Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 09:37

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe
Resource: win7-20240221-en

General

Target: 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe
Size: 712KB
MD5: 6e80d0f86ed7c92693a4b2ab9c4d621d
SHA1: 36d562a3855059aff1f044b50c3866d60218f620
SHA256: 3d2bcc511c5ace5c7f69605067a0d894f7f02990fec31850df5598e173abca82
SHA512: 6c4cd245ccd0188c59520c9fd02df39bee0eaa714034b70d9955c489761ada563cb6945402f6b7147148dddc0c6b4d8643081a1b9b146b546b518fdb3bdc4f7b
SSDEEP: 12288:vtOw6Bao6JvY67VMBNO/aXpXI22+VufvdIOKek1h4TA8bXQJYe:F6BL6J17W8CX32+KJNA80T
Malware Config

Signatures
Executes dropped EXE 22 IoCs
Processes (pid | process):
3032 | alg.exe
4508 | DiagnosticsHub.StandardCollector.Service.exe
5024 | fxssvc.exe
2904 | elevation_service.exe
5088 | elevation_service.exe
1984 | maintenanceservice.exe
4308 | msdtc.exe
2860 | OSE.EXE
2912 | PerceptionSimulationService.exe
2388 | perfhost.exe
4264 | locator.exe
2436 | SensorDataService.exe
4752 | snmptrap.exe
4424 | spectrum.exe
4496 | ssh-agent.exe
1464 | TieringEngineService.exe
2220 | AgentService.exe
1124 | vds.exe
2812 | vssvc.exe
1828 | wbengine.exe
1088 | WmiApSrv.exe
4652 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
Processes (description | ioc | process):
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exepid process 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 
2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 660 660 -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exedescription pid process Token: SeTakeOwnershipPrivilege 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe Token: SeAuditPrivilege 5024 fxssvc.exe Token: SeRestorePrivilege 1464 TieringEngineService.exe Token: SeManageVolumePrivilege 1464 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 2220 AgentService.exe Token: SeBackupPrivilege 2812 vssvc.exe Token: SeRestorePrivilege 2812 vssvc.exe Token: SeAuditPrivilege 2812 vssvc.exe Token: SeBackupPrivilege 1828 wbengine.exe Token: SeRestorePrivilege 1828 wbengine.exe Token: SeSecurityPrivilege 1828 wbengine.exe Token: 33 4652 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: 
SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4652 SearchIndexer.exe Token: SeDebugPrivilege 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe Token: SeDebugPrivilege 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe Token: SeDebugPrivilege 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe Token: SeDebugPrivilege 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe Token: SeDebugPrivilege 3660 2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe Token: SeDebugPrivilege 3032 alg.exe Token: SeDebugPrivilege 3032 alg.exe Token: SeDebugPrivilege 3032 alg.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exedescription pid process target process PID 4652 wrote to memory of 3684 4652 SearchIndexer.exe SearchProtocolHost.exe PID 4652 wrote to memory of 3684 4652 SearchIndexer.exe SearchProtocolHost.exe PID 4652 wrote to memory of 2816 4652 SearchIndexer.exe SearchFilterHost.exe PID 4652 wrote to memory of 2816 4652 SearchIndexer.exe SearchFilterHost.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-03_6e80d0f86ed7c92693a4b2ab9c4d621d_bkransomware.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:4508
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1176
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2904
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:5088
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1984
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4308
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2860
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:2912
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2388
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4264
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2436
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4752
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4424
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:3440
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1464
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:1124
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1828
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1088
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3684 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:2816
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5514457d1f694305a8015203c4f9eabd1
SHA1674a771baa5772072c171fb7dab3b71b5cc19616
SHA256be39e39779cf63cc08c80c8711c571e8b93600fa453f14c7ae59e243de0ba075
SHA512ceb855727deab76f954c726b04dabd4f83aebce488e3f27e9892d814b8bf6bb4526aff9772630ff99a7d45e1d3751f896607b565bd3744d06d499de33867f1ae
-
Filesize
797KB
MD5981b93a83256867a340643125d3c1a94
SHA1f8f972b0a41fce6e8a577704daf603d7803a97eb
SHA2567356ed066de76e990854252b1b578438381ea3e976d3588c5516d7b49e7ed0b7
SHA512af9f4242691809c5f93205ef337225bf41ddc31f2b9af089d217d586eb7a8bb1d360410dce5dc315fca976b396ca893954fb19ad92c807fac0aa1c8161f39cf9
-
Filesize
1.1MB
MD54dfb844d31311e58dded092acda5bed1
SHA103c3cbc4de8b34f71b15e27e3e07a79171da47a2
SHA2566e029d42e4d436ebce36d8ff2b4827285e7df46ffcdb949936d721fb4db84334
SHA512341378759a885cbb78ace58331890b64554fe5c777f099686dc8b0e084c2edc6a28ea577bf9cc720d349771d07692a56848786b5d8ebfbb4b0748f4a457b103d
-
Filesize
1.5MB
MD59e391d401b59621b8b4d77cd404d7ff9
SHA19cbc482dac1a5d9fc3b8b48392f10ca606d745a1
SHA256fd932dc6ac23115627d15da23dbf02dbd98f4ba41f1feab920ac9b783ab3727f
SHA51252379d704d7286a8493ac2d53ca4a9864751ae722ab90566a0db9dad17fa12c7a0c276a2f4b63e03fb5a2c6ff6913544c1148f0c5f1ac2c22415e57d481c3b9c
-
Filesize
1.2MB
MD5a2759694ee620e404e918355441b1413
SHA1965aecb4978ac55bca4131cda6a76c5bc88bf156
SHA256a6fef90c8410c976c0dc1f983e1d9a999c43e9a8ad70bb8a82d70de81fb27a4e
SHA5128846da5d5f9e144fc9f2f3ad2709cb2cae6e2e44e2a7cad90209d495da3e2fb1b9e362fcd9353f8dbdfadaf81a048b0111e1e4bdb168c95e31e3ce390339f41b
-
Filesize
582KB
MD58c475618c6b91b917250c7ff00d0dbc0
SHA1585e42b45c1de1868c4a51656c82a9a9a01caa1a
SHA25698ae69890e0cdb545086e95c8dcb08d696eff3ab901ed306d9a309fa7d915eb4
SHA512b71094890d920216617f4f7a3dacfcffca62bfb7573185f4b80fdceb628222deff295728bee6ed71d3c923cdf7e894ca160d30c7950b6191724c51680dd6a7ad
-
Filesize
840KB
MD53190d7eee5ba39533208429b287e4d50
SHA1faef7a6f7a1a77b349b7182f919ae38a2072d339
SHA256e62ba2906d06a4e8e1bbfa2b116f6ce612b9c0fc41ca28f51ca0dbb06dd1972e
SHA5125f7d7c043f0e976c72d6d6e8500cd3549d9def1ca2ac1fc43490d2457a5b2bd3f51920df687b8bfd7a5d5c09d7e5ce5034d7125ce5bf5473535486014bd2190d
-
Filesize
4.6MB
MD5d9b0178c2a140ff777a642231135e62d
SHA1b24b1b7530fd3815034b7491e507182832e259b6
SHA2563fe8603e8e55e76db32c8bafc0ee582bda6069d90d666fdecadea55e63cb74f6
SHA51234366132e9a5329fb47f18c216434128bd4f99aefccddc02686a54a06d7bb76a222f87fa01b1be93ec7639e7c364db41c1a4c5cb63e235c186538ad94379e0ea
-
Filesize
910KB
MD58db3bfa221b51655747b6064a4315f1e
SHA159233dc9a40c9c86d256edae282b5548c06f9b58
SHA2562d887ca37c799c5b512f6dbecc9e1e61122dafba346ffd8a0208af4a7d634c74
SHA5124e9a893906893216e62ab3f56212be8807cde413e2c9af3103501bc0f6c7d8a2082689ba10b0759bdffd9698e7af275db1babc01dd23f6341ec50944e373228b
-
Filesize
24.0MB
MD58a6f5101b5e49972293d8060b30b614d
SHA125635b9cab931bda89ea5da0bc105433715ba6ec
SHA2561334fa7a6c9267b387f3f9afa5f2e2a214f841020f21ae7873f812eea8adea44
SHA512fcef91c11fa9676f0ec070b5496823cb3ef40f39a527e39d76d81edd549161e85c0a41538d0c5b9dc6973bd84308000811ccd49fbd03a48375b78379f13cf244
-
Filesize
2.7MB
MD534dcb7b865b759a971b6261939687653
SHA1df61a4435f99a2209a336e0bb58beb87a30f6bcb
SHA256697a12f08da4a2ee2eb05cb24a06c87381efab3c8093afe8eae401df42b11162
SHA512426df87b933cb94182d9dce2e39f129556d9a57b83f9495333f1cbe79466fb0717d3b965d7b884f9038c9820c25295b68383318508e86d0069140f4de86f73d5
-
Filesize
1.1MB
MD5040dc588e024135f2d9a1e8ff3c3f42c
SHA1f2ca34dec7800112b76d5c63df4f34b2d84c1252
SHA256d3a9c2bf80ac9a2b99a3e921e3f72cb8295abdbcec23ca82c4339873355d69fb
SHA512c6338bc783438b0581f753dcebf5ac394fa3996d9ada444769c9c08f29f2c9aa2d3c757eae85478a9f04a205be8c9cb5e625d49b0ff692e6e9de84dd92e59dfe
-
Filesize
805KB
MD5a94d94cfebaa25e0a554a0d63432acc1
SHA1e104501ffb18d904e20174bfa53ccb90a149b664
SHA25661e43297f410c00944739d6df75f6035fb20b413713c7524b804b8e24e62a6ea
SHA512359d71bd594356777872e7e54ca2a572802d33a9ecc9c4edeb0af827275750b2f93ad2b0ae4cf3145e01e5d2d4a1badf1d0eb5f5f6f2d2c1c98111584522fb9e
-
Filesize
656KB
MD5663a329a5cfe380902f8ad1f58eef1e1
SHA1c84dc422782ec994e4ae1e588327a28a8026d8cb
SHA2561d9287652309c7776ea67413d3e7d510b6e8ace076050128b32f6d00b26294db
SHA5128c37629b49d5faac7ab099c6f1b429ed3bf79386d927ec8fa90701c529c1bb25176f0b5111e73a0dde5e1ab2fa64d78c20951e8b81a7f57e80c023ad61c0468e
-
Filesize
5.4MB
MD5a7dcb25b1d3d81677a2ed401436e1df7
SHA1838be24a95ac6052a48515127650f5fe34223519
SHA2565fdb2124136539bbceb592a327d8ed62bff10b91b9a8f027f4b229c0fe43e8d6
SHA512ce3f369a4f3a618da0e520c0840d6529c2602da45a5068e2fb022b94f6e8ba88fb1b7bf7ca2ff66a125414c8ebb7cf9a3fbecdacc25ffb7c099e08aa8b536134
-
Filesize
5.4MB
MD59d0c9d0c74afda9f2fdf7cfc5d2f78f9
SHA104765ef795a2fa42d8080690bbe9946d78c237ef
SHA256eacf2e8d4e9f26780668973d0cb9a170393e41186b9835333e76b667104f6368
SHA5127f588c9ff9f0a56f422f9e3c9b0ea0f7dd640a4013394fe5cb8f1ea2fd51e627a52027e0bad23209099c66dd0410cc8c1cdfbe5f33e73e957d59ff3464cfb297
-
Filesize
2.0MB
MD521febc2ce2747a1cebc9ecf2336e38d3
SHA1fe91f1f8a846626ce1d562e1e9e626765401ecaa
SHA256cdc495cc48a65bef2d3ee23bf76429fbbdac2d67df90c46ddb82e6a323e23f9b
SHA512d84f5d8b7e605d9217de8ada6ee980fcf1d08026553bb8e831bbfc7c0712e17484a57b83b14b924903323067b4a525c721369b2d24f183352726d814b2b93ca8
-
Filesize
2.2MB
MD5b10a54452de459ff6fe132908049c537
SHA18eab1a2f9f2b544ae22fd5024efc98498a13f836
SHA256fb82689c93da3648cdb3b41aa84331532631ee5cf230839eb9b3058c3a6a92aa
SHA5126b91fce7badacc0960dbf0592c03b7c711390d403820fd956f81ee8b128ebc005c32e62c83c2691e91c3c12a08e49226fc096fd814fa7feb06ee8dd5a2172e3a
-
Filesize
1.8MB
MD55a63255f538608188eec6f24418f5aac
SHA1edd743cac67eddc112395226d022e42e60c30676
SHA2560687023b8371e5244f25b6265c89aa065abb277109f1033b963cab354e4c961a
SHA5124ce5e7a3c513728a802c2d3cfb5f35b607493a1bf555db37928b73853214a9cadbd16c292729ed3ee5d03a8b0f1aca646a07d399c5370c4601a9f9dd80132d75
-
Filesize
1.7MB
MD5c53afa79bd919aa2db6b09db5b4e12c7
SHA125b17677c155ac3406b6635e39bb223a27d4049e
SHA256668a711716563d98aa84dc26a5bd7290fd09f03b39024cdde1e6b4ba95b81fc0
SHA5122330ecec3343a4f2f01df8f0aba1cfc2cb560208e5bdb25a408d5c4cf8854d3cd1fd0b63ad58464647e5e62e96f12c9fb8eeff059f845263a90ef741cfeb0026
-
Filesize
581KB
MD5975b91abc90b06843b7a3b5ce58a3062
SHA15a5cd178d70e778dbd87aeaaf4dd93fe20875f16
SHA25616e5c849ad855daa16d3e3f769517cd3fefeadcfc65e5f1622c2e82444802520
SHA5125c711ba1d167b5e9e654cdef80c900d4c0acfa8abd301131d4f48cd4c665c4251c0af76489ce07bb9888cc82ff94d95c04903a0e12c2cd64322e9b8a45e5e235
-
Filesize
581KB
MD5bf46a8d9d1770325f67bed9f3ea70bfc
SHA1b185e271d0c7bd3e6dba9d4373d773512140189e
SHA25666dcfb05a7ad46a0031fb2658f53208a87687f4114bd7a24252db197bd4f2431
SHA512a4e7c30fe3dca20181cc4f845ab52ebdf9311d84cdac7af0e2b047831a2182d638a390cc9ab6385409682849cd3ba35bb99834301d70840f2a00f979cbf02238
-
Filesize
581KB
MD554552c5dfe3550b131179d71bb772ee6
SHA16411e1f0287633c5bc75389600c46bc6a6e9fc34
SHA256dfb0179fea8baf9d12a33550d0ec427a0d3e590183047eca65ac0994e240b77d
SHA512734cfc4b30701885e1a322e6ce5584d97b947c01e80ebaad9ad875538a994ae04db8f14dc3e5bf4e5fe61642766efc5ab239271bf611e189e33ea81983cf6618
-
Filesize
601KB
MD5b25c9c8da90d9ab8b214411e5dc2c63a
SHA1b6afbfe7d7bb27535d87a7c524160a6e4f7a204a
SHA256051d0300ad384a7175d7f9bb0582fa8bfd5935322a219e2b3e939ad2822917a3
SHA512464475d4b73150a3bac28f21f85ba769bde343292cff41023eceeca72e54f47c685fd770208159ae4b45efd77f2e767d41f0a584c7b9d7ffc4cf0856dec257f5
-
Filesize
581KB
MD55094e69f04b79a7414ac96382ba8094a
SHA1f74167d3a5d465e02ff22760cb6856e102f0b4f0
SHA256111e47d948859e23e59fddfb180cc21de14006fe2849366b61dca593313e6f29
SHA5125eb297d5543c1acc2d0a3955b86931a87d700416ef14b2ffde81fd622f155931f17d2a25df87282a26a381480f8e5761a3a1f12984d294231517b76a84d07871
-
Filesize
581KB
MD50b0682e837b61de2a5699ec2bee2b0de
SHA1eca819ec7e4743c618f3ccddae16d3410fe480a9
SHA256e0d1e63d92377e809b60820161be8562ae030dd1d5578d18839d32602bcec2ad
SHA512e73e22c4f7faaa75f76a32259b7266d4c71c6cb7772914b3905814c2970e5c7e18607844b75f9f8406b04d5a1de8a1580ac88f3983fecc88637c998cf2c220c0
-
Filesize
581KB
MD5b9b986a9cd51326a7229fbcc1edf542c
SHA146cf1aacc20ff432dd1ac4f9e3bc6f309239f460
SHA256ed8da8738453509b3f47d3f654c8eb57ca14757d4fc1c716f4ebbb36892be7f6
SHA51253c633334721915039259b54b2e1cf4f41b2fb218de21feb4a72d79f89f3ed707b70f621ffc0d5085e86c40cc37e830fc2f20ac6d055235d1ca5468952357e34
-
Filesize
841KB
MD5b4e6ce607f397d17d13ee596fcb652fb
SHA13dad85b055c53d3699c7760a48b0e3ba76eb2cf9
SHA25602e65e869d3ca59fcb43fc01d7f2cd102e3cb7e6cfb72ae9e4f8bcee10610ff4
SHA5128ee6fc22b97e2c82a8a980cd4a34d879c9de333dab138ee1ac7dd0b488679b1692d569701ccd5d2984b63ad0b5fc020f8d8d027c065104312a3e61cff1190574
-
Filesize
581KB
MD59fce6659e3f5a2b7485ca83b8c39158d
SHA15524ecbbf8063499ce7a49555485a27057ffcc7a
SHA2569801fc9f0d06ba4857984450158c475090ed367f6b6394ba7f8c71591346626c
SHA5125ac88549985e62d7c58ee924ee293b17528f1249260dc153f68e995844740c45035b7da18eef40f5b2e27b87534037b017ce03c09ae37e623b0ed5f80f298dbf
-
Filesize
581KB
MD52399a84fa3443aa5dd353236def992f7
SHA152a0d6c49ce5ad4ecc516fe60078b206ba88a0a4
SHA25600e169324f090bb1c40d1a0aff8c1e4395dc1c7a090b8412269a67d92a50f3d7
SHA51205ac98eb85f499bf37356538c823d9a03e5737053f105c758951153b2f7c971a3f246781d2b0372276fa10831924fd56eb65d5c57a11f608b214b828efb868b8
-
Filesize
717KB
MD55215a8f599aa8ca0d67aa7227caed591
SHA16014dbd5ef58eb4349af3fc22823415a7c591d7f
SHA256d813a5b2cc86a452d814d70e60a2831409faac9f99d743897fe19487e80483de
SHA51207cac22e15e31d052908fd3c7149beec6140e78203dd84c2d05c18e8be59af799ccf2c61446229f9154d0a73f19d8c392091eb7d5c35486cf306448c37625e6d
-
Filesize
581KB
MD5dd1f71414cce7199d8882c60a85ef973
SHA184a28a01a8d89967ed1ff3b375fa093089e6c685
SHA2568988a801e6f47f5b5cbee9ff0ac057ba854b7029cd336672b7a5190668b8807c
SHA512e2422da3e85c0e91eb66a11cbe11a6629be1654c3ca48d78737e3854b9dc315f12ae7eb38188a3be8116ea49feaa1b1a88f57591e2e8e907887c0012cdd435fe
-
Filesize
581KB
MD5f2b5a129f122d9267098ba10afa34d78
SHA18dbe69578743a8022c67b32a0cd6cf1ba79ede9a
SHA256ab2db744e6fc946b7afd603822d76a6b4dcf0c3f9991d1e9443017a72d78ac43
SHA5121471dd4f976421a0b338371bfc3b63c511afcd3dfaba185988e5c18182f830ccb36c8ea30004326b90e23d6feaa58ddfd3577ef32acb1109f4e6973eaca90a00
-
Filesize
717KB
MD5d15580d92aac6b9dc5e06bce72d9eb4b
SHA1a390aa94298d474d8f62d5eadb058f0ce14dfa06
SHA256bb87437aa8fbd7f7df8a80e10f0f6112db3288cff34b3084a7d0ee0fb0a2506b
SHA5121959ef2fcfb8e711d09ab9fd4f9bbf8b4fca01685ddd3b78f734eac61bd1e4315259ccb09e5f9ec34aac944a1745e2ccd0c31fe3919f0622b98c67d1b2c74091
-
Filesize
841KB
MD5f352efee7d623a11bd9392c17c3b89e8
SHA1aa89ea18c89ca7164d01adb9d62378c0700a6fa8
SHA2569d688a99719a3a5824bbe1a8f1533ef5725f22b145fd483b6133182b37f78c11
SHA5129d04579ec90e7d06d04451ab750689a50ccdd807ba7cb9d3624140b1d8080281f944d91119d6501e35912842b4c94ee4759aeddc601c5b7e09ad6c4f02be9824
-
Filesize
1020KB
MD577133ed7cc1056127f023c82345cd4ff
SHA1cdd02c2d2f5b5f581c4f3778949a9df313aa38ad
SHA256b0be31a2f6acfe189492a984067c92796ede5bb317e5b2c9940f80271e9cea12
SHA5124017eaa23592586e5c35d3419caded99ef6d121e41d43f6c9dc6946b8114fbb64b9991a9d2426e580139d25976016f8a267d980c9a6a8003cda4eea879750d58
-
Filesize
1.5MB
MD5e11e2dbade9366d1587ec74ec1772234
SHA1e04ece526a7c17ee9c1315b46ca000a4b7a32942
SHA256c2780600c6629c7d0f0b116653880e7f5e3f5a3a222305c1856981ec5e32acf2
SHA512e7cfa7aa642ddae5aefdae98f4c8bd2204fdd1cb9c03840eec26342c7951254ac948b3bfd8148b62d0af4eaced2d447f227e630c414fc9acc1f524f61ea105b1
-
Filesize
701KB
MD5ccbd6cf06a7a7ece38997ade9adf8755
SHA17ddcb12de2f5e429a1637edcbb9e5e178b357777
SHA256e240549820b8581a5c0630850354553aa26e118c7aa0cb959c0526307c0f7127
SHA512f3048909f2b57f28bf5384d74c417bf388a2b7bec3aef84bb2199040fefb2aa78e30ca7cdea72a74f355e4fa0a6e6688ccc4feb8b23a2ddec7d4aecb5f7cee9b
-
Filesize
588KB
MD51fc72e591b63e14594011ffc7bcf169b
SHA1f7f78690de0beed405f1ec4ee1d8177af567289e
SHA256edfcf34278c18c12dffa24b6c61edb582aff78bcd6247771c97e93a61889213a
SHA512422a69d92a21f54f229d451081b6b7571ed3d8907aed57fe53ed7fa548fae23b768ca20bd88096bf95c955bd683dbce415fb5fe2b8798178beaad35da744148e
-
Filesize
1.7MB
MD5297dd129d638e604af9815acc5b66554
SHA1dbec086e35c5fdbb87c44e6206df3c0d49ecbee8
SHA2561af3db78a9c6ed6e47835fb488d1e5a781cd7a7b850969fc9c68b31a39c18179
SHA5123896c6cd0abfc877be3b3179105e8745bbb9c1e60bc105b0194f00bc62171f9fc567a98e066796be697e1aaae956dbec600a969910f645980a61d498156fcc7b
-
Filesize
659KB
MD5e391feec37fc432cfbe5737c4c19cb56
SHA1ef6964b739136968b09d8ead3420d478927f7182
SHA256c4f3fbfb8e813a2b35327a5d3e4ded25801ee1d25f6477156860e1ee694cd69a
SHA51228c30434c733e34423f20679224248b079b226e1b8fdf6131747b2f276ea8af4fe89d16251c9b9c35ada09d5c9705eac997a6cfc9a5cb3657ade426c17d44f2c
-
Filesize
1.2MB
MD578a86730d953f9af89c6d55d6b8def87
SHA1d444349fa31358d535a2247e9bf9dd5443de7923
SHA2561ce92bdbf7e20a32068f0db44dbb54d0814d38a671b9a9b607fc97d9e003f9ee
SHA51215d0a1156029d1e70018a6b0ae6e9a0511fa31eeb45351532811aa8ad1306878432c742fdd0d7f11d689751bdcadc0768861eb6d0c3f9c108b160d42cea2bcfd
-
Filesize
578KB
MD503c8e78742def565eb1135879cae51ec
SHA169b4d4f1cb97ecca403eda8ecb65ec7157b18902
SHA256d3957779144d361c9a32639d4a3cf691d5c488a586f8446418bc26ec603b865e
SHA51284f82baff0ea21b3d6a91f5dd944a313704313f162a52b3bcdaa13807ae97efcfb8f7f30cc6d63a7b3a7312a04178d58c95f2a8abaf4d196e1052bbb8ffd2754
-
Filesize
940KB
MD5c0f7fc10eb13c98f12d920acaf36f2b3
SHA1fc74393e61b0fb936e5df0c94aa7ece7b5235404
SHA2568f41739d27fa31aa374469de348da671539aa96e7a2b44a7177046eff2f3eb37
SHA512d7082aad4b559f1ad4f0d32805196ecb1956e91387367ac9b74f16211eea4d91708f5bfc411886d78cc85fc855c8fb1ad7bca316d5ac54731e71b7e7ed32bde1
-
Filesize
671KB
MD5fd3399af43fa1fa9603cf9ebcc701036
SHA1616d2dfdcbff181ff88f15cf1feac940e1e10598
SHA256e99756cc778ed7ae5e596f727a7b6a2d116ba6f4ea25b7044a954e52bc6d7bcb
SHA512729cf830415ccd4e474467c39ee3c537dcff45c77af52f0cf4567cd7a92bd68a014ffbc5c3c6e0880d8562cdd026884d3f45fd7e629cbe18b3ead2084e0f5329
-
Filesize
1.4MB
MD535edbad2fba52b77b994e041acb90e17
SHA1aca649f5d56232ed498ff4f94286b7f7cdb3edd9
SHA2567b50bf8879a104772eca56efb8f3308b85e0257008f65a64e41ef4d18c4efb3f
SHA512a18e5c847b9aba8b9a8d2cea57854ed7aaa12f169adc90c17ff776b59c631c8c7cac716d0635227be953a6a660facf9c2dc50f2fd010078d06291aac26394ce1
-
Filesize
1.8MB
MD560dd325749ddcfa8d373a4337cf31e98
SHA135976f9819a0194dec930abc5abbbe3b83411862
SHA2560eb33c2f307d0412b94a6c2b55dfb5717d14d0d6939b18b54f053e97b4676aaa
SHA51245a90336f020e2ec3bb424386af9cca0a88a985b5fd5f8ffd749c396fcfd90181f6d40d332c906ba3300ab9b0d02aaeaff782854db5743465549bd5701904fc0
-
Filesize
1.4MB
MD55208a98329cd23863f57769214ace524
SHA15dc042851530c95969310b16832c7a3404f7383f
SHA256b8d0a0a7224296c829379acc28c4572c952acd2d322064619a7c89ab30c645ab
SHA51242ef5a22f6b4b430b8f17de6e60186dc9efa417ac5a946932b9463d2277d1b998802e9494198f77ff5d1dab7fc29a8045d50fff5801501c19b893a95b6984aa6
-
Filesize
885KB
MD5d4ec3e7aa0c14399cb8d5888291f1677
SHA16b068f5f044e4068112527e73d2b8def3313c5f9
SHA25688d337f57c00e582e6b8ffd8e01f6b17862ccef4e9f05c30a94b141958ea841c
SHA512b60f20d09c324f25d3fd04e2a0fdabf9a844882d59402bd2618b9f57d2938ba22cb6a7dfab2c8ca11500773db4835778f126845cc171e43a74a189b2098a2f1b
-
Filesize
2.0MB
MD5cabba41d25fc650ca9f126ab9a56d10d
SHA174e9d80a05ac6f5d5bba395cc16bbc3eb754b778
SHA25614383c34c0aa5884d288da9977accb06c6c463dac8802f537b98e3bacb018e3e
SHA5120d1d46e6e6cd36ce1a6562620fc451b947e7be76d3ea492a81c3b16d276e448c3773103939e9d2ea0bdd1bbdca2c7423d700da107bbdace359debdddc8a76d95
-
Filesize
661KB
MD5607d941aeb446756a9a586ee3b916b89
SHA1056cb26e4a12d0344351c9414e0fa1dc395430a1
SHA256db3f496d343afb4c1d8216c119b357b0f60e3866a2d40f23893ecbf50693be13
SHA512443d4ec0c814fb1c4b1d484d906a962affac9cef127e1dab6514ced983c6bfbc0fb81db661e2b000885aefe1e7595c2d4567e90b9beb24eebca720ef38712c95
-
Filesize
712KB
MD558e146bd214fc96ffcccec3b22732166
SHA10206d272c56b05404242767057bbc26633d5ad6e
SHA256a28b32cc6dd6633b0d8b523004fbe2150b2b773b55bbc009eb2657d80469887e
SHA51225da84eaa69d75bcd8970ba0afc11718d3099c2decb55dd2261c552e2c0a632065877f0c3aeca6b05f1933d37853f22baacfc235338751059c6c3be1148ecb51
-
Filesize
584KB
MD57228593e02c655cbe47fd32a29573017
SHA126ead6ee32d860b3cc51a9a895d082e4408b3b84
SHA256515a8163f951685615d2bb7d37d19dbcdfcd12409c41ff6709ff6eb980b79ec6
SHA512920511c7d4a595e616c960f01c43312d8ea0e34aa94234d3cc8569d8e7053545c93a020c389dc3364424b12adcf11068f705c80771aad739ddaa4ff464eadda4
-
Filesize
1.3MB
MD5ff78fd9d4272e2d8c18d6318926cd7a8
SHA1abe3afd81581f95c09a5f25df9f5803f609ae220
SHA256c3432512ccfb04dcf1d7c2c9285e8f656c6b2dd9f2c2974ac62c47555b711ab1
SHA5121a28dd1b4a84a5fc24981aa4a7fa42def574105243865c287dbec07707ef0acaaaed9ca8025948c0a78e03f904c0ce01e6c0cea130e282a961eb702d44ec9f90
-
Filesize
772KB
MD50bf4c45ee1339bf31e0766c4ae86ae32
SHA179acf4fada72305043a10cd8755e1f2f3cdcd8c1
SHA2565b118b9c8f421149831e0bbea43a4ba581a51e85d7753d29b1b12ef03957accb
SHA512c747ad1e608c9966c2ff353052c4392e2212b02efe933cc0a1d188df33bbc17e663f5c7649e3ef19ecdab5c77c58eb0a0253c7d0fd0fe80ca64d0c02f6540cb3
-
Filesize
2.1MB
MD586ccf5c15d163073b5c24db54c32f691
SHA1405b58fed6a2cb7fd4740eedd04f9653d108f97b
SHA2563998448026432fdaeb4beca6eb084197889818f6693f2dfbdcbec9880298b37c
SHA51219f174d7c4be7474b33921103ce2dbdee098ca6fc2a4bb3fedf89b91ad250869e96fb0f33126b4d1107c07c28d107ed9c08f7ef1bc0766605d4d9a38c98c1440
-
Filesize
1.3MB
MD50dc6fab0ef238152abf4c96600b1b196
SHA11783027737be9625ae46fe516a0ad141d7f8bd8b
SHA256fd92e05c5d81d794272051ff1c43ddbb24b3ae21092ee750d7180b7c435331c3
SHA51276e6a49abd11bec9dc65f8b719c83848cf37a8557fa039f2b541e48105a1617f33471a0368dcc8cf26aecbc966f66b6a19d50acfd2d4d56bb61c6f6a7ebd0a2e
-
Filesize
877KB
MD531191daf6c88eed0419719590cf33add
SHA1d16613b126fe2ab51bb49079cf4ec0677124bd3f
SHA2567a51312c4e875a2b99ffc56f4b8836ad96c65f2757a92be9ccd304c0244ac590
SHA512d0d1c98bba704c007e7fbc5e0048bc6e272837b3e9bff51a796122dc368b5c46776bba1f7e8ff49717dc4cc6695f4f09274f25eb629fb927abad929009934e19
-
Filesize
635KB
MD536750438e25a3b3994e683215d6fadbb
SHA168d68c9a08241200c9c0ddbeb0fadcf2d543e8b5
SHA25691807b132f6405bde5479eee662b6855cb9e1a2f684a71ff5b69be330c423284
SHA5123e2211f6a622cb2478caab1061986ab6c6c1ac96b5a70e100503494a556f238913894e11e0441c6f6f5056239ca9e6543b51aa2ea84da89068315fb330e3132a