 5888 SearchIndexer.exe 110 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-27_c88b3aac29e5f4c67d7243514b8c7a8d_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:5976
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1804
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:3124
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:5788
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:5712
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:488
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:5376
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3632
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3592
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:5032
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5764
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:5420
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2324
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:5704
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3248
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:396
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:700
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:448
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3084
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:6132
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5888
  C:\Windows\system32\SearchProtocolHost.exe (child of PID 5888)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2264
  -
  C:\Windows\system32\SearchFilterHost.exe (child of PID 5888)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID:2440
  -
-
Network
MITRE ATT&CK Enterprise v15
Downloads
