Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 09:29

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
Resource: win7-20240215-en
General

Target: 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
Size: 712KB
MD5: 1fad7077c387195f4a558e150a00f8b8
SHA1: 511acdb4068c2cd12553e66e39e4c20f430c5d9a
SHA256: 8b65d3efdb2ec34b98227a0d73088d807743c27dbdf1ca986c3aa269b3bff2bf
SHA512: 5f439a27c7b09e648d250dd0f03b6f72c35b2e5d617868d890ea0a721c9c82b6d4991949ecb33165130dce92bfa95a5a91670dc619cf73a5929b97cdc3890f74
SSDEEP: 12288:1tOw6Ba7FCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMki:/6Bg8NDFKYmKOF0zr31JwAlcR3QC0OXn
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
None of these is a newly written file. They are existing Windows and third-party service binaries under System32 and Program Files; the file signatures below show the sample, and then the already-modified alg.exe, opening such binaries for modification, which is why the sandbox counts them as dropped, and each execution listed here is the modified image being run.
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe

pid | process
4860 | alg.exe
1204 | DiagnosticsHub.StandardCollector.Service.exe
716 | fxssvc.exe
1824 | elevation_service.exe
2720 | elevation_service.exe
3980 | maintenanceservice.exe
1620 | msdtc.exe
4388 | OSE.EXE
1908 | PerceptionSimulationService.exe
2424 | perfhost.exe
3480 | locator.exe
4520 | SensorDataService.exe
4584 | snmptrap.exe
4364 | spectrum.exe
3428 | ssh-agent.exe
4888 | TieringEngineService.exe
4548 | AgentService.exe
1412 | vds.exe
544 | vssvc.exe
4276 | wbengine.exe
3996 | WmiApSrv.exe
5080 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Processes: 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe, alg.exe, msdtc.exe

description | ioc | process
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\2d6ba247b4b1389a.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
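The "Executes dropped EXE" and "Drops file in System32 directory" signatures above are raw sandbox rows. The script below is an added example, not part of this report or of any tooling behind it: it parses rows in that flattened form and derives the infection chain they imply, namely which service binaries the sample itself modified, which of those went on to modify further binaries, and which modified images later executed. The ten file rows and five PID pairs embedded in it are copied from this report; the subset, the "generation" labels and the helper names are the example's own.

```python
"""Reconstruct flattened sandbox IoC rows and derive the infection chain.
Added example; not part of the sandbox report."""
import re
from collections import defaultdict

SAMPLE = "2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe"

# Constructed input: ten rows copied from the report's "Drops file in System32
# directory" signature, one row per line as the report flattens them.
SYSTEM32_ROWS = rf"""
File opened for modification C:\Windows\System32\alg.exe {SAMPLE}
File opened for modification C:\Windows\System32\msdtc.exe {SAMPLE}
File opened for modification C:\Windows\System32\SensorDataService.exe {SAMPLE}
File opened for modification C:\Windows\System32\SensorDataService.exe alg.exe
File opened for modification C:\Windows\system32\fxssvc.exe {SAMPLE}
File opened for modification C:\Windows\system32\fxssvc.exe alg.exe
File opened for modification C:\Windows\system32\SgrmBroker.exe alg.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\2d6ba247b4b1389a.bin alg.exe
File opened for modification C:\Windows\SysWow64\perfhost.exe {SAMPLE}
"""

# Constructed input: five "pid process" pairs from the report's "Executes
# dropped EXE" signature, flattened onto one line as in the report.
EXEC_ROWS = "4860 alg.exe 716 fxssvc.exe 1620 msdtc.exe 2424 perfhost.exe 4520 SensorDataService.exe"

# "<description> <path> <process>": the path may contain spaces, the process
# name may not, so the greedy group backtracks to the last space.
FILE_ROW = re.compile(r"^File opened for modification (?P<path>.+) (?P<proc>\S+)$")


def is_exe(path):
    return path.lower().endswith(".exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_file_rows(text):
    """Return (path, writing process) tuples; reject rows that do not fit."""
    rows = []
    for line in text.strip().splitlines():
        m = FILE_ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append((m["path"], m["proc"]))
    return rows


def parse_exec_rows(text):
    """Return (pid, image name) tuples from a flattened 'pid process' list."""
    return [(int(pid), name) for pid, name in re.findall(r"(\d+)\s+(\S+)", text)]


def infection_chain(file_rows, exec_rows, sample):
    """Classify modified files by which generation of the infection wrote them."""
    writers = defaultdict(set)  # writing process -> paths it modified
    for path, proc in file_rows:
        writers[proc.lower()].add(path)
    executed = {name.lower() for _, name in exec_rows}
    modified_exe = {basename(p) for p, _ in file_rows if is_exe(p)}
    first_gen = {basename(p) for p in writers[sample.lower()] if is_exe(p)}
    # A second-generation writer is an image the sample modified that then
    # wrote files itself. Only .exe targets count as further spread: a
    # modified service writing its own log (MSDTC.LOG) is not propagation.
    second_gen_writers = {w for w in writers if w != sample.lower() and w in first_gen}
    second_gen = {basename(p) for w in second_gen_writers for p in writers[w] if is_exe(p)}
    return {
        "first_generation": first_gen,
        "second_generation_writers": second_gen_writers,
        "second_generation": second_gen,
        "modified_then_executed": modified_exe & executed,
        "non_pe_artifacts": sorted(p for p, _ in file_rows if not is_exe(p)),
    }


if __name__ == "__main__":
    chain = infection_chain(parse_file_rows(SYSTEM32_ROWS), parse_exec_rows(EXEC_ROWS), SAMPLE)
    for key, value in chain.items():
        print(f"{key}: {sorted(value)}")
```

On the embedded subset the chain comes out as sample -> alg.exe -> {SensorDataService.exe, fxssvc.exe, SgrmBroker.exe}, with msdtc.exe modified but only writing its own log, and the non-PE entry 2d6ba247b4b1389a.bin under the system profile left in a separate bucket for manual review. Run it against the full 31-row table above to get the complete list of System32 images to restore from known-good media.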
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe, 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe

description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
Drops file in Windows directory (3 IoCs)
Processes: 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe, msdtc.exe, alg.exe

description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. The device identifiers below (CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM, CdRom&Ven_Msft&Prod_Virtual_DVD-ROM) are exactly the strings such a check looks for, since they identify a QEMU-backed virtual machine. Note, however, that the reading processes are spectrum.exe and SensorDataService.exe, both Windows service binaries the sample opened for modification (see the System32 signature above); device enumeration during service start-up can produce the same reads, so this signature on its own does not show that the injected code performs the check.
Processes: spectrum.exe, SensorDataService.exe
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted below).

description | ioc | process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. As with the SCSI reads above, the reading process here is TieringEngineService.exe, a Windows service binary the sample opened for modification, so the read cannot be attributed to the injected code from this signature alone.
Processes: TieringEngineService.exe

description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
The writers here are SearchProtocolHost.exe and SearchFilterHost.exe, the worker processes of Windows Search, and fxssvc.exe, the fax service (one of the modified binaries). The keys are MuiCache strings, FileExts\OpenWithList entries and Shell Extensions cache stamps under the .DEFAULT hive, which is the indexer populating the system profile after SearchIndexer.exe (PID 5080, modified by the sample) started. Most of this is ordinary indexer activity running from the modified services rather than configuration or persistence written by the sample.
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
All keys are under \REGISTRY\USER\.DEFAULT\ (prefix omitted below).

description | ioc | process
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099af3ba398b5da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d320aea398b5da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022e793a398b5da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001c797a498b5da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | Software | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | SOFTWARE | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e109f8a398b5da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Key created | SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ef8c5a398b5da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078c24ea398b5da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList |
SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010e874a398b5da01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
pid process
4404 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe (this entry is repeated 35 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 660 660 -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 4404 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe
Token: SeAuditPrivilege 716 fxssvc.exe
Token: SeRestorePrivilege 4888 TieringEngineService.exe
Token: SeManageVolumePrivilege 4888 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4548 AgentService.exe
Token: SeBackupPrivilege 544 vssvc.exe
Token: SeRestorePrivilege 544 vssvc.exe
Token: SeAuditPrivilege 544 vssvc.exe
Token: SeBackupPrivilege 4276 wbengine.exe
Token: SeRestorePrivilege 4276 wbengine.exe
Token: SeSecurityPrivilege 4276 wbengine.exe
Token: 33 5080 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5080 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5080 SearchIndexer.exe (repeated 24 times)
Token: SeDebugPrivilege 4404 2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe (repeated 5 times)
Token: SeDebugPrivilege 4860 alg.exe (repeated 3 times)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 5080 wrote to memory of 1064 5080 SearchIndexer.exe SearchProtocolHost.exe (repeated 2 times)
PID 5080 wrote to memory of 4420 5080 SearchIndexer.exe SearchFilterHost.exe (repeated 2 times)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_1fad7077c387195f4a558e150a00f8b8_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404
-
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:1204
-
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1796
-
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:716
-
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:1824
-
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2720
-
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3980
-
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1620
-
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4388
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1908
-
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2424
-
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3480
-
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4520
-
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4584
-
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4364
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3428
-
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2052
-
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4548
-
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1412
-
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:544
-
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4276
-
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3996
-
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
  child of PID 5080: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:1064
  child of PID 5080: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:4420
-
Network
MITRE ATT&CK Enterprise v15
Downloads