Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
submitted: 04/07/2024, 19:53
Static task: static1
Behavioral task: behavioral1
Sample: 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
Resource: win7-20240508-en
General
Target: 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
Size: 1.8MB
MD5: 2702a61323056d4bdddaf30f896bf0f0
SHA1: 7b97f28792bb58c8cc9ff3b49c57000c4dd98413
SHA256: 4c5001ad86f4ea46e53ac119f7ad60ad5509ff728cebd09cbf971a99355d11bc
SHA512: 5813285de89e46402d0b8419cdf22db1ab78272fcd1e184df8678bdd4eeee8d3de8573cb107337e29848d4d52d6615b0dfde35b69140bddce8dac60c6d73d2d6
SSDEEP: 49152:JE19+ApwXk1QE1RzsEQPaxHNL+YktHRFcbtUKA:693wXmoKj+YwHRkeK
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
3508 | alg.exe
3932 | DiagnosticsHub.StandardCollector.Service.exe
3456 | fxssvc.exe
1840 | elevation_service.exe
3812 | elevation_service.exe
1328 | maintenanceservice.exe
4876 | msdtc.exe
1472 | OSE.EXE
4000 | PerceptionSimulationService.exe
1612 | perfhost.exe
2724 | locator.exe
3280 | SensorDataService.exe
2368 | snmptrap.exe
3204 | spectrum.exe
4616 | ssh-agent.exe
552 | TieringEngineService.exe
508 | AgentService.exe
1008 | vds.exe
3936 | vssvc.exe
1304 | wbengine.exe
1756 | WmiApSrv.exe
4972 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\7f41b4bca46faa3.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_114093\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_114093\javaw.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_114093\javaws.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000030074e84bceda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006557e7e74bceda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e8318e94bceda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018944ae94bceda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ba65de94bceda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d3b6fe84bceda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2ff92e84bceda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea794be84bceda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c2c1ee84bceda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbcebee74bceda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000226295e84bceda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 
2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 664 Process not Found 664 Process not Found -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe Token: SeAuditPrivilege 3456 fxssvc.exe Token: SeRestorePrivilege 552 TieringEngineService.exe Token: SeManageVolumePrivilege 552 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 508 AgentService.exe Token: SeBackupPrivilege 3936 vssvc.exe Token: SeRestorePrivilege 3936 vssvc.exe Token: SeAuditPrivilege 3936 vssvc.exe Token: SeBackupPrivilege 1304 wbengine.exe Token: SeRestorePrivilege 1304 wbengine.exe Token: SeSecurityPrivilege 1304 wbengine.exe Token: 33 4972 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe 
Token: SeDebugPrivilege 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe Token: SeDebugPrivilege 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe Token: SeDebugPrivilege 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe Token: SeDebugPrivilege 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe Token: SeDebugPrivilege 4892 2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe Token: SeDebugPrivilege 3508 alg.exe Token: SeDebugPrivilege 3508 alg.exe Token: SeDebugPrivilege 3508 alg.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4972 wrote to memory of 4516 4972 SearchIndexer.exe 109 PID 4972 wrote to memory of 4516 4972 SearchIndexer.exe 109 PID 4972 wrote to memory of 4476 4972 SearchIndexer.exe 110 PID 4972 wrote to memory of 4476 4972 SearchIndexer.exe 110 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe"
Level: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3508
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Level: 1
- Executes dropped EXE
PID:3932
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Level: 1
PID:856
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Level: 1
- Executes dropped EXE
PID:1840
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Level: 1
- Executes dropped EXE
PID:3812
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Level: 1
- Executes dropped EXE
PID:1328
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4876
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Level: 1
- Executes dropped EXE
PID:1472
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Level: 1
- Executes dropped EXE
PID:4000
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Level: 1
- Executes dropped EXE
PID:1612
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Level: 1
- Executes dropped EXE
PID:2724
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Level: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3280
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Level: 1
- Executes dropped EXE
PID:2368
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Level: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3204
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Level: 1
- Executes dropped EXE
PID:4616
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Level: 1
PID:5116
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Level: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:552
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:508
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Level: 1
- Executes dropped EXE
PID:1008
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3936
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1304
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Level: 1
- Executes dropped EXE
PID:1756
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Level: 2
- Modifies data under HKEY_USERS
PID:4516
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Level: 2
- Modifies data under HKEY_USERS
PID:4476
-
Network
MITRE ATT&CK Enterprise v15
Downloads