Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/05/2024, 20:29

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Resource: win7-20231129-en

General

Target: 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Size: 2.3MB
MD5: 95ad5b10d65e86b02da3d83778e95c88
SHA1: b9703462217ee86de5da639c46f4c30296afed88
SHA256: c0d24d7525a102dca04299b67806b479495675eb4a0ecafad9558f89aac4941c
SHA512: 865169daccff297a4d850e7e4318b7f9c6ee28a8e0395aa65506d145f5f32bc3c9ba0802341f1be6dd135ff5c54ff93c8d79d322a79340e3d93aa19a301038ac
SSDEEP: 49152:if3ZoG3UCj5qzWt2skmzb2R3NBHCYcMKCqy+XyTmp6I+e30jaNf1TWbdz:KZP3UCj50WtQwb2R3N9cMKCqy+XuU02m
Malware Config
Signatures
Executes dropped EXE (22 IoCs)

pid | process
2468 | alg.exe
5080 | DiagnosticsHub.StandardCollector.Service.exe
2196 | fxssvc.exe
2164 | elevation_service.exe
412 | elevation_service.exe
3216 | maintenanceservice.exe
3188 | msdtc.exe
836 | OSE.EXE
1364 | PerceptionSimulationService.exe
4892 | perfhost.exe
3916 | locator.exe
4984 | SensorDataService.exe
2932 | snmptrap.exe
4232 | spectrum.exe
5016 | ssh-agent.exe
4020 | TieringEngineService.exe
1788 | AgentService.exe
3420 | vds.exe
1952 | vssvc.exe
3612 | wbengine.exe
776 | WmiApSrv.exe
1540 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)

description | ioc | process
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\f57e8283e703f493.bin | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Drops file in Windows directory (3 IoCs)

description | ioc | process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
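The file-write tables above and the Executes dropped EXE list are best read together: the sample opens service and application executables for modification, and one of them, alg.exe, then appears both as an executed process (pid 2468) and as the writer of further executables. The script below is an added example, not part of the sandbox report or of any tool it names; it takes a constructed subset of the report's own rows, re-typed inline so it runs offline, and reconstructs that write, execute, write chain. One caveat it makes explicit: three tables in this report stop at exactly 64 rows, so an executed process with no recorded write (maintenanceservice.exe in the subset) is more likely a truncated table than an untouched binary, and needs a check on the host rather than a pass.

```python
"""Cross-reference a sandbox report's file-write rows with its executed-process rows
to reconstruct which modified executables ran and which of those then modified more
executables. Added example, not part of the sandbox report or of any tool. The rows
below are a constructed subset of the report's own IoC tables so the script runs offline.
"""
from collections import defaultdict
import ntpath

SAMPLE = "2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe"

# (description, path, writing process): subset of the report's "Drops file" rows
FILE_IOCS = [
    ("File opened for modification", r"C:\Windows\System32\alg.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\SearchIndexer.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\spectrum.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\System32\SensorDataService.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\fxssvc.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\dllhost.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\System32\msdtc.exe", SAMPLE),
    ("File opened for modification", r"C:\Program Files\Java\jre-1.8\bin\java.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\fxssvc.exe", "alg.exe"),
    ("File opened for modification", r"C:\Windows\system32\AgentService.exe", "alg.exe"),
    ("File opened for modification", r"C:\Windows\system32\dllhost.exe", "alg.exe"),
    ("File opened for modification", r"C:\Program Files\Java\jdk-1.8\bin\javadoc.exe", "alg.exe"),
    ("File opened for modification",
     r"C:\Windows\system32\config\systemprofile\AppData\Roaming\f57e8283e703f493.bin", "alg.exe"),
    ("File opened for modification", r"C:\Windows\DtcInstall.log", "msdtc.exe"),
    ("File created",
     r"C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log",
     "maintenanceservice.exe"),
]

# (pid, process): subset of the report's "Executes dropped EXE" rows
EXECUTED = [
    (2468, "alg.exe"), (2196, "fxssvc.exe"), (3188, "msdtc.exe"),
    (3216, "maintenanceservice.exe"), (4984, "SensorDataService.exe"),
    (4232, "spectrum.exe"), (1788, "AgentService.exe"), (1540, "SearchIndexer.exe"),
]


def _name(path):
    """Case-folded basename; the report mixes system32/System32 and mixed-case file names."""
    return ntpath.basename(path).lower()


def exe_writes_by_process(iocs):
    """Map each writing process to the executables (basenames) it opened for modification."""
    writes = defaultdict(set)
    for desc, path, proc in iocs:
        if desc == "File opened for modification" and path.lower().endswith(".exe"):
            writes[proc.lower()].add(_name(path))
    return dict(writes)


def non_exe_artifacts(iocs):
    """Writes that are not executables (logs, payload blobs): worth collecting, not part of the chain."""
    return [(path, proc) for _, path, proc in iocs if not path.lower().endswith(".exe")]


def infection_chain(iocs=FILE_IOCS, executed=EXECUTED, sample=SAMPLE):
    """Reconstruct the write -> execute -> write chain.

    first_stage: executables the sample itself opened for modification
    second_stage_writers: first-stage targets that were executed and then wrote executables
    second_stage_targets: executables written by those second-stage writers
    modified_and_executed: everything in the chain that also appears in the executed list
    executed_without_recorded_write: executed processes with no write row in the input;
        with tables capped at 64 rows this usually means a truncated table, not a clean binary
    """
    writes = exe_writes_by_process(iocs)
    ran = {proc.lower() for _, proc in executed}
    first_stage = writes.get(sample.lower(), set())
    second_stage_writers = {p for p in writes if p in first_stage and p in ran}
    second_stage_targets = set().union(*(writes[p] for p in second_stage_writers))
    touched = first_stage | second_stage_targets
    return {
        "first_stage": first_stage,
        "second_stage_writers": second_stage_writers,
        "second_stage_targets": second_stage_targets,
        "modified_and_executed": touched & ran,
        "executed_without_recorded_write": ran - touched,
    }


if __name__ == "__main__":
    for key, names in infection_chain().items():
        print(f"{key}: {sorted(names)}")
    for path, proc in non_exe_artifacts(FILE_IOCS):
        print(f"non-exe artifact: {path} (written by {proc})")
```

Feeding the full tables instead of the subset is a matter of pasting the rows; the join logic does not change. The modified_and_executed set is the list to hash and signature-check on any host where this sample ran, since those are service binaries that were both rewritten and started.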
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments. Every row below is attributed to spectrum.exe or SensorDataService.exe, two System32 service binaries the sample opened for modification and which then ran (pids 4232 and 4984 in Executes dropped EXE); the sample process itself is not the reader.

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments. Both reads are attributed to TieringEngineService.exe (pid 4020 in Executes dropped EXE), another System32 service binary the sample opened for modification before it ran.

description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
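The SCSI and CentralProcessor reads above are the standard registry fingerprinting checks: the name of each key under Enum\SCSI encodes the device class, vendor and product, so enumerating key names alone reveals QEMU and Msft Virtual strings without any device I/O. The Python below is an added example, not code from the report or from the sample; it parses key paths constructed from the report's own rows, flags the ones that name a hypervisor, and includes winreg helpers (Windows only) to run the same two reads on a live host. VM_MARKERS is an illustrative list assumed for the example. Note what the rows say about this sandbox: the hard disk reports a non-hypervisor vendor string (DADY HARDDISK), but both optical drives still expose QEMU and Msft Virtual_DVD-ROM, so a plain vendor-string check would still identify the environment.

```python
r"""Reproduce the two registry fingerprinting checks recorded in the report (SCSI device
enumeration and CentralProcessor\0 ~MHz) and show what each reveals about the sandbox.
Added example, not from the report or the sample. REPORTED_KEYS is constructed from the
report's own IoC rows; the live helpers use winreg and return nothing outside Windows.
"""
import re
import sys

# Vendor/product substrings that typically identify a hypervisor-backed SCSI device.
# Illustrative list (an assumption of this example), not a complete one.
VM_MARKERS = ("QEMU", "VBOX", "VMWARE", "VIRTUAL", "MSFT", "XEN", "VIRTIO", "RED HAT")

# SCSI enumeration keys are named <class>&Ven_<vendor>&Prod_<product>\<instance>[\...]
SCSI_KEY_RE = re.compile(
    r"\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^\\]+)\\(?P<instance>[^\\]+)",
    re.IGNORECASE,
)

# Constructed from the report's "Checks SCSI registry key(s)" rows, one per device instance
REPORTED_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName",
]


def parse_scsi_key(path):
    """Split a SCSI enum key path into class, vendor, product and instance id (None if it is not one)."""
    m = SCSI_KEY_RE.search(path)
    return m.groupdict() if m else None


def looks_virtual(vendor, product):
    """True if the vendor/product pair contains one of the hypervisor markers."""
    return any(marker in f"{vendor} {product}".upper() for marker in VM_MARKERS)


def classify_devices(paths):
    """One record per device instance, flagged if its vendor/product names a hypervisor."""
    devices = {}
    for p in paths:
        info = parse_scsi_key(p)
        if info is None:
            continue
        key = (info["cls"], info["vendor"], info["product"], info["instance"])
        devices.setdefault(key, {**info, "vm_indicator": looks_virtual(info["vendor"], info["product"])})
    return list(devices.values())


def sandbox_verdict(paths, cpu_mhz=None):
    """What a naive anti-sandbox check would conclude from these keys (plus ~MHz if known)."""
    devices = classify_devices(paths)
    leaking = [d for d in devices if d["vm_indicator"]]
    return {
        "devices": len(devices),
        "vm_devices": [f'{d["vendor"]} {d["product"]}' for d in leaking],
        "suspect": bool(leaking),
        "cpu_mhz": cpu_mhz,
    }


def _subkeys(key):
    """Yield subkey names of an open winreg key (Windows only; winreg imported lazily)."""
    import winreg
    i = 0
    while True:
        try:
            yield winreg.EnumKey(key, i)
        except OSError:
            return
        i += 1


def enumerate_scsi_live():
    r"""Walk HKLM\SYSTEM\CurrentControlSet\Enum\SCSI on a live Windows host ([] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    base = r"SYSTEM\CurrentControlSet\Enum\SCSI"
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for dev in _subkeys(root):
            with winreg.OpenKey(root, dev) as devkey:
                found += [rf"\REGISTRY\MACHINE\{base}\{dev}\{inst}" for inst in _subkeys(devkey)]
    return found


def read_cpu_mhz_live():
    r"""The same HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz value the report shows queried."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System\CentralProcessor\0") as k:
        value, _ = winreg.QueryValueEx(k, "~MHz")
    return value


if __name__ == "__main__":
    print(sandbox_verdict(REPORTED_KEYS, cpu_mhz=read_cpu_mhz_live()))
    if sys.platform == "win32":
        print(sandbox_verdict(enumerate_scsi_live(), cpu_mhz=read_cpu_mhz_live()))
```

Run against the report's keys the verdict is suspect=True with three leaking devices and one clean one; run on a sandbox image you maintain, it is a quick regression test that renaming the disk vendor string was not the only hardening step needed.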
Modifies data under HKEY_USERS (64 IoCs)

No row below is attributed to the sample process. All writes come from SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe and fxssvc.exe, the Windows Search and Fax service hosts that ran after the sample opened SearchIndexer.exe and fxssvc.exe for modification (pids 1540 and 2196 in Executes dropped EXE); the keys are the MuiCache, FileExts and shell-extension cache entries those services populate under the .DEFAULT profile.

description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080e5f511aba4da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa47f811aba4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eec5a11aba4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002636c611aba4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007dd78511aba4da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc10bf11aba4da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
2600 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2600 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Token: SeAuditPrivilege 2196 fxssvc.exe
Token: SeRestorePrivilege 4020 TieringEngineService.exe
Token: SeManageVolumePrivilege 4020 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1788 AgentService.exe
Token: SeBackupPrivilege 1952 vssvc.exe
Token: SeRestorePrivilege 1952 vssvc.exe
Token: SeAuditPrivilege 1952 vssvc.exe
Token: SeBackupPrivilege 3612 wbengine.exe
Token: SeRestorePrivilege 3612 wbengine.exe
Token: SeSecurityPrivilege 3612 wbengine.exe
Token: 33 1540 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1540 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1540 SearchIndexer.exe (repeated entries)
Token: SeDebugPrivilege 2600 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe (5 identical entries)
Token: SeDebugPrivilege 2468 alg.exe (3 identical entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2600 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600 2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1540 wrote to memory of 3840 1540 SearchIndexer.exe 116
PID 1540 wrote to memory of 3840 1540 SearchIndexer.exe 116
PID 1540 wrote to memory of 1220 1540 SearchIndexer.exe 117
PID 1540 wrote to memory of 1220 1540 SearchIndexer.exe 117
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2600
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2468
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 5080
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 2220
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2196
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 2164
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 412
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID: 3216
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 3188
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 836
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 1364
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 4892
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 3916
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4984
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2932
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4232
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 5016
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 3052
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 4020
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1788
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 3420
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1952
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3612
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 776
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1540
  Child process of SearchIndexer.exe (PID 1540):
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 3840
  -
  Child process of SearchIndexer.exe (PID 1540):
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  - Modifies data under HKEY_USERS
  PID: 1220
-
Network
MITRE ATT&CK Enterprise v15
Downloads