Analysis

max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/07/2024, 14:34
Static task: static1
Behavioral task: behavioral1
Sample: 2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
Resource: win7-20240705-en

Note: the task list names the win7-20240705-en resource, while the analysis metadata above reports the win10v2004-20240508-en image. The binaries that appear in the behavioral data below (SgrmBroker.exe, PerceptionSimulationService.exe, the inbox OpenSSH ssh-agent.exe) ship with Windows 10, not Windows 7, so the signature tables on this page come from the Windows 10 run.
General

Target: 2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
Size: 677KB
MD5: 90727caa58d20a1ab87b22e697842dae
SHA1: eaab5775d75f50b58e07f55460848e9dbf05b99c
SHA256: fab3acebe7d20b6086c7305f297ac2dbe846b1917699ac9c3cc45c03dcafa336
SHA512: 8299526c6752a43adfc19aff20008e2430c02735c4ee2cb9d2151ed17e0703bdd6c1092ac73480364e297f428b1841f45f9621c0837733feea39dea18583d2bb
SSDEEP: 12288:rvXk1yWCIkeRlk7ugd1EOFcNW2f+zRIxzA0RJ4P3Zu/t4ZJ0FSlg6BdLET7bI/IE:Lk1yWHRlMugdD+JsRgZRJ4fM430Eg6nj

The MD5 embedded in the submitted filename matches the MD5 computed by the sandbox, so the filename was derived from this exact file rather than a related variant.
Malware Config
Signatures

Executes dropped EXE (22 IoCs)

Every name in this list is a Windows or third-party service executable, and for all of them except elevation_service.exe and maintenanceservice.exe the "Drops file" tables below show the same path being opened for modification before it runs. The sample is not dropping new files under these names; it is modifying binaries that already exist on the image, and the modified binaries then modify others.

pid | Process
1060 | alg.exe
4964 | elevation_service.exe
4784 | elevation_service.exe
3640 | maintenanceservice.exe
1236 | OSE.EXE
3624 | DiagnosticsHub.StandardCollector.Service.exe
2180 | fxssvc.exe
4224 | msdtc.exe
4828 | PerceptionSimulationService.exe
1792 | perfhost.exe
336 | locator.exe
2480 | SensorDataService.exe
4648 | snmptrap.exe
1912 | spectrum.exe
2080 | ssh-agent.exe
764 | TieringEngineService.exe
3040 | AgentService.exe
3656 | vds.exe
4384 | vssvc.exe
1276 | wbengine.exe
3064 | WmiApSrv.exe
2540 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (30 IoCs)
description: File opened for modification (every row)

The one artifact in this table that is neither a pre-existing binary nor a service log is C:\Windows\system32\config\systemprofile\AppData\Roaming\7324b49ec8648821.bin, written by alg.exe into the LocalSystem profile; it is the only file here worth pulling from an infected host as a sample-specific artifact.

ioc | Process
C:\Windows\system32\dllhost.exe | alg.exe
C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
C:\Windows\system32\locator.exe | elevation_service.exe
C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
C:\Windows\system32\AppVClient.exe | alg.exe
C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
C:\Windows\system32\AgentService.exe | elevation_service.exe
C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | alg.exe
C:\Windows\system32\msiexec.exe | elevation_service.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\7324b49ec8648821.bin | alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
C:\Windows\system32\spectrum.exe | elevation_service.exe
C:\Windows\System32\alg.exe | 2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
C:\Windows\system32\AppVClient.exe | 2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
C:\Windows\System32\SensorDataService.exe | elevation_service.exe
C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
C:\Windows\system32\dllhost.exe | 2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
C:\Windows\system32\AppVClient.exe | elevation_service.exe
C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
C:\Windows\System32\snmptrap.exe | elevation_service.exe
C:\Windows\System32\vds.exe | elevation_service.exe
C:\Windows\system32\fxssvc.exe | elevation_service.exe
C:\Windows\system32\vssvc.exe | elevation_service.exe
C:\Windows\system32\wbengine.exe | elevation_service.exe
C:\Windows\system32\dllhost.exe | elevation_service.exe
C:\Windows\System32\msdtc.exe | elevation_service.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)
description: File opened for modification (every row)

ioc | Process
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe | alg.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | elevation_service.exe
C:\Program Files\Mozilla Firefox\updater.exe | elevation_service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
C:\Program Files\Internet Explorer\ielowutil.exe | elevation_service.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe | elevation_service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | elevation_service.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
C:\Program Files\Java\jre-1.8\bin\servertool.exe | elevation_service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | elevation_service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe | alg.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | elevation_service.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | elevation_service.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\pack200.exe | elevation_service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | elevation_service.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | elevation_service.exe
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | elevation_service.exe
C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | elevation_service.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jps.exe | elevation_service.exe
C:\Program Files\VideoLAN\VLC\uninstall.exe | elevation_service.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | alg.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | elevation_service.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | alg.exe
C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe | alg.exe
C:\Program Files\7-Zip\Uninstall.exe | elevation_service.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | elevation_service.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
C:\Program Files\Java\jre-1.8\bin\pack200.exe | elevation_service.exe
C:\Program Files\Java\jre-1.8\bin\rmid.exe | elevation_service.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | elevation_service.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | elevation_service.exe
Drops file in Windows directory (2 IoCs)
description: File opened for modification (both rows)

ioc | Process
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
C:\Windows\DtcInstall.log | msdtc.exe
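The "Executes dropped EXE" list and the three "Drops file" tables are more useful read together than apart: which executed binary was modified by whom, and in what order, is the actual infection chain. The script below is an added example (not tria.ge code and not the sample's logic) that parses the flattened row text exactly as this page shows it, walks the chain from the submitted sample outward, and reports the executed binaries that no row on the page accounts for. The rows embedded in it are an excerpt copied from the tables above, cut down so the block stays short; the regex, the chain walk and the function names are my own.

```python
"""Correlate the "Executes dropped EXE" and "Drops file in System32 directory"
tables of this tria.ge report.  Added example: the row text is an excerpt
copied from the tables on this page; the parsing and chain logic are mine,
not tria.ge's or the sample's."""
import re
from pathlib import PureWindowsPath

SAMPLE = "2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe"

# Excerpt of "Executes dropped EXE", in the flattened form this page shows.
EXEC_ROWS = ("pid Process 1060 alg.exe 4964 elevation_service.exe 4784 elevation_service.exe "
             "3624 DiagnosticsHub.StandardCollector.Service.exe 4224 msdtc.exe 2540 SearchIndexer.exe")

# Excerpt of "Drops file in System32 directory", same flattened form (trailing " -" included).
DROP_ROWS = (
    "description ioc Process "
    "File opened for modification C:\\Windows\\system32\\dllhost.exe alg.exe "
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe "
    "File opened for modification C:\\Windows\\system32\\DiagSvcs\\DiagnosticsHub.StandardCollector.Service.exe alg.exe "
    f"File opened for modification C:\\Windows\\system32\\DiagSvcs\\DiagnosticsHub.StandardCollector.Service.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\DiagSvcs\\DiagnosticsHub.StandardCollector.Service.exe elevation_service.exe "
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\SearchIndexer.exe elevation_service.exe "
    f"File opened for modification C:\\Windows\\system32\\dllhost.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\dllhost.exe elevation_service.exe "
    "File opened for modification C:\\Windows\\System32\\msdtc.exe elevation_service.exe -"
)

# A lazy path followed by a lookahead for the next row marker (or the end of
# the table) is what stops a path containing spaces from swallowing the
# process column; process names on this page never contain spaces.
DROP_RE = re.compile(
    r"File opened for modification (?P<path>.+?) (?P<proc>\S+)"
    r"(?= File opened for modification| -$|$)")


def parse_execs(text):
    """(pid, image name) pairs from the flattened 'pid Process ...' table."""
    return [(int(pid), name) for pid, name in re.findall(r"(\d+) (\S+)", text)]


def parse_drops(text):
    """(path, writing process) pairs from a flattened 'File opened for modification' table."""
    return [(m["path"], m["proc"]) for m in DROP_RE.finditer(text)]


def writers_of(image, drops):
    """Processes that opened a file with this image name for modification."""
    return {proc for path, proc in drops
            if PureWindowsPath(path).name.lower() == image.lower()}


def generations(drops, execs, root=SAMPLE):
    """Breadth-first walk: generation 0 is the submitted sample, generation n
    is an executed binary first modified by a generation n-1 process."""
    executed = {name.lower(): name for _, name in execs}
    gen, frontier = {root: 0}, [root]
    while frontier:
        nxt = []
        for writer in frontier:
            for path, proc in drops:
                victim = executed.get(PureWindowsPath(path).name.lower())
                if proc == writer and victim and victim not in gen:
                    gen[victim] = gen[writer] + 1
                    nxt.append(victim)
        frontier = nxt
    return gen


def unattributed(drops, execs):
    """Executed binaries the chain on this page never reaches: their writer row
    is missing (these tables stop at 64 rows) or they were never modified."""
    return {name for _, name in execs} - set(generations(drops, execs))


if __name__ == "__main__":
    drops, execs = parse_drops(DROP_ROWS), parse_execs(EXEC_ROWS)
    for name, g in sorted(generations(drops, execs).items(), key=lambda kv: kv[1]):
        print(f"gen {g}: {name}  written by {sorted(writers_of(name, drops)) or '-'}")
    print("unattributed:", sorted(unattributed(drops, execs)))
```

On the excerpt, alg.exe and DiagnosticsHub.StandardCollector.Service.exe come out as generation 1 (written by the sample itself), while elevation_service.exe, msdtc.exe and SearchIndexer.exe are unattributed: msdtc.exe and SearchIndexer.exe were written by elevation_service.exe, but no row on this page shows who modified elevation_service.exe, so the walk cannot reach them. That gap is the practical caveat of the 64-row tables: the full report, not this page, is needed to close the chain.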
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

Caveat: the two processes reading these keys, SensorDataService.exe and spectrum.exe, are both in the "Executes dropped EXE" list above, and this report does not distinguish the services' own device enumeration from evasion logic added by the infection. The device instance IDs are what a VM check would key on: Ven_QEMU identifies a QEMU/KVM virtual CD-ROM, and Ven_Msft&Prod_Virtual_DVD-ROM is the Microsoft virtual DVD device (a Hyper-V guest drive or a mounted ISO image).

All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted from each row).

description | ioc | Process
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
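What a sandbox check actually gets from the two registry tables above is the device identity encoded in each Enum\SCSI path: the class, the Ven_ vendor string, the Prod_ product string and the instance id. The script below is an added example (not tria.ge code and not the sample's logic) that parses the flattened rows as this page shows them, deduplicates the device instances, and flags vendor strings that a VM check would match on. The rows embedded in it are an excerpt copied from the SCSI table plus the two CentralProcessor rows; the marker table is my own and is deliberately graded, because a Msft virtual DVD-ROM also appears on physical hardware whenever an ISO is mounted.

```python
"""Extract SCSI device identity from the registry paths in the "Checks SCSI
registry key(s)" table and flag hypervisor vendor strings.  Added example:
the rows are an excerpt copied from this page; the parser and the marker
table are mine, not tria.ge's or the sample's."""
import re
from collections import Counter

# Excerpt of the two registry tables, in the flattened form this page shows.
ROWS = (
    "description ioc Process "
    "Key value queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\\2&1f4adffe&0&000001\\FriendlyName SensorDataService.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\\4&215468a5&0&010000\\Properties\\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\\0004 SensorDataService.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\\4&215468a5&0&010000 spectrum.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\Disk&Ven_DADY&Prod_HARDDISK\\4&215468a5&0&000000\\Properties\\{51236583-0c4a-4fe8-b81f-166aec13f510}\\007A spectrum.exe "
    "Key value queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\Disk&Ven_DADY&Prod_HARDDISK\\4&215468a5&0&000000\\FriendlyName spectrum.exe "
    "Key opened \\Registry\\Machine\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 TieringEngineService.exe "
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz TieringEngineService.exe -"
)

# Registry paths on this page contain no spaces, so one \S+ per column is enough.
ROW_RE = re.compile(r"Key (?P<op>opened|value queried) (?P<key>\\\S+) (?P<proc>\S+)")

# Enum\SCSI instance path layout: <class>&Ven_<vendor>&Prod_<product>\<instance id>
DEV_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)",
    re.IGNORECASE)

# Vendor strings a VM check would look for (my own list, not from the report).
# "Msft" is weak on its own: Windows creates a Msft Virtual DVD-ROM on physical
# hardware too, whenever an ISO image is mounted.
VENDOR_MARKERS = {
    "qemu": ("QEMU/KVM", "strong"),
    "vbox": ("VirtualBox", "strong"),
    "vmware": ("VMware", "strong"),
    "msft": ("Microsoft virtual device (Hyper-V or mounted ISO)", "weak"),
}


def parse_rows(text):
    """(operation, registry key, process) triples from a flattened key table."""
    return [(m["op"], m["key"], m["proc"]) for m in ROW_RE.finditer(text)]


def scsi_devices(rows):
    """Distinct SCSI device instances, keyed by instance id -> (class, vendor, product)."""
    devices = {}
    for _op, key, _proc in rows:
        m = DEV_RE.search(key)
        if m:
            devices[m["inst"]] = (m["cls"], m["ven"], m["prod"])
    return devices


def vendor_hits(devices):
    """(vendor, product, label, strength) for each device whose vendor string is a known marker."""
    hits = []
    for _cls, ven, prod in devices.values():
        if ven.lower() in VENDOR_MARKERS:
            label, strength = VENDOR_MARKERS[ven.lower()]
            hits.append((ven, prod, label, strength))
    return sorted(hits)


def readers(rows):
    """How many of these reads each process issued; on this page every reader is
    one of the modified service binaries, so attribution needs care."""
    return Counter(proc for _op, _key, proc in rows)


def cpu_rows(rows):
    """The CentralProcessor reads (the ~MHz value is the usual timing-check input)."""
    return [(op, key) for op, key, _proc in rows if "CentralProcessor" in key]


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    for inst, ident in scsi_devices(rows).items():
        print(inst, ident)
    print("markers:", vendor_hits(scsi_devices(rows)))
    print("readers:", dict(readers(rows)))
    print("cpu:", cpu_rows(rows))
```

On the excerpt the QEMU CD-ROM is flagged as a strong hypervisor marker and the Msft virtual DVD-ROM as a weak one, while the DADY HARDDISK vendor string matches nothing in the list; the same parse run against the full 64-row table on this page yields the same three devices, because the rows differ only in which property key under each instance was opened.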
Modifies data under HKEY_USERS (64 IoCs)

Caveat: every writer in this table (SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe, fxssvc.exe) is a Windows Search or Fax service component running as LocalSystem, whose per-user hive is \REGISTRY\USER\.DEFAULT; MuiCache display names, FileExts\OpenWithList keys and Shell Extensions\Cached stamps are what those services write on an ordinary start. None of the rows is a Run key or other autostart location, so treat this signature as a side effect of the modified services being started rather than as evidence of the sample's own persistence.

All keys are under \REGISTRY\USER\.DEFAULT\ (prefix omitted from each row).

description | ioc | Process
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | SOFTWARE | SearchFilterHost.exe
Key created | Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009dce7194b2cfda01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1e0a394b2cfda01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\Pro­gramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | Software\Microsoft | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027caed94b2cfda01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Key created | Software | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001308ab94b2cfda01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | Software | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055098c94b2cfda01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c587b94b2cfda01 | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
4964  elevation_service.exe
4964  elevation_service.exe
4964  elevation_service.exe
4964  elevation_service.exe
4964  elevation_service.exe
4964  elevation_service.exe
4964  elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
656  Process not Found
656  Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description                           pid   Process
Token: SeTakeOwnershipPrivilege       1576  2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
Token: SeDebugPrivilege               1060  alg.exe
Token: SeDebugPrivilege               1060  alg.exe
Token: SeDebugPrivilege               1060  alg.exe
Token: SeTakeOwnershipPrivilege       4964  elevation_service.exe
Token: SeAuditPrivilege               2180  fxssvc.exe
Token: SeRestorePrivilege             764   TieringEngineService.exe
Token: SeManageVolumePrivilege        764   TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  3040  AgentService.exe
Token: SeBackupPrivilege              4384  vssvc.exe
Token: SeRestorePrivilege             4384  vssvc.exe
Token: SeAuditPrivilege               4384  vssvc.exe
Token: SeBackupPrivilege              1276  wbengine.exe
Token: SeRestorePrivilege             1276  wbengine.exe
Token: SeSecurityPrivilege            1276  wbengine.exe
Token: 33                             2540  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege     2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       2540  SearchIndexer.exe
Token: SeDebugPrivilege               4964  elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                          pid   Process            procid_target
PID 2540 wrote to memory of 2716     2540  SearchIndexer.exe  115
PID 2540 wrote to memory of 2716     2540  SearchIndexer.exe  115
PID 2540 wrote to memory of 2216     2540  SearchIndexer.exe  116
PID 2540 wrote to memory of 2216     2540  SearchIndexer.exe  116
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1060
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4784
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3640
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1236
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3624
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:748
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4224
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4828
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1792
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:336
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2480
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4648
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1912
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2080
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2328
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:764
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3656
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4384
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1276
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3064
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
    Child process (depth 2):
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:2716
    -
    Child process (depth 2):
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:2216
-
Network
MITRE ATT&CK Enterprise v15
Downloads