Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/07/2024, 17:43
Static task: static1
Behavioral task: behavioral1
Sample: 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Resource: win7-20240705-en
General
Target: 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Size: 1.8MB
MD5: e9f5a6c05d03d76e632d711f9760cab5
SHA1: 3629ee459e87b1e08e443112c2cccd1865023091
SHA256: 3bed5d0ff60aac5666b851b6972de07b666163761b20259de51149d4de148854
SHA512: 1be6f20d141892776705c0b5df28ddd819214ea3d85e2e80f829ecbc81f78ec37a50265683c1dde9d95bcaaf8653b8bae3606c74d0fa5486f5f66de59f18daf7
SSDEEP: 49152:hE19+ApwXk1QE1RzsEQPaxHN9k2c962L637u:y93wXmoKVk5f2q
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
Every process below runs from a path that the "Drops file in ..." lists further down show the sample (or the already-modified alg.exe) opening for modification, i.e. these are existing Windows and third-party service executables that were overwritten in place and then started, not new files the sample created. pid 4744 is listed for both fxssvc.exe and SearchIndexer.exe, so the PID was reused during the run.
pid | Process
3396 | alg.exe
4996 | DiagnosticsHub.StandardCollector.Service.exe
4744 | fxssvc.exe
676 | elevation_service.exe
1952 | elevation_service.exe
5084 | maintenanceservice.exe
4400 | msdtc.exe
4524 | OSE.EXE
4484 | PerceptionSimulationService.exe
2248 | perfhost.exe
908 | locator.exe
1528 | SensorDataService.exe
4492 | snmptrap.exe
3992 | spectrum.exe
2056 | ssh-agent.exe
212 | TieringEngineService.exe
672 | AgentService.exe
3128 | vds.exe
5004 | vssvc.exe
4968 | wbengine.exe
1128 | WmiApSrv.exe
4744 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 31 IoCs
description: all 31 entries are "File opened for modification"
ioc | Process
C:\Windows\system32\dllhost.exe | alg.exe
C:\Windows\system32\SgrmBroker.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\spectrum.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\System32\alg.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\msiexec.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\System32\SensorDataService.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\TieringEngineService.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\fxssvc.exe | alg.exe
C:\Windows\system32\msiexec.exe | alg.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\425deb77c8648821.bin | alg.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\SysWow64\perfhost.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\AgentService.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\wbengine.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\vssvc.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\wbem\WmiApSrv.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\System32\SensorDataService.exe | alg.exe
C:\Windows\system32\AppVClient.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
C:\Windows\System32\snmptrap.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\AppVClient.exe | alg.exe
C:\Windows\system32\SgrmBroker.exe | alg.exe
C:\Windows\system32\AgentService.exe | alg.exe
C:\Windows\system32\dllhost.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\fxssvc.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\System32\msdtc.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\locator.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\System32\vds.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\system32\SearchIndexer.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
-
Drops file in Program Files directory 64 IoCs
description: all 64 entries are "File opened for modification"
ioc | Process
C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files (x86)\Internet Explorer\ExtExport.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\7-Zip\7zG.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
C:\Program Files\Internet Explorer\ExtExport.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Java\jdk-1.8\bin\java.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | alg.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
C:\Program Files\7-Zip\7z.exe | alg.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | alg.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jar.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Java\jdk-1.8\bin\jps.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Mozilla Firefox\firefox.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
C:\Program Files\Internet Explorer\iexplore.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Java\jre-1.8\bin\javaw.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
-
Drops file in Windows directory 3 IoCs
description: all 3 entries are "File opened for modification"
ioc | Process
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
C:\Windows\DtcInstall.log | msdtc.exe
-
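The three file-modification lists above are the actionable part of this report: the sample and the already-modified alg.exe open existing, Microsoft-signed service executables for writing, and those same paths then show up as executed processes. The following PowerShell is an added triage script, not part of the Triage report or of the sample, that checks a host (or a mounted image) for exactly those paths. It assumes an elevated session, that `$Root` points at a Windows directory, and that every listed path normally carries a valid Authenticode signature with `O=Microsoft Corporation` as signer; the path list is copied from the System32 and Windows directory IoCs, and the Program Files entries can be appended the same way.

```powershell
# Added example (not from the report): verify the service binaries this run
# shows being opened for modification. Assumption: run elevated; $Root may be
# the Windows directory of a mounted offline image.
param([string]$Root = $env:SystemRoot)

# Paths copied from the "Drops file in System32 directory" and
# "Drops file in Windows directory" lists of the report.
$targets = @(
    'System32\alg.exe'
    'System32\SgrmBroker.exe'
    'System32\spectrum.exe'
    'System32\OpenSSH\ssh-agent.exe'
    'System32\msiexec.exe'
    'System32\SensorDataService.exe'
    'System32\TieringEngineService.exe'
    'System32\fxssvc.exe'
    'System32\dllhost.exe'
    'System32\PerceptionSimulation\PerceptionSimulationService.exe'
    'SysWOW64\perfhost.exe'
    'System32\AgentService.exe'
    'System32\wbengine.exe'
    'System32\vssvc.exe'
    'System32\wbem\WmiApSrv.exe'
    'System32\AppVClient.exe'
    'System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe'
    'System32\snmptrap.exe'
    'System32\msdtc.exe'
    'System32\locator.exe'
    'System32\vds.exe'
    'System32\SearchIndexer.exe'
    'Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe'
)

$findings = @(foreach ($rel in $targets) {
    $path = Join-Path -Path $Root -ChildPath $rel
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Verdict = 'MISSING'; SigStatus = ''; Signer = ''; Sha256 = '' }
        continue
    }
    # Get-AuthenticodeSignature validates embedded signatures and, on a live
    # system, catalog signatures as well. Every path in the list ships signed
    # by Microsoft, so any other signer or a non-Valid status means the file on
    # disk is not the one Windows installed.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $bad    = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
    [pscustomobject]@{
        Path      = $path
        Verdict   = if ($bad) { 'SUSPICIOUS' } else { 'OK' }
        SigStatus = $sig.Status
        Signer    = $signer
        Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
})

# alg.exe also wrote a file under the SYSTEM profile in this run; its presence
# is an indicator on its own, so report it with its hash.
$bin = Join-Path -Path $Root -ChildPath 'System32\config\systemprofile\AppData\Roaming\425deb77c8648821.bin'
if (Test-Path -LiteralPath $bin) {
    $findings += [pscustomobject]@{
        Path = $bin; Verdict = 'SUSPICIOUS'; SigStatus = 'n/a'; Signer = ''
        Sha256 = (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash
    }
}

$findings | Sort-Object Verdict | Format-Table -AutoSize
```

Two caveats when reading the output. First, on the compromised host the services themselves have been replaced, so results produced by that OS are lower-trust than the same check run against an offline image or a second machine of the same build; comparing the SHA256 column against a known-good host is the stronger test. Second, many inbox binaries are catalog-signed rather than carrying an embedded signature, and catalog validation only works against the catalogs of the running system, so on an offline image a `NotSigned` status for a catalog-signed file is expected and the hash comparison is what decides.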
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
In this run the reads are attributed to SensorDataService.exe and spectrum.exe, two Windows service binaries that appear in the System32 modification list and in the dropped-EXE list above, so they may be those services' normal device enumeration at start-up rather than evasion logic in the sample itself. Either way, the values a process would get back on this VM (Ven_QEMU / Prod_QEMU_DVD-ROM, Ven_Msft / Prod_Virtual_DVD-ROM) identify it as virtualised, while the disk reports the non-standard vendor string DADY.
All keys below are relative to \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\
description | ioc | Process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
As with the SCSI reads, the process doing the reading here, TieringEngineService.exe, is a Windows service binary that the sample overwrote and that was then started, so the read may belong to the service's own start-up rather than to the sample.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
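To make the two registry-based environment checks above concrete, here is an added PowerShell probe (not from the report and not code from the sample) that reads the same keys the report lists under "Checks SCSI registry key(s)" and "Checks processor information in registry" and shows what a process learns from them on this kind of VM. The marker strings and the 1000 MHz threshold are assumptions of this example chosen to illustrate the technique; nothing on the page says which values the sample compares against.

```powershell
# Added example: what the flagged SCSI / CentralProcessor registry reads
# reveal about the machine. Assumptions: the marker list and the MHz threshold
# are this example's, not the sample's; run on the analysis VM to see which
# strings give it away.
$vmMarkers = @('QEMU', 'VBOX', 'VMware', 'Xen', 'Virtual')
$hits = New-Object System.Collections.Generic.List[object]

# The report's paths are under ControlSet001; CurrentControlSet is a link to
# whichever control set is live, which on a freshly built VM is normally 001.
$scsiRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI'
foreach ($device in Get-ChildItem -Path $scsiRoot -ErrorAction SilentlyContinue) {
    # The device key name carries vendor and product, as in
    # CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM; each child is one instance.
    foreach ($instance in Get-ChildItem -Path $device.PSPath) {
        # FriendlyName is the value the report shows being queried.
        $friendly = (Get-ItemProperty -Path $instance.PSPath -Name FriendlyName -ErrorAction SilentlyContinue).FriendlyName
        foreach ($marker in $vmMarkers) {
            if ($device.PSChildName -match $marker -or $friendly -match $marker) {
                $hits.Add([pscustomobject]@{
                    Source = 'SCSI'
                    Key    = "$($device.PSChildName)\$($instance.PSChildName)"
                    Value  = $friendly
                    Marker = $marker
                })
                break
            }
        }
    }
}

# ~MHz is the clock speed Windows measured at boot. Emulated CPUs tend to
# report an implausibly low or suspiciously round figure, and the name string
# can itself name the hypervisor.
$cpu = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
$cpuMarker = if ($cpu.'~MHz' -lt 1000) { 'LowClock' }
             elseif ($cpu.ProcessorNameString -match 'QEMU|Virtual') { 'Name' }
             else { '' }
$hits.Add([pscustomobject]@{
    Source = 'CPU'
    Key    = 'CentralProcessor\0'
    Value  = "$($cpu.ProcessorNameString) @ $($cpu.'~MHz') MHz"
    Marker = $cpuMarker
})

$hits | Format-Table -AutoSize
```

Read the output with the usual caveat: `Virtual` also matches `Msft Virtual DVD-ROM`, which any physical Windows 10 machine gets as soon as an ISO is mounted, so a single marker is weak evidence in either direction, for the sample and for an analyst judging whether a sample is evasive. What the report's values do show is an inconsistency a careful check would catch: the disk identifies itself as Ven_DADY while the optical drives still report QEMU and Msft Virtual.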
Modifies data under HKEY_USERS 64 IoCs
SearchProtocolHost.exe and SearchFilterHost.exe are the worker processes of Windows Search, started by SearchIndexer.exe (overwritten and executed above), and fxssvc.exe is the Fax service, also overwritten. The writes are MuiCache strings, file-extension keys and shell-extension cache entries under .DEFAULT, the profile those services run with, and look like those services starting up rather than the sample persisting or changing user settings.
All paths below are relative to \REGISTRY\USER\.DEFAULT\
description | ioc | Process
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchFilterHost.exe
Key created | Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d2475cf02cfda01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1abf7cd02cfda01 | SearchProtocolHost.exe
Key created | SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | SOFTWARE | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b86d1cd02cfda01 | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000684814ce02cfda01 | SearchProtocolHost.exe
Key created | Software | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Key created | Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d4e98cd02cfda01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068d6c0cd02cfda01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e8edcce02cfda01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a71a2cf02cfda01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | Software | SearchFilterHost.exe
Key created | Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Token: SeAuditPrivilege 4744 fxssvc.exe
Token: SeRestorePrivilege 212 TieringEngineService.exe
Token: SeManageVolumePrivilege 212 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 672 AgentService.exe
Token: SeBackupPrivilege 5004 vssvc.exe
Token: SeRestorePrivilege 5004 vssvc.exe
Token: SeAuditPrivilege 5004 vssvc.exe
Token: SeBackupPrivilege 4968 wbengine.exe
Token: SeRestorePrivilege 4968 wbengine.exe
Token: SeSecurityPrivilege 4968 wbengine.exe
Token: 33 4744 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4744 SearchIndexer.exe
Token: SeDebugPrivilege 5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Token: SeDebugPrivilege 5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Token: SeDebugPrivilege 5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Token: SeDebugPrivilege 5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Token: SeDebugPrivilege 5104 2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe
Token: SeDebugPrivilege 3396 alg.exe
Token: SeDebugPrivilege 3396 alg.exe
Token: SeDebugPrivilege 3396 alg.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4744 wrote to memory of 4868 4744 SearchIndexer.exe 106
PID 4744 wrote to memory of 4868 4744 SearchIndexer.exe 106
PID 4744 wrote to memory of 1940 4744 SearchIndexer.exe 107
PID 4744 wrote to memory of 1940 4744 SearchIndexer.exe 107
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-05_e9f5a6c05d03d76e632d711f9760cab5_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104
-
C:\Windows\System32\alg.exe (level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3396
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4996
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3540
-
C:\Windows\system32\fxssvc.exe (level 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4744
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:676
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1952
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:5084
-
C:\Windows\System32\msdtc.exe (level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4400
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4524
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4484
-
C:\Windows\SysWow64\perfhost.exe (level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2248
-
C:\Windows\system32\locator.exe (level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:908
-
C:\Windows\System32\SensorDataService.exe (level 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1528
-
C:\Windows\System32\snmptrap.exe (level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4492
-
C:\Windows\system32\spectrum.exe (level 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3992
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2056
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3796
-
C:\Windows\system32\TieringEngineService.exe (level 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:212
-
C:\Windows\system32\AgentService.exe (level 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:672
-
C:\Windows\System32\vds.exe (level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3128
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
C:\Windows\system32\wbengine.exe (level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968
-
C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1128
-
C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
-
C:\Windows\system32\SearchProtocolHost.exe (level 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:4868
-
-
C:\Windows\system32\SearchFilterHost.exe (level 2)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:1940
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD536c06d8ae407807df7cb9960a6d2167e
SHA18325f5cc91f6e542ad4072c6a4844dd4edd4e897
SHA256cb847e98653d857c51d01b09abac78d543068772715696f7cf779043559a4ee2
SHA512f15445e2e39471479044515da5e30300868dbe4c8aae7b1ccf313d458974465e03992778b4e54665545f33b2bfafc7490e72a32a26859577e8a9efeeecf4b228
-
Filesize
797KB
MD57fbc17438443fa829ab2fef5122376f0
SHA1999f5ff800e09db5cd37c8e7a31a596a6d2e5586
SHA256b581f38677b2e8dde77d8030a5a7216eb1a76d08f7a541c442e2d2d23d554bc6
SHA51263ffd5117a1c95f3cda64015e27fbfeeeea2262d29833811a8eb5d46e7c1d19d566c15e90ce0e1c8be1f0c069e35c1d36ac86641b371fc40f3f2da53009577c5
-
Filesize
1.1MB
MD5e21c8b81f5c3098adf866d1bee07311e
SHA1383d3280f6ae12c5803efb00507f1c6e15f62ab8
SHA2564f5cc499a55df6dd7677f73e95846882c01ce5152eb3c41ce8f53f18554b73c1
SHA512152262cf4aa8fa65c88e9b7d3c24285320f1fd3264f7229a0fc20caad417efd73d961f896d8642df4e7f24050cafbc061d747b6bec904f08ac121112b9f47244
-
Filesize
1.5MB
MD568af0a7737df9bad4d000eb38d62aadc
SHA1792a0ec26529ab15ca3cbc83cab3863e87aff671
SHA25641d21700e09960eb325a2533c54e3cd0896f41c6a512febb31318c9fade9cd86
SHA5127ec155b67e99bc8fb19ac0bb27525d71acde8c6c6d7647f6164acd7fb998cedb873fcd8cf53040fade0074e0a03116b0e4c70f3aa9112bf2cb20b83d42159d55
-
Filesize
1.2MB
MD50b415ed8d29d99ca253fccbaa5fc2530
SHA1e3a7cc922a1d0cc317b3051fb109b6369c08f743
SHA25677eb1395e3439afc0fb1803146e9e49484cd1cfff721fcc39e8deed79b33c44b
SHA512a5d27272f87e3afb1084898210fe3ab8446a5fbdd0efc7ecbb7300c185d26a1bcfae53539e136b47fc58908d84e4f843aa46bbd48bf90fac795336493b03a72f
-
Filesize
582KB
MD57e7804cc31042090ae2b677ab22770d5
SHA14044a42fceaaf08a3d9d0f48c0a102ee1efda6f5
SHA2567cf8732f30f8b1c4b21b1685497e04010b831d715fa7f48077bbce68c3122056
SHA512dce0acd4a8d1b4d9598e7cdb1b073c7f4c0cfb0bed638b54e6302f68e009cf28931cc1d5820400a5cd411e8cc10fd24b6d4dd523fb7287734c98c5d245caa0fd
-
Filesize
840KB
MD5b82afec18ab912765c2d8b40f9514f53
SHA18977e44dc0d0fd311ccbf46895476d47dc638017
SHA25631c4a600ca699fe50dd5f310eadeaabb4095baae0c456dfe553dc4db7ef18661
SHA5125796f010a8345cac7d1b10614cd9da29ace2b8c6239f27e25337a3e0c1f6bad75dcc84d5941b5b694670d45f3c685a493ae8c627b6e679a16267745a08087097
-
Filesize
4.6MB
MD5ccc69cd89425ec27a882549c51d82844
SHA11442dac7b6a2643118672797b8354a442f1408fe
SHA256a5810aba72ae73d8849992d2b1b04d030e71ea2c07e9f16f4ba36f9fe957396b
SHA512051e5903ff5a8fd036ad5e630d0e3b2c91c8730e083e199f0da5e5a402c2bc5a8ff270b506e44c8efe1bde4ea3dbed9eac78e2de1b9cdce6350e638f96903b26
-
Filesize
910KB
MD596910b28fa351fd7a6a36818f69ae1fc
SHA131efcc546b5c19225d07f434ecb7c1dac9cce3ab
SHA256ef8772f8b8ce48b6f624090ef42d9147a60d5346e11ca77848d21b63e3efdc28
SHA512ff5bbdd50eff85716bb928a8cdba42d33ac9e406e4ef2d02eaa6ce366e727aab75a2654666f1f05258c3e284f1deb57fbb5fbb5d0766c796101790b13cc09c78
-
Filesize
24.0MB
MD56ddaa05239740ab44d28abfc0fe67f29
SHA1a08b8f7eb6111825dece914958da36c4d640de79
SHA2567300766838069740460bdd7528487216dbcf44e45a0a1af935b72109998747f4
SHA51299dfcfe4f3ac905ec90ee3e953202a4603d1a0187285ed7e6627b2aae095476399f01dded0f10a0f2b599c67da108d819143db2b7da848a69d6f4f3d313d456a
-
Filesize
2.7MB
MD50c132bb3825a51e6a049c543958e1303
SHA15b557d864f05e7699f5595bb9d6b6635f06c07ec
SHA25601704a8fd3fe74c4f8169733ec1777af812fbb9b6ebc9044be3ac42b04ef5b36
SHA512f82def60b91e7785af1549637419c7015f431d933916bb6eef2ff0cf5e9bda40b6a7c1a8655c32ef7f0f8c8867fc7931f00826766a1a095859ec4f8541575aea
-
Filesize
1.1MB
MD5069b0a1cc97971088a9de99cc7ba5e11
SHA139afb40dc84e262c42ee037a1edb254ac8280270
SHA256d59a89fa7d085663c3d763d9727f7090da1e268685b7711cd19c6e73864d71c9
SHA512e80805d9268f335830475222783b28d8bf32605a652f61f9a4e02d761410f5b58190296b92833561a151203ef4d796310c1b301f9e0c102473a32c5e2879afa2
-
Filesize
805KB
MD5abd6281779946da32d89e1d498c3c917
SHA1f5ee62443be7eaf8c4a886c1d8aec67e3b1bd1da
SHA2565342ee7bd222f2c7d326b7e6f5472c22c611a4e6c82539869f6d2fdbe43cbf08
SHA512e4ece8e2c49f2c59efff178fcec6aefabfcb6fc3fe1c801b92577b15399f3f5fd7739fc31f55b6b62a51007dd7e08fc54506b7508f6628d44ebb6626c4f57e8b
-
Filesize
656KB
MD58a58fd5c5c0b36ed3d09b7098ad3acad
SHA1b8610093842d4a4b21f4b5182562081a043190ad
SHA256819ad4b063f57a3a3b3a566acc4c2e026fb54b3e5d5659a6006290b2fed981f9
SHA5121c970d7ad23944f8728a4d274ef458d338d32b7729979d6f48b903e3f0c56b1b26bff34046ff5eedec07713e8b0457616d4bd8de1d4ee587fb8f11e924e5d743
-
Filesize
5.4MB
MD54a5adebf6f36365817cb7e60125991c6
SHA1d9a11b5f2ba3717359e65c192000ed92e69ead19
SHA2562f197095562f52628680e5b85d66d8d8afceff344af6135bd99ef6fb8f917bc4
SHA512125ffa7dc82162e25c5199e80ed64786e56e429ce37b56d9fcc0383708e50bb2021e83e5296405c6d07412b9570f10aabcee034f118617e77493059a3eae4355
-
Filesize
5.4MB
MD5a8a0a0c092af310e9e0e1f404049f983
SHA14a392ff0df4422716d83b86e7beac6f1823a72cd
SHA256c17ef2028d3da177fe65c33d845802423783fe85a0a65ffe0ce70ef9b00368b7
SHA5127dba71091c1ecfeebe74f99151f1a013a5e5fd398c9cc929ce9776238cd8edaee37a95a8fbc292324b213334849872569618e5e66c14d45bca6e6fc63d9fd63e
-
Filesize
2.0MB
MD578ca619d90c0ea880c23e4e67a1a8915
SHA1f69cbdd7747e175474a60221d380c371b19d99ca
SHA2564d2b8e8d89540e3729ca94c5b880aafa8d2cc15ad48999be1250f3d15f4e987f
SHA512e4f1f246b60aa72ffdb2b4ed6b0a171598fd02b8a487eccca6104a96d8b24d3eaae241a2f71d6157e59734082cb3d0d229d938b60647c4c4f97f3214a3a0ceb0
-
Filesize
2.2MB
MD5adbb7a5643ad5399b99a7e0d8356e309
SHA16a6aef5e9f907e6372b61104831620d2383a44dd
SHA25697c384574cacda555eb9bfb33ab71ca5132fdab766f6502dbb684def1be6d6e8
SHA5128423f843411eedbb11a3db79019ad2b1187edf5984562476f73d6c7473ec5305f84d6c98aa0d34b5b80640b04435f1bdf98339040928fcf2d075c174f23c79b1
-
Filesize
1.8MB
MD51fe0bf18a5c34235e181353021d65df7
SHA1045e1093f61063297f3defd588c123a19157b8ee
SHA2562f352b649ee54c3172d5ec39f844f2f5acf2e375e8e55f99e5caabecd8fb226e
SHA51289aa44c420dd3348a99e67fca83359f15c6bddc93b28ed5b2e2ae7cc257b935bd696d13da9ebce5a8ead1222eac669f2ecb8eb53d2bedcd862cf6d6cbe3806e2
-
Filesize
1.7MB
MD5ea715e13013f410352de04b5772439e3
SHA1cef029d6fdf039c1ed533c179e5c11d8dae6d380
SHA25644e147e74373d3c8e0c35ce30076e24bbeb18a5737ff34bf15b3e23126c4bbae
SHA512666ff6e8952df4970b7202fabe69886f58db0a012594020975df03350479f30d09687bc730f11def88c014c043230a665dbea2e615f6c922ce4e3126af0b7aa5
-
Filesize
581KB
MD56d74a96f3556c0730108fb3e44f27762
SHA1372530bf91f99ec765a9dca35b686e1fe5890b53
SHA256ff70a2da3fba022362b911e433ab241e589cc56c12bd7c03c7977b3e604429f8
SHA512a7f93a1cdaef7ef2147371673ff661960bb23b36c7a354180587396f68bf1dc5a7afd975530350dac2670e3498734a3d460d4bc5e2958b95bb6f1ae525605221
-
Filesize
581KB
MD5ffe9618c697cdf2aeb3a32b5b7f0b65a
SHA17f7b19c30b844ac658ba348fd880d55d8d0bea5a
SHA2569b0059463fdaacf939d3578a39f676ce6b6b4ea8e56f294c867fd26296d8744a
SHA512fb647b127600740bdddd834c0fa9f78af8d05d1c4a16b4b1b4e35c2345d73ac83a44030bf9ea0627f0cb4e5b03903a0899b84105f365409fc2115df1d796fe4f
-
Filesize
581KB
MD50cfff4e099434e95802b8d9e03a5f1b9
SHA1dbed69689aaea56b17c796157e7c847dd6cd31f0
SHA256cc9f343e51694d47aec96f41eae2c2dd97da9018c46cef4cbb11a4c92f2a8696
SHA5124999de05f9d2cd1f705ef046662f11106d6fe98d49dd9e013121f6e16afb4ce7bc3a7169b13bc0dab3e79c91ce303fbf2d614f0e8627c5f16a487206e4fe75e3
-
Filesize
601KB
MD5e8165aef5064f3ee6cdace25e4e9d91b
SHA1b562285b97552f522ca2300b24f79d9c092bda91
SHA256ea1269c74aefe54f3ae62ba3a245f0d6c2450ea4ba93346b0fa3a783baaf864b
SHA512cef70b1f0e417d971f1c9cd09219b2b0fd16c9a0085bb257e31f98a358d552d48f5f6bc5759b47d2a85acbc1291e78cda4ea0854f31e668fb589b972535c1971
-
Filesize
581KB
MD569eb675501872d3a342675b176a4399f
SHA1b2730a308bc174b37beffd902b0dfc4bf719a5a0
SHA25641f33c3116905b26e3ae6909f13305013be873bc6423ee843ff724ca6388835f
SHA512a6488d2a8ab2f3640fc00330952f7beb32c4e57a1d5ebd2d100026c10bb44a6948d6c9967f79a2a51708d533d3ed796d4fed3aff71613255baea066bbf8aee94
-
Filesize
581KB
MD582e8d8dc0acd5c5227b114699977a7bb
SHA11e0e35c965e4bfec9684a418aa06e8d8b91e49bc
SHA2565f579dd3ecc3f621f5b4826a598939ffff0af23063e95664c055b17f19071329
SHA512fff373f0ebc97fc24ad77282528f5df0a3a72d89a93135b3a4622716803cada4fa684caebc929ba3c965fa3788c1fd2328354e620304a09531be34402520d879
-
Filesize
581KB
MD52f789790b9e6bf7e4ef343b69f4a9e51
SHA13aa2317972da5425ddb4a10afb23eb60c31a18db
SHA256b63578324513c49c853c266c610ea58dcf3e2fee0b9980ac5d9d097c6d0a8f84
SHA51298cc13a041b98fa2326742b31341509489691d6c69f884005b625127a913bc1a1bc3df3080b8cf191cb9f780b12b1090d0b8cbb8cd306394e73691134f4d4355
-
Filesize
841KB
MD53ac377b44d22a61120df64aca386b11a
SHA1d56c79d49011c6beec78d5d047ac892073441951
SHA2565b9e5d6e087e7407b90656cb13ac22ba1d7ea46195cd905c4b08720a5750106a
SHA5122c0406dfc89e80677dc373423fb4ca91177968a4eb06c49f87a0a7fae35d394c427c7ef5bcac2c13de090e273461ae2cd1fbab8013b35a5a71f22dd0d5a2bbf0
-
Filesize
581KB
MD53848f0c79b4b1842404d795f81dbc847
SHA1789890a32944e43b94b8d20bbc30523898cd4bf0
SHA256917dfb150178261e66f814806aad39a56e163b3119ce092bd1158719774175bb
SHA512210a3972c206ab43a26e2dfce5846a30f446610754e9ae1b61858f92e5edb273695808d81a3acf2d913027f934b6d9548bb174896baee02421d6d20214132a5c
-
Filesize
581KB
MD59620a79ba206e0d41444856d893c94b4
SHA1bc1eb8a8f066005c1eb47e1beee756a8cb07af2f
SHA25619e4e8aab0b1944ce7f498e5e1870c8383a5fc5e0fe74b83464f4a481372679c
SHA512c1b57213d92d40b9659235d03585f61ec8dd610a1cc5463d436aa3e01f86e712e3fd60a36b9428479835c3983ec6dc0ab33f8d268c0e6c06c31d0e7f1ad0e6e2
-
Filesize
717KB
MD506c01086828c31469702c424d25c9dd4
SHA1d9d0b1800435c8612af7745658624d796dff422a
SHA256bd198766bc87157eadf17919f8528a8266dc0a02d0bf914c1489870a76900bcd
SHA512271b7c4ff63da445b48eaf7d96aba377b1596866ef58b6e1260e5429cae664dee3ba25436b84bce5d00e98e45ca5f8048821676dc6314e5a4c4e7c7539fa08e2
-
Filesize
581KB
MD5116096688caa514626c998cf89988e24
SHA1b0bdc43cc80f26ac891f0b9fe662322660f00531
SHA2560b86d92497931460998f4f074a5cc8565cc1f9f945a117e56370b44a47a70fbf
SHA512a90ad8c9b97c5515661ce67f5e7021797b4efc4eaaea2148c50c45ea368abef7df1bdbd478fab13cea34010060b35062e56dd4a1f7a4ec7f32b611be520bae55
-
Filesize
581KB
MD5984059a725d020a52f75f2f8db89f840
SHA1abedc88876b8b54064d777d7351b91ae6e5b6c4a
SHA2567ee89bcb837eedaa1e27fbe0b0eb764caf60b0393ae6d075753f124cabc00eb7
SHA5127dff29870bc22536d843ab1d11298009c4ea3e29614cb5355274964b27b610ca23f8dbe9939a573980844508ce487932516e4008bb97892f3f70d04294f27851
-
Filesize
717KB
MD5539685dc7c8fdd76927c22390fb28b27
SHA1aff7aa0454cca52eb1caf579d251b61781aae0a1
SHA256200aff0eb1c2948106d3f7b2ee468a73f9e2363bad7d36db47211e1272c76d7a
SHA512c9b7da867fbb413230fcffad49a19b568362210dc995b567f8c36babc472908ddbb8d421e591d2cfaf2d602dfd0bdafe6eae727afb80ea512aaa680f91e3da66
-
Filesize
841KB
MD5dffc7616263c7ea0299e7bd9e3a4fb83
SHA178a2d369b3172578254954031565caa12bdfc1cd
SHA2564ee8a2ce6c56cb0057641954127363ae0e429cf9cd7461b5b8cf4463ae6dc829
SHA512a63b9301ce1dc7a291e58907d75615cebc7c6c3428397edbe224f19518beed3d2c148f4f3f74d85632507c32a85ccadaa3ab87235913fe760780656b01402b3b
-
Filesize
1020KB
MD586a68351970b596a6626c87acb3d5444
SHA13aacb9025242483450e8a29606050a0f05d52544
SHA2562e1ccab500eb89c465c7e8ba43e034f9371d0da3d387f329b6ecedb93bb6752e
SHA51295f70da1cd129be0f2584c969d22b5d6a00ba5f106da9abe4b63f8fccead5ff9e39a7ac2e2e98f0ebb5b315e6836c75d83361a1e905cec289dbd7f9c0b299ec4
-
Filesize
1.5MB
MD52a3e62fd0ea2fe255541a7591b0c9a36
SHA1c344aaeaec31c809bf1aa6468c3188bc0f53735b
SHA256d02df6abeccdf3b0e31eb04cb1416df96cc91570aa7f7b8c2b14e10194175979
SHA512c0f8d4125606eadfd4ba6e3406884b2e74244027956324a43671869ab8c7c27c7c7d91f768aa7a730d0fb7b8c5220fed2c9fdb9ba448b8db4d2af31dc425311e
-
Filesize
701KB
MD5f6378e63652040cc018f94f29f905354
SHA16359d7e562f775aeee24ba9cd973f60fea2aff95
SHA256dccd0bfc38526a90b90fba44d4d3126a054c108d9f3f095e275d45e92b432a0e
SHA5125e64824dc89f83c90db811392fe54129369d232622a130201fd4d2decb92371636e7b1ab465e88919eac3bfab93554b6300c8b52caa481518401d9a45f67d100
-
Filesize
588KB
MD550060e75a24158550406f9f74a1eb6dc
SHA17c9ecee5506fa0eb741c2d0ad5c322ce5148abc7
SHA256fb51605d6590db7157a62b6eb6b16325523d44dcd3f124eff689b2cac2a5ae3b
SHA5129cb3c623ac9e1078212770990e1cfa9511aa0f0d3dd9a73469352bb0f40179644ae6dc3596a784a46da0612f9030fa0454286b64354b95618139bef6a555f397
-
Filesize
1.7MB
MD537d6f40deed1bfb5c1492ce9649d134b
SHA1fde62674f426ea8530999e5c3e11da19ad772e1d
SHA256eb849b01e6b13f65e5927f0328af5201c2abfa9bcf4f8a0bd560a6330efcc26d
SHA51203d6920d09df97a63468469ec095ac9c8f90593324e9ddd1c91dc03b076eaf56edc4a683e32093971b7d87752a33d3f82d37656d015377979590cbcedac574b9
-
Filesize
659KB
MD5b46acc7ef4cecb2da4add04faf584261
SHA1b7c70b0d51743b28ad43b6b298aec35df12a3125
SHA256b57a722a99c59f54047ab168f52641c4b721639303d9c8c6955c9f948034116b
SHA512645ace5d19e4c4b66d4009fc8bf67d073195e91116577ed4618fdc7c3dad91891991d0d04df4d7fcc956c41d61fe2ed1512ab7d570f3ea9005b6ddf676ea8bb4
-
Filesize
1.2MB
MD52e34b68fb7aec069896cc38a7adc7d14
SHA101937dc98fb5c498f183c7ddf552c51a52702894
SHA2568b749966a53c6f95bd57dd1b5fd8830f8b29f2b153da50cae7f66de4686a2d5b
SHA512752ea63491981f7a9f0d23ee8a105dae4511f165776fcf3a053e7372b6ff0cb45773179d16405a333468f3892a83429eaa94ed879773e6e16b706d939209a8dd
-
Filesize
578KB
MD57ad6ad77a2192816b4a0bd315ad0d683
SHA1865f13da7abd71c561058b1780366153dd41cec4
SHA256cd3c803a19a9862206b4eb1466cabb13649149a72dcafaeb603a2d28df99c233
SHA512d5457110999979e58a2eff0c05bcaf8d07f044be39f1914c2499a339d32aa5212ca42314f1e5614bdf7407dc5f8afaafdb618ffd39638fab12157d8ad64a1214
-
Filesize
940KB
MD5bb896f624a7cec4f1bebf79bdb3759a5
SHA135fef7862480e3ae57de728b658505b4c42b2887
SHA25648afeaedf1ec4d86ca9adae569c5b708be00ec34ea350afcf629db8237a36e2a
SHA512d0ecd3b28c432d278e103f952a30615f2130e7b77708631c75f68caf2ffba3dbb311b3e694ff961d735618d0677c259a3ca7c0bff98107693d3acb16587ffb10
-
Filesize
671KB
MD5960ed739b4d2847d9ad6e3d2c188dd0c
SHA15f1a24131b3f9e1478145042566b4e5ceac17787
SHA25683a4295fb35345ef68cb1d4d32f9b1d1767648dc5622792fde9c55197910fcb8
SHA512ec58d06a835ea7239d8de66100cc7a0f963a4aca6dd9fbbc09630819f14863533ba97010fa704df6b979143fa80641fb0f4958bcafd36c548837768a48c4b1d0
-
Filesize
1.4MB
MD570d0fe4e7812e68a524f72e0b5fdeee9
SHA1994ff971097fc0f3cc9e83072343e2bdafd310a2
SHA25684cda7de3a07d4924958f37758000aa50fe75f763a021bce2a9273e0990e58e8
SHA51250a7ebff4880bee30d378e3d2ac976462417b0d823ef3398d8ca6a0a22a1d9d95d9e6fd39987e7ebd74fbd6b565c1d6a7035108cb84866f0967f92921a9ed5c1
-
Filesize
1.8MB
MD58bcf7910801dc57e9f8f70370aff26d3
SHA1ee9d172238335caca748e39347dd0c163b7cbe04
SHA256eb804ae2cf2a79d330306ac612c0eb4cde4121b95bc8be166a1f5ca563cf712d
SHA5126bf170f5c28b6e914f95d55a5b752556eaacd932638f112e5d0d5efd6782121b6f0c5a9af8850980e7ad013a481bd01e73a14aa8f74a267fd6928bd0cf2f1410
-
Filesize
1.4MB
MD5a6f3bbdbf6b23e079b259d72ce7b1afe
SHA1a17460a15b600d20e2064d06b525ddb4b430c6d8
SHA2569e8a64f823ba846f5b1602f026ce1df5dad4e9dac055c65eca2f9a57b49b986e
SHA5127ccff589b100608e6274127014e12728eefd53d0cbb93dc7548466df6f92b02c2cb381a2befc7474732c84bd742368259c197a078907bc9f04e2d554b77923ec
-
Filesize
885KB
MD5b76d98d139504ed25376174bda50115e
SHA12694aa8e0428189d63470afdbbfa872becf735de
SHA256fbdf0c959e22789a604ba9ed2407ae6c5d5e40ae06f47767b8dd03dee2454560
SHA5120542a140c4f2abb526691e37fdd6832609504ce1a344b49f01ca79d05f6dcfb763c5570278dd3376390932b4e3823057d7ae134edbd51c90b97b3f1472bdbea5
-
Filesize
2.0MB
MD57db64128e41b733d4b295ce50eb2d8ba
SHA17fd927b1dbc6ed7e52c5f1d2b34d29016f8cf799
SHA2569d7bf9f0aec42797e79d5b92919402cea3223d6146d9a61e9ef15dd788278694
SHA512ea4d2b89d9bc3e4ee63aac9bcfda6b3db380ac38a8dc20b9407f62a8287fbfa8291b99d7bacdb56943c0636fe01eb48f26431da326da224e96e1caa216b48035
-
Filesize
661KB
MD5be559c17832024b8921ec9da43cc6fce
SHA1ec26cb4fba882b82747bfd103f2b15d36982d8d6
SHA2560329accd6b5c815d7c7839f50a901da8050fb193e01e2307e3fca5299bff3e05
SHA51215ff97278b05cb1b5aeada9da67bbb6e1e542909dbe471db35662f3a18d1e7920f9a47a8f289f777211c25adc3279bf3ae4c1bb2846b3eb7a5bac51588719f4b
-
Filesize
712KB
MD53fe70ec6c14da839f2496509eb0afd4b
SHA19aa9c38fdcf59b1e20bbe6c9422096e63b73b68a
SHA25697c9601e6ef9ec18af724255b999a1f5897e254dfbca694c578d58f759cff011
SHA512d28fbd99208eaffc21d6ea040bc66acf1c110b9d294b59499e4baa315808eace6de9a938e403d40ef5032674b267f382353160fe752cb2bcce75ec22dbdb3b52
-
Filesize
584KB
MD56da3a925749267e5976b152e2ddc0997
SHA180161155687264eed819f24c52f5344ff0df9f90
SHA25668558c5309fd2b7ffa120534b7f1cf2728cbff0b96b0a161088bd4000d75f952
SHA51282a05945091f32396c24297f39111a4dea22cff70fc39512ca9a8c3ce17ab9ff742469ba1266ea7ee6c22f5c8b440dfd664fd833fc06168e93be61c2c8b1d542
-
Filesize
1.3MB
MD5ad664c1a6361a21ebc5c394a274890a8
SHA1496a121c8608284dd31144188ddaf37d6aaf999d
SHA25671e342d1ca4d7bbd716f2ce7fb15dbbf0cc4e792c259e30d53d57838c55468a0
SHA5128d00feef54c4ff40b80d7a3f5b14a4776d579514452d9fdcc113c0c5cf6e6b8e7298f053dc2c2894facc3b968b59b79b0c41855d309fb9e6d500a4557d15a334
-
Filesize
772KB
MD54bdfe438e7db88f42a66ccbe55e64127
SHA135ded880e4e7c071fe42051a46e39f725d34bf3f
SHA25645f6e669b179cb4d718570441b80371c55e9981d8fb0628a6ae1de5faa8587ae
SHA5128960a44926b6d97fc75fc25aad30db5c51be8a5ae888ef0ac53453b45318a9f115ce8ff2fa3520aba197d4b14b64a3565108a6c33990812a6986f957ea553ddd
-
Filesize
2.1MB
MD5299803efe1d2020ed9434a0edf1fa43d
SHA134da8959de0409493aa7c7aca47dd19f63cff3e1
SHA25601011f29d0a7cc1a49dbecd34461043c2396ef96ef2dca5cbb635dfcf0704b1b
SHA512edb6ce4a0785e57d62f69202c9d5143b58761f64f2930e07ad21ea22b917b21e91a4368dd458624b8f459a981464c819c698d94b5b12243048506223e67ea4e6
-
Filesize
1.3MB
MD5127d62b15784dca4587e5b0090003d9c
SHA1b416270de74ef5061055e08b252c3af6ac142692
SHA256137ac490ddc123fdef8974db16a02ab0e64c5e6734c4c9e6205735a88af8af74
SHA5123620974964afc844c66600f7484789b96c90b711430a5fefea628dd3e4c3d9b3a328e418d4f019f99aee5b5ac946a5fc71a9927e1214fe5c2d4209f8970671e4
-
Filesize
877KB
MD5f1ffafc8e7c5fc8bd0fa31cc303ac173
SHA12745f999a1c57d84c8468b30b02edfa0ec983196
SHA256f42f403c890fb35ab08d5fe3283b8b7470549d40af2d66f8342410b79dab5b84
SHA51230661d9c14bf05bc182b05b6e87609e399fc6bce809bcbd3d4d8a594070513e57262c0c9210f63d966e6b5c0e0893352c4a5a7092e1fab1bf2183e80b362bbe8
-
Filesize
635KB
MD58242ce1015963b32b6d479a7a40af0c8
SHA141a7beb66625c3b0203058ef1666485b99eddea1
SHA256303f985d60b30f2ab60e89ef0226d9f6a73e429585378b0377243e3b8beabafa
SHA5127a2729571e47b40fb33d6aec4d0237433baae1b0a70e14c169dd9c055cbdea9ea700c29f9a20d0685b415ca96183d6dc319968fe941a5f3fb976ae213cec8c6a