Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 09:23
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
Resource: win7-20240220-en
General
- Target: 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
- Size: 1.8MB
- MD5: 007ad9660d0e32d6e7a0bd9310224c21
- SHA1: 048f83d43ce1729089e4d11dfdc1b0f04480b737
- SHA256: aafc4c4f724a5c8d274118ee70494ff687e4d5194b6067aeb476bde9e50d621a
- SHA512: 30f248bcaabf92686aa90c57feab9d4c4d080e0c3f82dafd5f307c8abaea273987dbee3a18f24605ebb38e3af98349aef8ace79602eb2a78adc58865e6674f74
- SSDEEP: 49152:uE19+ApwXk1QE1RzsEQPaxHNZ5UbU62FAQ228QKl:T93wXmoKrqj2FAQL
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
Most of these names are Windows or third-party service binaries that the sample (or the dropped alg.exe) opened for modification in the sections below; the processes observed are those service binaries running after the sample touched them, not new files under new names.
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid   process
1224  alg.exe
4520  DiagnosticsHub.StandardCollector.Service.exe
4724  fxssvc.exe
3952  elevation_service.exe
2496  elevation_service.exe
3924  maintenanceservice.exe
4660  msdtc.exe
3800  OSE.EXE
4056  PerceptionSimulationService.exe
436   perfhost.exe
456   locator.exe
1196  SensorDataService.exe
2824  snmptrap.exe
2304  spectrum.exe
3380  ssh-agent.exe
3220  TieringEngineService.exe
968   AgentService.exe
4908  vds.exe
3736  vssvc.exe
2844  wbengine.exe
4616  WmiApSrv.exe
3060  SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 31 IoCs
Despite the signature name, every entry here is an existing Windows service binary opened for write access by the sample or by the already-modified alg.exe. The only path that is not a standard Windows component is the .bin written under the SYSTEM profile by alg.exe; MSDTC.LOG is the transaction coordinator's own log.
Processes: 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe (listed below as "sample"), alg.exe, msdtc.exe
description  ioc  process
File opened for modification  C:\Windows\system32\fxssvc.exe  sample
File opened for modification  C:\Windows\system32\spectrum.exe  sample
File opened for modification  C:\Windows\system32\TieringEngineService.exe  sample
File opened for modification  C:\Windows\system32\AgentService.exe  sample
File opened for modification  C:\Windows\system32\AppVClient.exe  alg.exe
File opened for modification  C:\Windows\system32\msiexec.exe  alg.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\a41a0b50c3136770.bin  alg.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  sample
File opened for modification  C:\Windows\system32\msiexec.exe  sample
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  sample
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe  sample
File opened for modification  C:\Windows\system32\wbengine.exe  sample
File opened for modification  C:\Windows\SysWow64\perfhost.exe  sample
File opened for modification  C:\Windows\System32\SensorDataService.exe  sample
File opened for modification  C:\Windows\System32\vds.exe  sample
File opened for modification  C:\Windows\system32\dllhost.exe  alg.exe
File opened for modification  C:\Windows\system32\AgentService.exe  alg.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  sample
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  sample
File opened for modification  C:\Windows\System32\alg.exe  sample
File opened for modification  C:\Windows\System32\snmptrap.exe  sample
File opened for modification  C:\Windows\system32\vssvc.exe  sample
File opened for modification  C:\Windows\system32\fxssvc.exe  alg.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  sample
File opened for modification  C:\Windows\System32\SensorDataService.exe  alg.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  alg.exe
File opened for modification  C:\Windows\system32\dllhost.exe  sample
File opened for modification  C:\Windows\System32\msdtc.exe  sample
File opened for modification  C:\Windows\system32\locator.exe  sample
File opened for modification  C:\Windows\system32\SearchIndexer.exe  sample
-
Drops file in Program Files directory 64 IoCs
Processes: 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe (listed below as "sample"), alg.exe
description  ioc  process
File opened for modification  C:\Program Files (x86)\Internet Explorer\ExtExport.exe  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsgen.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\tnameserv.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe  sample
File opened for modification  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\pack200.exe  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jmap.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe  alg.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\uninstall.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jhat.exe  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe  sample
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe  sample
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe  sample
File opened for modification  C:\Program Files\Internet Explorer\iexplore.exe  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe  sample
File opened for modification  C:\Program Files (x86)\Internet Explorer\ielowutil.exe  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe  alg.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe  sample
File opened for modification  C:\Program Files\Internet Explorer\ielowutil.exe  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\serialver.exe  sample
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe  alg.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdb.exe  sample
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe  sample
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jinfo.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Internet Explorer\ieinstal.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe  sample
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\serialver.exe  alg.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jstatd.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe  sample
File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\mip.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\java.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\ktab.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe  alg.exe
File opened for modification  C:\Program Files\Mozilla Firefox\minidump-analyzer.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsimport.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe  alg.exe
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe  sample
File opened for modification  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe  alg.exe
File opened for modification  C:\Program Files\dotnet\dotnet.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdeps.exe  alg.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\kinit.exe  alg.exe
File opened for modification  \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE  sample
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe  sample
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jconsole.exe  alg.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe  alg.exe
-
Drops file in Windows directory 3 IoCs
Processes: 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe (listed below as "sample"), msdtc.exe, alg.exe
description  ioc  process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  sample
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
-
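The three "Drops file" sections above are, in practice, a list of signed Windows and vendor binaries that the sample and the modified alg.exe opened for write. The check a responder wants on a suspect host is whether those binaries still carry a valid signature and which service starts each of them. The script below is an added triage example; it is not part of the sandbox report and not code from the sample. It assumes an elevated PowerShell 5.1 or later session on the host under investigation, uses only the System32 and Windows-directory paths copied from this report (the Program Files list can be appended to the same array), and treats a binary whose Authenticode or catalog signature is no longer Valid as suspect. The .bin under the SYSTEM profile is checked for existence only, since a non-PE file has no signature to verify.

```powershell
# Added triage example; not part of the sandbox report and not code from the sample.
# Assumptions: elevated PowerShell 5.1+ on the host under investigation; paths are the
# System32 / Windows-directory entries from the report above, duplicates collapsed.

$ReportedBinaries = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\system32\AgentService.exe',
    'C:\Windows\system32\AppVClient.exe',
    'C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\system32\dllhost.exe',
    'C:\Windows\system32\fxssvc.exe',
    'C:\Windows\system32\locator.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Windows\system32\msiexec.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\system32\SearchIndexer.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\system32\SgrmBroker.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\system32\spectrum.exe',
    'C:\Windows\system32\TieringEngineService.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\system32\vssvc.exe',
    'C:\Windows\system32\wbengine.exe',
    'C:\Windows\system32\wbem\WmiApSrv.exe',
    'C:\Windows\SysWow64\perfhost.exe',
    'C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe'
)

# Non-PE artifact the report shows alg.exe writing; it should not exist on a clean host.
$ReportedArtifacts = @(
    'C:\Windows\system32\config\systemprofile\AppData\Roaming\a41a0b50c3136770.bin'
)

function Test-ReportedBinary {
    param([Parameter(Mandatory)][string[]]$Path)

    # Resolve services once so each binary can be tied to the service that launches it
    # (the report's "Executes dropped EXE" list is exactly these services starting).
    $services = Get-CimInstance -ClassName Win32_Service

    foreach ($p in $Path) {
        $leaf = Split-Path -Path $p -Leaf
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; Signature = 'n/a'; Signer = ''; SHA256 = ''; Services = ''; Suspect = $false }
            continue
        }
        $sig  = Get-AuthenticodeSignature -LiteralPath $p      # covers embedded and catalog signatures
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $svc  = ($services | Where-Object { $_.PathName -and $_.PathName -like "*\$leaf*" } |
                 Select-Object -ExpandProperty Name) -join ','
        [pscustomobject]@{
            Path      = $p
            Exists    = $true
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = $hash
            Services  = $svc
            # A binary that was overwritten or patched no longer matches its signature.
            Suspect   = ($sig.Status -ne 'Valid')
        }
    }
}

function Test-ReportedArtifact {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $exists = Test-Path -LiteralPath $p
        [pscustomobject]@{
            Path    = $p
            Exists  = $exists
            SHA256  = if ($exists) { (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash } else { '' }
            Suspect = $exists
        }
    }
}

$results = Test-ReportedBinary -Path $ReportedBinaries
$results | Format-Table Path, Signature, Services, Suspect -AutoSize
$results | Where-Object Suspect | Select-Object Path, Signer, SHA256 | Format-List
Test-ReportedArtifact -Path $ReportedArtifacts | Format-List
```

A Windows binary in this list that reports anything other than Valid, or whose signer subject is not Microsoft, should be pulled for analysis together with the service that starts it; the SHA256 column gives you the value to compare against a known-good copy from an untouched machine or against the sample's own hashes. For third-party files from the Program Files list, an unsigned result is only a lead, since some vendor tools ship unsigned, so compare hashes rather than relying on signature status alone. `sfc /verifyonly` is a useful second opinion for the Windows-owned paths.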
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments. Caveat: both processes below are Windows services, and the Properties\{GUID}\NNNN subkeys they open are the PnP device property store that device enumeration reads in normal operation, so this signature on its own is weak evidence that the sample is sandbox-aware. What the reads do expose is visible in the key names themselves: the optical drives identify as Ven_QEMU and Ven_Msft Virtual, which is exactly the information a sandbox check would use.
Processes: SensorDataService.exe, spectrum.exe
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description  ioc  process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
-
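The two registry signatures above (SCSI device keys and CentralProcessor\0) are the same locations a sandbox-aware sample would read to decide whether it is running under a hypervisor. The script below is an added example, not part of the sandbox report and not code from the sample: it reads exactly those keys and flags device names that give a virtual machine away, which is useful both for confirming what a sandbox exposes and for understanding what the reads in the report would have returned. It assumes PowerShell 5.1 or later on the sandbox VM or a suspect host; the marker list is a starting point chosen for this example, not an exhaustive hypervisor fingerprint, and it queries CurrentControlSet where the report shows ControlSet001 (the former resolves to the active control set).

```powershell
# Added example; not part of the sandbox report and not code from the sample.
# Reads the Enum\SCSI instances and CentralProcessor\0 values the report shows
# SensorDataService.exe, spectrum.exe and TieringEngineService.exe touching.

# Vendor/product substrings that usually belong to emulated devices (assumed list).
# 'VIRTUAL' also matches "Msft Virtual DVD-ROM", which Windows creates for a mounted
# ISO on physical hardware, so treat it as a weaker hit than QEMU/VBOX/VMWARE.
$VmMarkers = @('QEMU', 'VBOX', 'VIRTUALBOX', 'VMWARE', 'XEN', 'BOCHS', 'VIRTUAL')

function Get-VmMarker {
    # Returns the first marker found in $Text, or '' when none matches.
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return '' }
    $upper = $Text.ToUpperInvariant()
    foreach ($m in $VmMarkers) { if ($upper.Contains($m)) { return $m } }
    return ''
}

function Get-ScsiDeviceNames {
    # Layout: Enum\SCSI\<Class&Ven_xxx&Prod_yyy>\<instance id>; FriendlyName sits on the
    # instance key, which is the value the report shows being queried.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI'
    foreach ($device in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        foreach ($inst in Get-ChildItem -LiteralPath $device.PSPath -ErrorAction SilentlyContinue) {
            $props  = Get-ItemProperty -LiteralPath $inst.PSPath
            $marker = Get-VmMarker $device.PSChildName          # e.g. CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM
            if (-not $marker) { $marker = Get-VmMarker $props.FriendlyName }
            [pscustomobject]@{
                DeviceKey    = $device.PSChildName
                Instance     = $inst.PSChildName                 # e.g. 4&215468a5&0&010000
                FriendlyName = $props.FriendlyName
                VmMarker     = $marker
            }
        }
    }
}

function Get-CpuRegistryInfo {
    # Same key and ~MHz value that TieringEngineService.exe queried in the report.
    $cpu = Get-ItemProperty -LiteralPath 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    [pscustomobject]@{
        MHz      = $cpu.'~MHz'
        Name     = $cpu.ProcessorNameString
        VendorId = $cpu.VendorIdentifier
    }
}

$devices = Get-ScsiDeviceNames
$devices | Format-Table DeviceKey, FriendlyName, VmMarker -AutoSize
Get-CpuRegistryInfo | Format-List
if ($devices | Where-Object { $_.VmMarker }) {
    Write-Warning 'Storage device names expose a hypervisor; a sample performing these reads can tell it is sandboxed.'
}
```

Run on the environment that produced this report, the device table would list the QEMU DVD-ROM and the two Msft Virtual DVD-ROM instances from the key paths above, and the QEMU entry would be flagged. Sandbox operators who want these reads to look like bare metal need to change the emulated device vendor and product strings at the hypervisor, not in the registry, because the Enum\SCSI keys are regenerated from the device's inquiry data.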
Modifies data under HKEY_USERS 64 IoCs
Note: these are MuiCache, shell-extension cache and file-type association entries of the kind the search indexer's host processes write under the .DEFAULT profile during normal indexing; treat them as evidence that the dropped SearchIndexer.exe (and fxssvc.exe) ran rather than as a persistence or configuration change by the sample.
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
description  ioc  process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074a910b897b5da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036630db997b5da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043e32dc297b5da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2f61eb897b5da01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000275ec4b797b5da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005763eeb897b5da01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024266fc197b5da01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb6ef6b797b5da01  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9c40fb997b5da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  SearchFilterHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"  SearchProtocolHost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d66089c197b5da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"  fxssvc.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcbc04b897b5da01  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  SearchFilterHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  SearchProtocolHost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"  SearchProtocolHost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"  SearchProtocolHost.exe
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
pid process
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
668
668
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe fxssvc.exe TieringEngineService.exe AgentService.exe vssvc.exe wbengine.exe SearchIndexer.exe alg.exe
description pid process
Token: SeTakeOwnershipPrivilege 1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
Token: SeAuditPrivilege 4724 fxssvc.exe
Token: SeRestorePrivilege 3220 TieringEngineService.exe
Token: SeManageVolumePrivilege 3220 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 968 AgentService.exe
Token: SeBackupPrivilege 3736 vssvc.exe
Token: SeRestorePrivilege 3736 vssvc.exe
Token: SeAuditPrivilege 3736 vssvc.exe
Token: SeBackupPrivilege 2844 wbengine.exe
Token: SeRestorePrivilege 2844 wbengine.exe
Token: SeSecurityPrivilege 2844 wbengine.exe
Token: 33 3060 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3060 SearchIndexer.exe
Token: SeDebugPrivilege 1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
Token: SeDebugPrivilege 1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
Token: SeDebugPrivilege 1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
Token: SeDebugPrivilege 1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
Token: SeDebugPrivilege 1692 2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
Token: SeDebugPrivilege 1224 alg.exe
Token: SeDebugPrivilege 1224 alg.exe
Token: SeDebugPrivilege 1224 alg.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 3060 wrote to memory of 2988 3060 SearchIndexer.exe SearchProtocolHost.exe
PID 3060 wrote to memory of 2988 3060 SearchIndexer.exe SearchProtocolHost.exe
PID 3060 wrote to memory of 3788 3060 SearchIndexer.exe SearchFilterHost.exe
PID 3060 wrote to memory of 3788 3060 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_007ad9660d0e32d6e7a0bd9310224c21_bkransomware.exe" 1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 1⤵
- Executes dropped EXE
PID:4520
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv 1⤵
PID:2308
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe 1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4724
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe" 1⤵
- Executes dropped EXE
PID:3952
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" 1⤵
- Executes dropped EXE
PID:2496
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" 1⤵
- Executes dropped EXE
PID:3924
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4660
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" 1⤵
- Executes dropped EXE
PID:3800
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe 1⤵
- Executes dropped EXE
PID:4056
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe 1⤵
- Executes dropped EXE
PID:436
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe 1⤵
- Executes dropped EXE
PID:456
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1196
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe 1⤵
- Executes dropped EXE
PID:2824
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2304
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe 1⤵
- Executes dropped EXE
PID:3380
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc 1⤵
PID:1212
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe 1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:968
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe 1⤵
- Executes dropped EXE
PID:4908
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3736
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe 1⤵
- Executes dropped EXE
PID:4616
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
-
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" 2⤵
- Modifies data under HKEY_USERS
PID:2988
-
-
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 2⤵
- Modifies data under HKEY_USERS
PID:3788
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5 d7d0639d6d465d26a50da20cff9f4c07
SHA1 e9914fa778814e69cc76e1800d82a12ed35adab3
SHA256 bb9aed74bed846688ea837e1684257a0ee0af86fbfc05abaf4b17fba240d5045
SHA512 6b57300a341bc81957b9dfd8d9d1ca792e3431ccd79039c87324609019dba11ac74b4a767c1ba40df7c78b8493bb4d14c33e46a4da91d79fc6285ecdf14cafb0
-
Filesize
1.4MB
MD5 5ea9d67a0ba111e7aae3767d7d05b678
SHA1 7b7a1d81fb33a21424480fb107bdbfb38696545e
SHA256 6e7e09f4b33d218d7d3336bb96639cd2dc416a8abb1f3ad097a47190a6f80cdc
SHA512 432e13b5a506ab46cc47a884113016358b0b85449ebfd4983da4d8991f0341b6c8dbc419642d33f71d633def3eebaffffb4b3106e7c7bef418e56ef4c4c237e1
-
Filesize
1.7MB
MD5 9e206ceea0b7ace4460f4f5f9f5ff8ea
SHA1 9c3783e6c861357899ebf7db0e2b95099aaf85dc
SHA256 391d28ca0b50e897ab42402cfc7a3ff8235125b357072071563b6786fb461232
SHA512 4a5fd20a62da6699b4f098b0e938dbcb4579d9d6d726dd40355b90c5e83127725b9212e4618d67c293a6d03f0ae390021efbe4e6538621efb79e60ce959c7041
-
Filesize
1.5MB
MD5 6f791c6c67c66bcac01774bc02a2d2ae
SHA1 4af03030d0471623274e09f895580f68867a21c6
SHA256 dfb01738b6157906f9c5fae9fd13db29db6120e7af8672799a4aa1df1c51de84
SHA512 230faccbd1d26770c9c898c4d4ee11491f5b2337cf8a053175b71ef4bc8295aa8954c933390ad687f12e7975dfa4367b4c9e81fe02dbc0703487b61ab0ab40f6
-
Filesize
1.2MB
MD5 4f2195dbdac04f96cece227cd6b4be9d
SHA1 997580fb617f9b96b8fe9fdab782bd4c0320af6c
SHA256 f576975847e8aabfcb52f81eff27815f39a571255a9b7a8d52f697cd1dabda65
SHA512 80c199b12685473c8eae9e4bae2681e0b9e756e906f090f8e960984c248e08c1e46d7bbeccb1337181e8a5b7b3144742b4c01a6e86ddea052917d7442711160a
-
Filesize
1.2MB
MD5 6c582cb0b3334d5e23efa825a5d519c5
SHA1 ed39e66f6e4b72cf685f4b1911c0becd824ac474
SHA256 91986c101121d38408f3af7db82700993451bc7bbcc6441ee6163dd4da8b68fa
SHA512 ebd4117843c5c9044a21a63de1e31adacd28eccc1ba64f3d0937ed1b07c750bc7a544eb8be9d0169b709666239cef283a2968c990120d22ce5956413e3607f06
-
Filesize
1.4MB
MD5 0701710735cd117e693c683ff7d21e7d
SHA1 fe73635898c2eccb76c14acf7b865c8e9802b8b6
SHA256 45ef34f7385d3a70a77fc2ab2882dbc68e252e3cf982c4d390c3ed7f0b231f85
SHA512 600706a733469c6d3a10e6ff242190ca408ff1013aeb6ba817b1fce474b45068777009409bc411c825360cec1459ff4c8d90a16d6af896a8ff335c40b205b927
-
Filesize
4.6MB
MD5 6819d6e0d4177718372cb4654fc98ee1
SHA1 12b50372ca36c3db0bf066b6ff9d4592a1b17cd6
SHA256 8b740bfcbc5964c521aa2c3fe2dee3fb467d815753c5df033f0616070b5323d4
SHA512 8e0cb5d864d09bf85d462b078529742bafabadc7836318600f2dad7f5438daa9fa5270a33218165eaffd141b681c52ada86f2d533dec7566024cd9b7b091932c
-
Filesize
1.5MB
MD5 98432bb75fc19f6a9453a16b092c0322
SHA1 82f8554a1f2f98611206400c71998b9bfe1657be
SHA256 ba36fda6e0e459218348f05c719712b9c5a1f5ff6fe0439f40f7cab52433137c
SHA512 270a49c597e5115ea533e0254653112d6413edb1c28ae29c15a23cbc1a736e652d4be67a03b536d7bcde5eb58448f60dcf77acc629439de1b3458f16130d3dfb
-
Filesize
24.0MB
MD5 eaf5eea83a183bcee5a281de998e440a
SHA1 262380519d1a7822b5c11502928ebdb8cc544ffc
SHA256 9fa11fb310663add01ab1ef02bacec6d07b17ce153bd3bbc3fa2fc3266fe47c4
SHA512 36734fcb60bba06ad262ea0919c849a0570dcdef0bd16be8740c9498fbd69ffe2e34ba54dbec9df30f9d011dbbd40d65d06df7630de78a96587cc0aad7b2dfa3
-
Filesize
2.7MB
MD5 3a2311c4fd4945b3e2dd756d4491d12d
SHA1 b6c8e0eac718fde126a54a44fdb3daf0782c2647
SHA256 13a6eecdfccfc8c09d2a848816be785b4b6d53a8a455b6991daa1dcfc3d8c3bd
SHA512 7e70ef4b0506935dbd0f631cc763656ad20fdc6be7f08e8e83df228c91dfe010e9efc4dbc2c0cf5eeaa493e2f2911b535428afdbb502035d735e559a146bcd3a
-
Filesize
1.1MB
MD5 9b85d80fb9eee2a0b34f33eac01a4127
SHA1 cf70990b1dbb2b8969b9dfee3f24d1d285ca68a5
SHA256 8c51b1fece81dfff029d2056ca801d10d725decf5988646df59e3d4291e1f173
SHA512 c3d2901c197c878ae3a5456c5df57f3356ef2d8f73b58d04060b742c560a13e88aea8326b297f884594fa41f2b67ad7ecb17fd0fa57daabf49249a53bccea97c
-
Filesize
1.4MB
MD5 ec0b5944fc60e74f1547ef9b1bcae915
SHA1 cd97403bccd2da68e9d25fb3582e8202338ae566
SHA256 543860dd6328a34cb7e36e59de2ddb68b85803350b635cd027f42e84f4918d17
SHA512 ebb81b6c3367e74fbdf7951069219d99feffb740eb3d8119550d19e000c6346c3b64d8edf94fc78f104ae7eef2b5e9a126fd626c252fa2eccb6b55c4a9b38445
-
Filesize
1.3MB
MD5 8382aab2379e6a2bda08291bcf95e099
SHA1 fadb99fedb1d04d517db6229d164c6dba0620fbc
SHA256 959f34f3bee2562cc4e83845514ad0e7c41f5deada1c7e05095b6a34f884e761
SHA512 5b4e21a074e8d5dd39d8673237be537622bab9182a424851b33f74b2b9d521c399de3a41fb7137bf09160722767bafc49beeb15184725ad842f79e36d7642142
-
Filesize
5.4MB
MD5 890c11191d6ba9f1b83ff49af708fb0f
SHA1 856a43c772141ccfb2775e6fa1d7b4c7d0d7864d
SHA256 14ff358aaea6cc5b0b5ccd2257c2a8d6a37487cea370a53f1db29bf44ecebf66
SHA512 c481d6f2540b5564b6fc0e8e981f1e0aaff390b22344cdb218a060215e686e5d16e96c5743f810515775ff255fc30825ae67e1326df1f7cd19a33252d9ea28a3
-
Filesize
5.4MB
MD5 8628032c6942c00573a121afa1b2c6d3
SHA1 3fc739a7f6190fd6ff296ca1b383f25eba3a2c26
SHA256 cf4dfd56d7bc2ce020199a58014ec4a822830192ce2c87dc830d5a3fd093812e
SHA512 6aa9b7f0ec2ae6feda45a784e29d58f341b4dae6399aa89c19397d1898564aa0d7b0238fd4576dcec2672f0a6d49a0d7e5597fd27d357f7467dd71fc31cf0df3
-
Filesize
2.0MB
MD5 b7fc9644e387696e5f50d97943d4651f
SHA1 89f059bba6445c6f03d18d7f58dbc874af78a486
SHA256 8ce876ff272b067405b9916a7702892c7d7fcbbd214a51c1937161d3baebc4bf
SHA512 6ac1f4b2c91d58c6b1c9da2cbe19be5b564e664578294908b18444935c3e262745707631dafaccebcc6e48dca6569d5967cf5afa14a643657ce4523d484454b1
-
Filesize
2.2MB
MD5 3486ebaa2183073dad35bf44d24a0e03
SHA1 f4459bd38150e712daedfd27028545550099748b
SHA256 fb47cb75a732a3f4a34d40eca54947469ade2da05bfaf811117575277e256373
SHA512 22e280f0c246f95bcb59cd794fb3851c265c0749728b5fcfda5ef381432a67113f6cc093bf5b5dc8a4e56b8ec8a67359ed9e18eed66914b0b47f2db8a81893a1
-
Filesize
1.8MB
MD5 5ed0c3c12bad8efffe5d385426d86f00
SHA1 853b6629b6923fc76dacf7f4da5ea610fc3d0ccf
SHA256 8acf80863163e0dc931572653e538407b85db2d6abbc2a4688670f4377929c32
SHA512 4872d11563f731dd68fa2bde6eed6733775aa5df289260284f78da5be98d7f6ec37aba0d383095107ce777b52d9b1f8cd311425bde5f98cf77719692e0c0bb9b
-
Filesize
1.7MB
MD5 276e39266859ca95082910ae5f65bf47
SHA1 40b7cd5fc3d3ee6f92dea660c2710198f414ea52
SHA256 dc5988d0cff5c1714ecf6eb536ec5a9154a6b03169f7fb13b21334cd1234d51e
SHA512 433e8e59ec9f0ad3336471b299fcfcd0c4be0a3de69f4052f66024d9e598e26003c632767ae5b85b35a88b776bd2713372bbaf3d2b9f557c054908673c5b367e
-
Filesize
1.2MB
MD5 0addc0569722091001709f86c6f6b499
SHA1 fba0d8fafb8571c735916c81b303e4496a385934
SHA256 a2c697d672c9577a7e35d3d7e1db1ec08d91fd1b73c6bab4610da47d80f661c4
SHA512 e52f9fb6e335471c7334f72d672dbfc3525caf35e4dd49ca848fe7a2a75b5658d98d2c6078d10574034706270365585ade584e662f96f85cf22d69f443842fb4
-
Filesize
1.2MB
MD5 edfab73553fec85df7c5ff0ed162c8a6
SHA1 469dce2c28f7e981a689d2a9ccb67606be929bd7
SHA256 12468a4c1b5ef8dfa2201792a1a45716092f6435815259399949dc4b66a1404a
SHA512 6ca44c029bea074326ec1f9beb165c8530d9fd30fd518c5538540fb5ea93bc3ad14efc249c876768c7f8ca5437c531c67bf0cc43be476d2b67f5da7e76dfde9f
-
Filesize
1.2MB
MD5 8c5d5deb53999776af1e74d1a14a7451
SHA1 e0531d4748328ead1bb71fd66560eb03188701e7
SHA256 b7501d48c65ac6dd305eb8dd3f12e121138c0efbac0234c41530f4ab59d25ad6
SHA512 b3367e2f75e4ec980f33923ae6bb1a8cc889e23c800b1d81c5c86aa2de2c65d436ed2a70891cdae7e6d77b7d3d1e4480430eea76acac37b6bb6931a8f71e4ac2
-
Filesize
1.2MB
MD5 6145ac458b94372d03637a9cc6b16467
SHA1 4d91093bbc0d6dbc3b63051e8631ab30ebc35dbb
SHA256 cf2378116efe30e91a63bdec05ef241b53342f8b1f63c3de1e72e3db9095eb44
SHA512 ad273db4fbd5893ac5395171ff4f38e8eb5b89f929fed95bc8733100f3d432852c6c451ac9709af20f0f8d56471fa76f17c5a48b17c3e5fd9dd6f29b257bd8a7
-
Filesize
1.2MB
MD5 5c72801bcd749481a83a00cb29af427b
SHA1 914b5cd965b708d0edbe60be6469afba4c71bfe2
SHA256 500754554e9947fbcf6ec4ebbdf468e2fe51c462606e79c970f8a1a56b02d7cb
SHA512 53521ea6a8dc6183a499e36d15b3bd4f79abd487d5e2f98cfba47f6cb6b676a21f2f63f0a252f245c7c8fbd16c24ea8005e2f52c15d4c21a46930594c544d20a
-
Filesize
1.2MB
MD5 bdc8b32eee044f0816ca16ccda261aa7
SHA1 8a303836ead3d25140748ba501080e262c32dc4b
SHA256 1e2b7493383e35f0cd830ba2af35187793deb90ebe649c5003047539038776d3
SHA512 a1c2cebd8a658b8462a1fd010628467cd4b96ffdc10fc8fbfa1f4658b80832bdbc7b8b59af46c339974e8e8d029466cfc93752d05273b581ebaf66fd782fb6f2
-
Filesize
1.2MB
MD5 3d1271a7f5658a1c1584f4d5ec53a32b
SHA1 5f769d5aefa7471b0be4913e61c36513ed6f8abb
SHA256 499b5db88dc0b7f9ffd2c82a21dea924488c1b7ad081c9457a930457ed1973df
SHA512 ad5ec2c3de42f8a162fa96c6c4ad48edec0f6471ee794d65b5750802978ce64304c0a989beb80ad847aaa28cd9327e3898222453152d28d84afd4f7018063f58
-
Filesize
1.5MB
MD5 eb2ecb9b1895bbe62d5b023bfa829211
SHA1 80c3f7046388e4d58400ecd27f3ea980df57b9f1
SHA256 89cf984a05280bec164219255c6d2d4c6275d22e13c36b0774154b4be4e537f7
SHA512 6c6bcf755b35990170a9f04dbd610e4dbcaeb077c24143e35e16bd461f5e562ffdf4f7366c7bc26e8b4a881bd51717e6f6ea0b9dfb9e1da659e91b1a5e5a89b9
-
Filesize
1.2MB
MD5 cae4f718f7f38e23c6137b0eeaef0fc7
SHA1 b24a2d22d4876c8de04b360d2bbd1ca295b75cd0
SHA256 c7c7101707a28ad6ab4aff286d39310c337a0ba80bdd7d61743ca8fdd38b40ae
SHA512 2852478f8433f364ed99fc98dca5a7fedfc9eb22575acfd982959698efc5b129f86083ade2ecfb1c613b2879f2917e5d4f4af9001f7ff340ee535031233a02e2
-
Filesize
1.2MB
MD5 e3831802643fef840d0fca7f25c06745
SHA1 914df57ec42035cfefad5a39843e1d4986d44538
SHA256 aa59a8d5f1681d91ed2e3c9ed0b549ab00218e9a74e6006e6f864f3b216e1232
SHA512 20cd3e0f030ce1e12082e0251750a825b23a5023712e9e51ff416fb07dfd2e72831691df70e5a34102fbe6fde2580fb75253fa06bad942c01776230ea3ac45a5
-
Filesize
1.3MB
MD5 655bf5a50d9b014e513dd08591376ce2
SHA1 9243f99eabaa45d82a0608b925e1e038506e765a
SHA256 f13e95de368276b78aa575915b2de3326f06dc3f7dad8aa3cb02712c348552f3
SHA512 b2c0fb19682bff11d8abaa25dd3fd8ece02fbb0c81d62227cd9ad50906f8a89bb178da87a86a653aa9b875ed73ebbc4a6650aeb6eef69545e12e01e78d13ab6f
-
Filesize
1.2MB
MD5 408d80d47e7353de8328954c379749a2
SHA1 3e2078eb8d442131529364e3746bb8978118c0aa
SHA256 edad381f4112f4465afa9f5a7ded4712a35fc486e37e8c9a3275dfb21e80ab37
SHA512 99ebaf3efe6b899dd72e5acb36c11d7788f7b6a17a6629cbfe29a89cffccf89d91bf3d5884a0bdd66715582d320f76f8ac312a78edc66401ddcad0fbd8511cd1
-
Filesize
1.2MB
MD5 9cc699dd15341b5cc50c6acf54c88bf5
SHA1 be1a2e2573e0e33de3360756d3c54371ccc4e0dd
SHA256 3f4c06b6ff4aaca6c2b04184a1cd1186c9b3698b5a05a93256934c3a50a58c01
SHA512 2298777cb8970f8ee93d78a7948a57b082f2a8a7774b891e1fbc477f5b0d20fd610159f38bfeecbd73ef5f440857f5cec5d2eea034a9215e725fe60e1c0e659c
-
Filesize
1.3MB
MD5 dfe01277f6f5e4d9e2e465e7c92bf39b
SHA1 21df1c385f7aca470bdae3ac8eb0e40bc7244b23
SHA256 78bb3cd591bcd6dda96227291d7d5bc6c1902f8026a130ef10e0fa4293300559
SHA512 4c651b9f70bbbdc9d91eeef08371f5df67292f350baeb9106a09fbc37bdebffd8e5181a7657dc5c7810f551b3e973512f01d3c91969a81a221d86fec61088540
-
Filesize
1.5MB
MD5 34a3695c2f134159c3914177fd1253dc
SHA1 137976c35d39394df9bc881c16d051cbed3693d6
SHA256 8d76a750781169aa1448927cf7dfa492222d26395b31dc25de7eb05114f39d26
SHA512 0af60ccfda30da1a2d92cfe5fce7d1405db7b08f6dcc3c27f2ad274404624f8bcc8ec516cad5c58ff5658330674b0743fcda6cb3ebd50009fd724c7994a835c7
-
Filesize
1.6MB
MD5 b6e6c82ab4f8270167a7410f5a89d731
SHA1 b2fc73b9846aa95b7e323398e38d80c39d567dbd
SHA256 75c63ef64faac8d1b630591ef2abf67bef73169716c84f77c28771c22e47351e
SHA512 90466f44a3a553ac015365e8b77621b7ab022ac0d7032ac037d4ab222eb7aded6006bd06dbf5cd7ea7fdc8832f0ac693edbc3b337062b3548b7cdc9c2a2bf6b5
-
Filesize
1.5MB
MD5 13c7c5ce32bf8b5853489abe73f1f879
SHA1 4c6a13d9a9ac579f555d7404340cb09fb723d239
SHA256 982d8f8c029ab7498a2ee9ef3d55618efa6996844f0ddf7851762793d1752ab8
SHA512 0da4b67adb88cedeb722a3213a48c18132a913fa07a833312dd0c45aac36c634eac42f107609dc2830795df81c3e6e8b6256615d9fed54eeee97bceb4ffb0b84
-
Filesize
1.3MB
MD5 ea1a0189586b2f2fba9f43cb58fbee1d
SHA1 1669afe452f86ac524482cd2ec51af965238cbe8
SHA256 3ebcd2f6474f281690212f008e57870d89d5e367b09e6281ef67638ddd46b21e
SHA512 3dd8c33995e6431f52ebb71dca3ce0bdb717d910e940e23181e334c3f798eca534576616674bde34329a80bce6c1ffa842fb976d072fe23f1327d8826ef3274e
-
Filesize
1.2MB
MD5 7907175f7ed8490361423db5a4b17d0c
SHA1 4768ae8186b84ab7eeb5b3907c6e06d6e35e68d5
SHA256 7a2bdb325c73eb24c1c07df025b8a89cf8a21aa045af8b208cfcaeb0dc23ed0d
SHA512 71c2071746b91b7d4d404132c675b4a9c99553a3c681558b7b8109cef9dfb7dd2a25c3d16c78b0fec2979428a937f3d913bf29ff4e1c2ebbac70dbaabd94a52f
-
Filesize
1.7MB
MD5 7354f0483f4c1cc38ad6e7904ba165c2
SHA1 74c7e96dc20a4e6d66cef48d7619bc7f77704783
SHA256 b8860a7192007ca04edcf2c9fafcea416c83a407fd5b8e16e67b39d1d0f92a5f
SHA512 777dbeeee9fe6288eb22b6743258392d56bf85169a676497d78e918b540deee02af9220eead316bccc33bc01519d165679aa1316e9207b28d07a802e39e7be82
-
Filesize
1.3MB
MD5 18e39ac229115315fe59c0cf3b5946a4
SHA1 f5ee1a858ac09f1595c913f7bee8e44f81cfd5e8
SHA256 81afe149b7492ff18a290a01f377b622a174a9721e9e9f2373ddb533173754bb
SHA512 b3d6ce0aab13d7dcb905b365ac77fe77f973a05ee24febcc887e88906942832bca204ccc373c21deb47f8ba4344befff97949ee5556dba59d41e53500bfd3b04
-
Filesize
1.2MB
MD5 f899586d0f061b4d966812dd573cc52a
SHA1 46ecad0bda028c832b585bf61388e42c29d7b076
SHA256 6061645a6d470660d184a2664882eb7ea5acefbc136db1f178d80eb2ac2c16b7
SHA512 32ae148bf32fd3fdf691986fe76671b61b8025631c199cbe1a8875f3006ceee64eeb5a03e47c91f8743cc471ba73fa6096e2b82281cc03b222ab38bafd49fb91
-
Filesize
1.2MB
MD5 a338a4eafb8a13ea6505415088678c19
SHA1 209dba53da52164e2021410e0aba20402d3183ec
SHA256 33d536c50c5cbc0a4724231a9a7f8c8fc80bf467ec53193668016b6112461714
SHA512 28a232ebf041e0f880405c112a4e27febb67707a75fb8a5236e6444a9903aff2aaf73c5ede7eb3fdfe5ecc2f2713ae52aa3b57a76c83170efdacc4e3270d3992
-
Filesize
1.5MB
MD5 3d48a2d9d4ad65c74f68e0284b193863
SHA1 9190b527ce11e697ccf71e6ee327325a4a0b71d7
SHA256 9448f484e9f5991b21df557e6499cbd06d25524f4c2d5daf57fb5893cef654fd
SHA512 d002b570a9c717fd76185d6ec174b5437af4bd9c290437a338c1c2ec141435e2ebc7e0b40f85bde092e1a259849c8dba084be782c4d7b07ecba7648b0056eeb0
-
Filesize
1.3MB
MD5 60e6719f622c8931b01d0e08b7f99710
SHA1 465b4abd8d9d4fa9ac75760eed954208409344c7
SHA256 f1a17eae1b22aa63b427f072fef003da7eab985ce5b82033246cd934b76a9c9f
SHA512 8d15af5901ce781459ffe08e32588ffe5a92af582aff867734737d3780d575f0f6ff2947c7bd893bfd965aff5d051a655bcc7a338790c6eb0cfa46bcecd994d1
-
Filesize
1.4MB
MD5 c90d5ba7b6282a25abf2d945d893b4db
SHA1 83185b190025b520de6bb1677bf29bb657f3cbfc
SHA256 aa0f9ab56e81eb64485951c400a630cf1195dbb4015d70d89306cfc19e822efd
SHA512 f0da167e430b7bce9a41dd738ea49d1c75864dc114957a8ac12428234532cebef470c49613ddc0e1d327c9c5bcfbdf4a85d19a01e649ef3abf24f5e4f3b79115
-
Filesize
1.8MB
MD5 0c57d75cc1e63c8e6a15197aa26f3824
SHA1 c860825b0369cb74d9acd4acdf2ac7ace09dd420
SHA256 5a50e553889630d767f15d7b4a7a03f194148148490b029f70e165920efa0da6
SHA512 9115fd1a494fd74a17506938e21643a7f012e098546e4b3a0ddb7e81b12522ae32ad1dd071ee71728b7a082946cdc5a98c75e1639b56a87e1d5948a54b9a6eae
-
Filesize
1.4MB
MD5 8dba428f9a775b4d1a04ff4c5aab9fe0
SHA1 0e12f2d9b58b2408932e36f8ccc0e1bb4950584a
SHA256 93960a32a8c5691e4313ca04bf4e5da22e1be680f2d9d9454c9975b1c12b15fe
SHA512 c0cbaacd54c4ab36576f00594f15ef16c71cf5497000cae43a149153e2f461c780e1f0486bf54d03a26e6344781c15491ec560714553c868adda6163688d1351
-
Filesize
1.5MB
MD5 5240b6b49c7538016899597beeddf99c
SHA1 a3fd1259ab6999d84e668aacf69a7f660756c592
SHA256 e94ed60c76979b175bbb3a815473c5b47151b3882c45f1d924fd60df8591bfe6
SHA512 e47a652c56ef8815c2dc8b8070894135d1df8d4ea824c26af39399a10fc68060a705e5c9b4cf0e2c4178829aaf3be40e3d9095b16ce80e76708f9ab70f2aae27
-
Filesize
2.0MB
MD5 4be7b532b4e8d071c822ed8e91a56406
SHA1 037ec56cddc68cace366288924da1bbd479751f3
SHA256 29de1a4193dfb0f9eba3565cdbdfed4bc6f3a939fcfebf343b2ab9eb96e404ba
SHA512 8bc20f8765d74b6804122b8c895a9f3bc58ceeaf3c59fc78ac8063cf40b9c31d1a0334cecc71c92540a0f2752b53cd8bb964f467b541d1acde24c521effa8bec
-
Filesize
1.3MB
MD5 c2f13d40c6df5e7a277a8f5948f35a05
SHA1 0a3318e0ff38a5e7f2a6fd52cb177fe1884cefc5
SHA256 4483bdb7cb9215ebfc21a9dea6051f2aacde780623cfaa6764da6d7363fb65ac
SHA512 9d7610ccc13523969f33b5ef45e22e95c72718c0cf590ac9d2188c2a1c7d5030f61b4629cf4b014f05dd62582e19b4821790341f5eb989c0ee09942a620f6d70
-
Filesize
1.3MB
MD5 abe75d1c367a4cbd7e978c13f1fa7688
SHA1 a1f65cc78223948e6da05b8ae6334fd1dd056a32
SHA256 4637e5715e055de453d880d633b6f54dd58204e34a3e49f1aca26e5c104ad113
SHA512 9495ecc71218158f1ab39eb1fdee83e927635324177041fc35c9e995aeac3f8026f71f893e7c416f87dfe6ae93c574fd12a649cea106dae8cecc96f0281832bd
-
Filesize
1.2MB
MD5 daddcf3e80cc067aaa096390b0453e39
SHA1 9bf4827aea86e2b7976d813a15e017c0a0686d4d
SHA256 d610fc1bcfb0eb96d3b23092a54f7d9b5ea1e9d3f244e714676f5c4d8b1af7f7
SHA512 6cfdd52e7893fa0e8d1dfea5a4cd0cd51160ae19c3c6aba935e6588c118cc1c4c4d5823263ffb760861533a641a0825826b7dffa375ad92a3c3af8f33f78fdd6
-
Filesize
1.3MB
MD5 416755b84e900519e78ab740c78ee6d2
SHA1 40b70b2978ab3b23f3d9b7f1ac17578f461a9de8
SHA256 0a4181f739d133c744d70614eeb7727a0d2326d3255a3be8b219447757f0317f
SHA512 6b9ccb5e9b2f332f9130c284cc16d958477d0720d74eed7ff5391226f4f1b37f6e28d119081f7d5f7afcef908fd4c2dd43e8e626dc6ca85a4c1b18943c96ad56
-
Filesize
1.4MB
MD5 c26390c4d75a8c491aa41baea98a1254
SHA1 bede5b3de05daf853e6788376cb2c020b27101c0
SHA256 3f69b24bb90740412ae37e84220cb910f0d8da5ff07e64c89712b800c1f235e0
SHA512 20428ceed51ce9208cfbc534e432b6e5b04349c37e31f869f004980506a90b68e12c6bd7915793c60e3bccd6b0fa6f974ec84babf8374865d325f90f5b52da04
-
Filesize
2.1MB
MD5 916d203e4ae79f2794fe825b5fcc2852
SHA1 d931cb825a5a32379c643424f3ab769d196482b4
SHA256 226e696edddce374ff52301aa16cc7a4be66ac34813be31679d62803943a7ea5
SHA512 86e85b095e39dfe03663391a421690b6b92f87ab20a45be3d583350d691b2f36fb55f733eca886ba1f2e57c8a7bdd8e056062aabfe7f8989cc985c33b711a32c
-
Filesize
1.3MB
MD5 fcc1ebed7870394fd912aa5acd900bcc
SHA1 f782c63a82925cd432fc1135355d2b487e49ebfc
SHA256 090c9d60cfa82c4b7e59ba1a0ea661a76ee4a7f4b8a6c7f5b2aa9f932d7c1cc9
SHA512 7dfd3f0b59587c3813f8a49e68c686e49eab7f5acc833d1c0a37ad32894bd44e4a50cca89e6073efe91cea2f8de5f8f2fcbddf32fd7e5541efae1ec955dcc160
-
Filesize
1.5MB
MD5 4ab9462c6ffa175bb837e9c2202d3ada
SHA1 25b3452bf18404ea571810a02b8b4358af03b88c
SHA256 bb3b4a8ccf8a42c1c6ed7fc65868cda6fbf65940df040dd2f58cbade97dd21b9
SHA512 3c921a6d00a76eb0bd7a6c91bd8c4b5cf283df32c41c8edaf00a3143b9dbeae8c70427b9dbad229a38cb19fed511827bde99539c2f00bb4f38940280678fae31
-
Filesize
1.2MB
MD5 3498a412ec8c342d0c3c282d11774c59
SHA1 7f8891a1fcdfd9982bf28a6467026c23b24d5f69
SHA256 9ca05edf66417cbe63fce2c06d58002bfcecbbe88bbdb961b9f3c69b8cf988d1
SHA512 0f4773bb6d7a6eef8dfa8bce54ffb80341fc29b72f4ba1301b3d3974d4dccce5e96ca52dd54002cc6f302449bebfa305c69fc0b952957951d66d8e18cb71217d