Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/08/2024, 02:39
Static task: static1
Behavioral task: behavioral1
Sample: 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Resource: win7-20240729-en
General
- Target: 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
- Size: 712KB
- MD5: f6847ab67e21a9dd8b96a09b80daa65c
- SHA1: e33fb83ab7c248491dd27b8462276b9f75443aa6
- SHA256: 77a7216e9d954df5898451cb6f61a150cca9e6fec76004a191a2fddc195d5dec
- SHA512: ea99e7276be1302ab1ef50be21d5857d54722273492662961cb2cb9a1d4d332a766984f95f7ffed99ae70efc5bf68fe251d9d9d55be144a1b6bced8161d39747
- SSDEEP: 12288:/tOw6BaWMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:16B8SkQ/7Gb8NLEbeZ
Signatures
Executes dropped EXE 22 IoCs
pid   Process
3220  alg.exe
1996  DiagnosticsHub.StandardCollector.Service.exe
3292  fxssvc.exe
2596  elevation_service.exe
2548  elevation_service.exe
2472  maintenanceservice.exe
2236  msdtc.exe
3144  OSE.EXE
2180  PerceptionSimulationService.exe
4904  perfhost.exe
1800  locator.exe
2672  SensorDataService.exe
2948  snmptrap.exe
4744  spectrum.exe
4688  ssh-agent.exe
2800  TieringEngineService.exe
1032  AgentService.exe
4468  vds.exe
4516  vssvc.exe
3536  wbengine.exe
5040  WmiApSrv.exe
3100  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description                   ioc                                                                      Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  perfhost.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found
664 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Token: SeAuditPrivilege 3292 fxssvc.exe
Token: SeRestorePrivilege 2800 TieringEngineService.exe
Token: SeManageVolumePrivilege 2800 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1032 AgentService.exe
Token: SeBackupPrivilege 4516 vssvc.exe
Token: SeRestorePrivilege 4516 vssvc.exe
Token: SeAuditPrivilege 4516 vssvc.exe
Token: SeBackupPrivilege 3536 wbengine.exe
Token: SeRestorePrivilege 3536 wbengine.exe
Token: SeSecurityPrivilege 3536 wbengine.exe
Token: 33 3100 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3100 SearchIndexer.exe
Token: SeDebugPrivilege 4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Token: SeDebugPrivilege 4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Token: SeDebugPrivilege 4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Token: SeDebugPrivilege 4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Token: SeDebugPrivilege 4500 2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Token: SeDebugPrivilege 3220 alg.exe
Token: SeDebugPrivilege 3220 alg.exe
Token: SeDebugPrivilege 3220 alg.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3100 wrote to memory of 5964 3100 SearchIndexer.exe 120
PID 3100 wrote to memory of 5964 3100 SearchIndexer.exe 120
PID 3100 wrote to memory of 6044 3100 SearchIndexer.exe 123
PID 3100 wrote to memory of 6044 3100 SearchIndexer.exe 123
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:1996
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4868
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3292
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:2596
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
- Executes dropped EXE
PID:2548
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2472
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2236
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:3144
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2180
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4904
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1800
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2672
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2948
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4744
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4292
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4688
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1032
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4468
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3536
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4172,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
PID:2968
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:5040
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
    C:\Windows\system32\SearchProtocolHost.exe
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:5964
    -
    C:\Windows\system32\SearchFilterHost.exe
    "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:6044
-
Network
MITRE ATT&CK Enterprise v15
Downloads