Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/06/2024, 19:49

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
Resource: win7-20240419-en

General

Target: 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
Size: 1.8MB
MD5: 80fbc3b952b987db95f8be0c82633d1d
SHA1: a81d66d9afd57c8627ccfae77af5a9011e8c0767
SHA256: aefd3a1d99c445aa5978d3c9a7eb97b7118ea39df81d71267cfed74c720514be
SHA512: e4359354107aa858a3feba578151dc632c63997430f71fefddf0b13e3fc51da4a3e83ec85b55636f969441741637e4575d508fb81daec4a46fb87b0e56d21765
SSDEEP: 49152:uE19+ApwXk1QE1RzsEQPaxHNH5UbU62FAQ228QKl:T93wXmoKBqj2FAQL
Malware Config

Signatures
Executes dropped EXE (22 IoCs)

pid | Process
1552 | alg.exe
2728 | DiagnosticsHub.StandardCollector.Service.exe
1900 | fxssvc.exe
2132 | elevation_service.exe
2872 | elevation_service.exe
4468 | maintenanceservice.exe
2540 | msdtc.exe
4888 | OSE.EXE
1772 | PerceptionSimulationService.exe
4812 | perfhost.exe
1744 | locator.exe
1520 | SensorDataService.exe
4800 | snmptrap.exe
1860 | spectrum.exe
856 | ssh-agent.exe
1196 | TieringEngineService.exe
2212 | AgentService.exe
3188 | vds.exe
3120 | vssvc.exe
4584 | wbengine.exe
1444 | WmiApSrv.exe
1512 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\bf6b29478beeeac9.bin | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | alg.exe
Drops file in Windows directory (3 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006903f67081b7da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040faaf7181b7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb52047181b7da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e322f26f81b7da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075b4067181b7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab80f77181b7da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000baee017181b7da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
2920 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2920 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
Token: SeAuditPrivilege 1900 fxssvc.exe
Token: SeRestorePrivilege 1196 TieringEngineService.exe
Token: SeManageVolumePrivilege 1196 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2212 AgentService.exe
Token: SeBackupPrivilege 3120 vssvc.exe
Token: SeRestorePrivilege 3120 vssvc.exe
Token: SeAuditPrivilege 3120 vssvc.exe
Token: SeBackupPrivilege 4584 wbengine.exe
Token: SeRestorePrivilege 4584 wbengine.exe
Token: SeSecurityPrivilege 4584 wbengine.exe
Token: 33 1512 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1512 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1512 SearchIndexer.exe (24 identical entries)
Token: SeDebugPrivilege 2920 2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe (5 identical entries)
Token: SeDebugPrivilege 1552 alg.exe (3 identical entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1512 wrote to memory of 1172 1512 SearchIndexer.exe 111
PID 1512 wrote to memory of 1172 1512 SearchIndexer.exe 111
PID 1512 wrote to memory of 2436 1512 SearchIndexer.exe 114
PID 1512 wrote to memory of 2436 1512 SearchIndexer.exe 114
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. Ransomware commonly calls it to enumerate or delete shadow copies so that encrypted files cannot be restored from a local snapshot. This signature records only that the COM API was used, not what was done with it; note that vssvc.exe is itself among the service binaries this sample overwrote (see the process tree below).
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2920
-
[depth 1] C:\Windows\System32\alg.exe
  command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1552
-
[depth 1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 2728
-
[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 4964
-
[depth 1] C:\Windows\system32\fxssvc.exe
  command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1900
-
[depth 1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  PID: 2132
-
[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 2872
-
[depth 1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 4468
-
[depth 1] C:\Windows\System32\msdtc.exe
  command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 2540
-
[depth 1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 4888
-
[depth 1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 1772
-
[depth 1] C:\Windows\SysWow64\perfhost.exe
  command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 4812
-
[depth 1] C:\Windows\system32\locator.exe
  command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 1744
-
[depth 1] C:\Windows\System32\SensorDataService.exe
  command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 1520
-
[depth 1] C:\Windows\System32\snmptrap.exe
  command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 4800
-
[depth 1] C:\Windows\system32\spectrum.exe
  command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 1860
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4544
-
[depth 1] C:\Windows\System32\OpenSSH\ssh-agent.exe
  command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 856
-
[depth 1] C:\Windows\system32\TieringEngineService.exe
  command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 1196
-
[depth 1] C:\Windows\system32\AgentService.exe
  command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2212
-
[depth 1] C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 3188
-
[depth 1] C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3120
-
[depth 1] C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4584
-
[depth 1] C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 1444
-
[depth 1] C:\Windows\system32\SearchIndexer.exe
  command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1512
  -
  [depth 2] C:\Windows\system32\SearchProtocolHost.exe
    command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 1172
  -
  [depth 2] C:\Windows\system32\SearchFilterHost.exe
    command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 2436
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.8MB
MD5 3597017e53ade51fe6682a26577410bb
SHA1 fa0bf33983b5595c2d57e53ee84bc5e04afd66ff
SHA256 0d6bb1295580700cdf70826fa2bfb28cae0c30aaed71cf17fc307f2277ad1897
SHA512 fcbf9bc519836e3f9d81c8ce9236a2e886ee08275aeb5cfe7c7b2ef8c9c6d519e5350207d9a31cace85d900b5bb8c21f5f4703855dae9929df820b615699de03
-
Filesize 1.4MB
MD5 95e777e1fac0254a92b0324c81a2d3ef
SHA1 e103e68a4b3b5f33e0dfe2677c931eb3e39c2734
SHA256 47e14c99b8f4e1635cd4d63b24e60b8a4c268943d95c296d9a31c909c5f17554
SHA512 192752ed930bf7e79d5bc9b6b29c5d289cdaffb6d0dfb762128c8c4b4718eb9e3f94c5927070d9381686c2e04fed312e77462785aa360fe28a9293e154987b77
-
Filesize 1.7MB
MD5 fb1d5fac3a4e59da2d16d1e6555e8190
SHA1 c24ce1578f62bf584b23613db04ab525c2dcec63
SHA256 8343474e2b760a813c1af1ea03d80578b6f4d3ddcde9bc1552f75c5cefcc9ed7
SHA512 6a7d62c02e2d37dd8ee64066b6855a6978442a7da73cbe88002f726e72d3111c1a8687d4605b4c97657c46a17816b00fb8c2f7d10db4b51aa6834816c2da3ea0
-
Filesize 1.5MB
MD5 01bacb5d63130bf05f5d3447c64f50c9
SHA1 a34134df73154f48bf37a2566e2c2001ba541d42
SHA256 094ffc1506208567bdcf43ab1c753fda73e82c7e21b14a446d2120dcbfe30688
SHA512 4c0b79609ccf255892f20feb9a2ef5805491722b12d80373a70f096b1cfb75b10e29a3ee43e63205359f8375d6aadf676ab1569c0d3a0d6788705fd7633d3391
-
Filesize 1.2MB
MD5 782a9515230dc2fe064592216a2bf4fd
SHA1 6b28550d30c4d0f6e5c6f992476ab0628534902b
SHA256 a922cadffde01224b0dedfe653b0007b92dcefe90f9a8555de034db37078b7f5
SHA512 194105e2a6faa8084f7f53507a61487ffb58f69f8c5def14a641698f9147723353384f5ad96b949ec79cdefa3093397539f3c2a69281740f4467a38c00237bfd
-
Filesize 1.2MB
MD5 69df0b937101adaf3e9f4f9dd00660d1
SHA1 526a9f42e560dc17a2b08e46ad1affcea71f4b4f
SHA256 0d7658c75c4c7cc6f39ef022057586a5c05652a8e9da44298900bc4bbb48a232
SHA512 e35a89e4af22e30ab33a1d484bdff8b85e487fdfb1b0dd5128d1db09b7671b1ecc5acf9e0118258d9480a7266c84f2c6dd37f78eaaeda30ab71759f177277d97
-
Filesize 1.4MB
MD5 146814c54a4e1345a83d3223436691c4
SHA1 8b42e277ca2152f0192f022ca4d089e663712f55
SHA256 072f874f016d7b1fda34cdac72d7e7064058f53cbf4c01fce727fe17a80ff192
SHA512 47b283d633b9961a3644ad2e9b4a915e8ebb893b1cbbb0e1638b493480796dc44c5b6897c470618ed6cf0ddec96569780752ace9b8d8bd5ae5bde302a14bab51
-
Filesize 4.6MB
MD5 66cab11f68b5874a91559fb2981d4300
SHA1 5f5f35bc4f1d0645acb463d79d127a9ba879906c
SHA256 a747b5d8ab3cca8543e9e018f7fd650308e4aab39c9d1414e18260e9cb390379
SHA512 3ba8fb7eacb60ea20c2d901765e6673c85bfe6d33de7499885c413af911e0b69f8cd18dc65d724143722ee9ab4e0f6489b29f69a731e821097bf2244038fec7d
-
Filesize 1.5MB
MD5 b9492b4242a099cbc1b0186c2a4cad94
SHA1 5fef90dc83522c5cc324c96c29535b826d2993b9
SHA256 7d536f436ce38363d7408e92214985403b652646c2e796a6186d54b496dede27
SHA512 885ba3453298912b5ffc9f8c57329f3dda7b931f8d36cf3a1b2c422c5fc68604addd39dd7797b7677dd145629d43bdeb632ebdeb88f8b5e3e27e9a567bf5d811
-
Filesize 24.0MB
MD5 deaa9cf5c1f305f49d4c90b3ef2b01a9
SHA1 aed5c6c65c4c3b1a2394c403e0735009221315a2
SHA256 e9c27b2540b784fdc5c2e84ed2d69a4120e3a5e59dcb7cd6e79c10fc0d05c955
SHA512 1596f7d91f54df24b4c2181bcbb4dd26cabffdc7249dc7b1cd4dc32897c1341206a01c4887a5b8ea4ff2ccf099b0d58f3da63200e541f57dffdd577da2086ec3
-
Filesize 2.7MB
MD5 b27e7bb47c07b376ed678f40e7429bb5
SHA1 07c3c76a1398191efe1a85729ed6e3aae17bbdf8
SHA256 c1eff588a0dea82593151a0d3711a9d4e6650142ca45b418401d0e2fb0f8ad81
SHA512 5b1b0a18cdde2810ecfe3edf1a1c0ec15871ff14480f5103462d40914e7c1a5544bc25e449b52da04cc50050db29da57535ff543b4430eb6b6ffa3d34cd5ea8c
-
Filesize 1.1MB
MD5 edbb356133bec34c25523e072db3c554
SHA1 570b6bf6613b5d35221db3de7ce133822c6aeaa0
SHA256 81dca7e774a83d5b86852a5d8058582f0bc8f3bb0f02c4b0db574f76d8a83c53
SHA512 39e3d5e4e9430a5f55e5a389467fc62aba207272edd7ab5726c62896e8941d193b7a3407d374af0ec5e13086ae7fa31907e63683565c3e4a32e6be05b0853ffe
-
Filesize 1.4MB
MD5 ce50ae72c8eedeacb577349df9775b2d
SHA1 381cf6b415fa7933cc710e78bc2990a0404cb8e2
SHA256 95c9a4a42c5016c8bc6e3050d54fd8492e256f4227e868ca5bcc3e0264b764d6
SHA512 3a93ecd9c1eb98fe1139143ccfc7ba2b39a652de1728835c3f6d7de1f989929a8114733528c63761ba20b274b49b005af7bf343336e0c05e21da0bf627f322e4
-
Filesize 1.3MB
MD5 dac9134a7770073ec72318fdabceced7
SHA1 30e3afb818955757edecf0f578faaae41bc5a4de
SHA256 ae22787468d9efd9ce830885ed6a650dc7e011d8bbb707923d4e613f31f92522
SHA512 6e4dfc5b26395f1511c5d0292eaaf02df9f7b246ec2dad1d287b02e199290daf7ac0134474fcdee6ce215d776c79e75197e69345292ccd3d9c6631f709d98869
-
Filesize 5.4MB
MD5 2dab0c059323c4159d258cf3f3e661dd
SHA1 4e0f945ed6228633dd59d73e845efa3c72a58fd9
SHA256 94e995dda09654a63f85bb26f010ca50143a9d816274d5af74114d5f8e280b1a
SHA512 0b04397abafc0bd340fe2bf64ec9b397467ec561ebaef84252394bda24e2127542a5ff7fb8cc148bf3a86068256d3766b389e54f1f7c789dee92f0a10b7b01cb
-
Filesize 5.4MB
MD5 f209d88940df2ab63b8126d954c91625
SHA1 06833f403f374fbf213f18e9fbfe28cfd75824a7
SHA256 f7de8a87c3229e1cf83f2b301906121e35cdce0dbf69bdb31d3112641b41650b
SHA512 d19bb3432a8b712d824552156f01c564ff2cf0ac8edb0cf906e295029f68178d370faf7b913a2d446f893977850391ad5039d71c1187d158a4f38e9ba8d15c72
-
Filesize 2.0MB
MD5 9b9c48a4b12d4c73462029ba6c674bcc
SHA1 45d4e2c1f698f1d65b74ef5689ff475df284afde
SHA256 74ba35b0dcde586e3072ab67b5b45db91a98cace12ec2e09713cd614f3ae3f21
SHA512 13746a6bf08786fbd62e2664890d2118b6e65e26da3933dce11667fc2486294bde159513c4120ea42e345286b076d8f489771f18831d86b4b4bc27a0bef54e38
-
Filesize 2.2MB
MD5 792b6221126451c873f2981d3c0f28b5
SHA1 5d9963d81193bac7223bb64d0f07c063cf9df57f
SHA256 818ed12c4c962f9db91ca34615b6094734742e8513daf5fe8a996fd7b1318778
SHA512 22b483b4b0e1d47108232d57a7daf56fc58524bdfaf061210ddfb32233d90099d09c198f6a5d14fc5aea8d05a290603546d8f8ec10288313dc7cf2505e2bf69d
-
Filesize 1.8MB
MD5 89185460a49d37cbe51890808982302f
SHA1 35799c6cb5369fb157e46a2b507f11927f99c2cb
SHA256 c12be4f2ea580021d6aaea75082a2e7682381bf98de74ff86830dc2fef7ddc40
SHA512 ce2fecef1c6e27a46fd5df257dd164aa964ed198a1f34de42e5ac5365289af70ef5a3af72acc16ccc0c9ac0d7424815ab11b52c97f8e7764072ca0c4e2f012fa
-
Filesize 1.7MB
MD5 f3225c0cae0294bac9924239d75ddce5
SHA1 f90757679e5412d9990030395a498816b0b6fa13
SHA256 920a136cd3590100b1f62e988e5b735db86887d08179f707e47436e9ca7c4893
SHA512 ef737f15ef5dc165e08a39b93ddae33f1f1767109ab82673196e36e8479b34f4d3ae79badfb5be39c06f83e361d4f721cc5cdcf7bf5521773244ea958289de63
-
Filesize 1.2MB
MD5 8af12b93f3136c335429c7758b5cc310
SHA1 feb8109cb9c96a3f02af632f8e628d2245ec0cac
SHA256 a339d94b0fba48ae0d00639a7e23416ab38eb6959c878a5a113f246ef22b5290
SHA512 1d8ce9a6b919c408636da93568e58b3b1366a44a5f5191eb03dd046b1fb322374e41b3e6789ca640f04e6af3c4e78726effa6cca0cd152649a0ae80ff7cc1261
-
Filesize 1.2MB
MD5 47c934c1577e39cb4b3bf3f721778470
SHA1 03a51cc9f1f194e93d4c3fdb00bd031d4d5690ca
SHA256 ada113f15739aa12f1e4f7bbd9815198442fa45eb81464f652cbfc10fbaf6499
SHA512 57f022b8c2d4fab297d031f8855a8004d6e9852a0930bd2066fe277dd999c4f529c86de317a633bb8a64e95aafc6f1d8e6674ddc6f2d0dfd7e5dca867c8ee525
-
Filesize 1.2MB
MD5 56f9d738f557737ac02f39f311ae4734
SHA1 82ba7e53761335a9ca52ca77843e6d5f7580ab5e
SHA256 96618480c152ae80a4f662bffabd0020ff7317e16ecfc39ff89cb9553c64eb3c
SHA512 7bf0adb2f99a890c209e337005163555cdcc82c1ca955a6957438211c7ee894097bf5e4d1f6475adc551db15851ce3992dd140908a67f8b93f942a92e3e27482
-
Filesize 1.2MB
MD5 007303ee0a29b1c909c6d961d74cd47b
SHA1 77e4b4141e2e00b2c2fbf894f9beefcf09a255f2
SHA256 ca59ed6fa72b6cf598e839f1fa8f9cad5c67545f4f638eb0e2012275b4a2aca2
SHA512 3112906c79d0abe1d00c806f84a603593bbfe7d789c87c5c05621b609aa1554ce523af45a727b400c00a49cda310315ee0428d0f1f1e197698480f25e33fe099
-
Filesize 1.2MB
MD5 6e2b423d168d210b5ce94d55bddf3039
SHA1 8201cf9561d8866dfd8ff526c4afec0799a2d9a4
SHA256 8c0841350e54d266a275d899deca044a7efc3a0fc0dbf26b7896c6b15838a9ed
SHA512 c4672fe2ade396942b513695baf69c5186e7e5bcf34834a77deab0c74fbcc548415c9b32c14a8dfe4523d7e2a16c1c55377cb292dcd0fc17c07994efa689c559
-
Filesize 1.2MB
MD5 2e5b13aa177d76d7a8e3133933f98252
SHA1 427956e374b604e5eec44f16a882e45c121bcf54
SHA256 6a9064be63a47dcdb4490aeb144d731c83664a54424f12552f8e04058c384d6e
SHA512 3b2da0f97478d2419b3b669d609e15cc4be445c3e0f5ff90c6a148ffdc7f6431b5082763b6170c9cf23371cb70b34cedb053a30b2debb1537483c94639e0713d
-
Filesize 1.2MB
MD5 b51c0ac2d87b954b96d71cc2f15b1a4d
SHA1 ec2b15417f50f1bddd059447fc4ab6cdddaa4378
SHA256 057606f7b48f5a6baf223f28703a418f863770f92426ff5be2be4595196c5ac2
SHA512 f816f05610459825cd9f192ef10df933123c0a80a4b000c0b2d11d40fcf74d52ccabe9d397080af24606077593fb8523d0c465366b7c7e58a5da59061fd6c0d9
-
Filesize 1.5MB
MD5 bb697a34df685178f664bf990d8d5df7
SHA1 164ce4edcd4bb30f68bd7aadf57152d1187f0d35
SHA256 6c901ef53875c7bf2a8d540cd46b76db93b869206d324c68d1adf138842b25df
SHA512 bd1b0a478851c6e496223a8ccf542400005610febd37011ebaa2a1cc7a100d9952cc428a1f722f4dd8197ebbfd01be6aea49c210786feea5990185196b838965
-
Filesize 1.2MB
MD5 b02978ec838160224991c8f8e28507b8
SHA1 3ab4b73538100b9ea61eb86e20fb1ef2e47736d3
SHA256 3d6fc719844cd630a418b1227f378f04e67debb8020de68fc460f0c71352d3bc
SHA512 4ab6e8e6234a6ba776bfd47ba2dc1b89ec39fa4d8b673b3a40b469f42bfcff1a620f1ff8c9d8e3c881bb6f03271ecd64806192be303b14e38135d7af238ed29c
-
Filesize 1.2MB
MD5 aca25b6f64823ab69ec9b7c3256cc4b8
SHA1 82f589b91976c838c19a213749c88071bb8ca493
SHA256 ebdc5c38c23feb4c8876567a3616e4dfc7e3359ff875c3a644faf6f98b7e3445
SHA512 c17dbe6b91cd6be54e396384438ce4799e342a0c189f8bca7feec9f61e77558b8734f7fee4713cde3d38e043e6affa924b116afc03f42acdcddf54d13df8817c
-
Filesize 1.3MB
MD5 faf9cd2778af8cbeb98904cdfc5b9e1f
SHA1 70d68b8dd32872c00abc46ccf43aa2883c7e6c76
SHA256 56994f9b5a8d643e0e0b092013c7ef4df741a42b73afbc69f810916f4cdc1d9b
SHA512 ab7048f82bb0766243d81c51be0df87142c6d988afd516ef4be56be390aeccabfddb2f92db5e83bd25da621698588af3c48f33d34a12f305d263e9587f725c54
-
Filesize 1.2MB
MD5 7564cae19848aafb17f857cd25238348
SHA1 a70ca1089853ccf79838d0194f4c5d7d8b581355
SHA256 292f803a93fd25dc103dec58ff0b5b2c809db16899e686bd896b4876de479801
SHA512 4312642780811fd1718ebab13352872c0a90535a710b1bc19f8dd5e9fb006188cdd7ce1df3cd2afb3347bfc2ffe2df9863e4d8ce531a99a7291fed82a12af908
-
Filesize 1.2MB
MD5 73eabfab4edc4f05926aabf302560c35
SHA1 b038598783b8072a4fbbad796492307c5e38661e
SHA256 1b376f6102458674fb4c790c296a066c6e84282f23336b590d0f42cee3e7301b
SHA512 a306ca369bd61edbabca9b7880e023fb0df0153d9e01dd621db92fef57040cfcc52dea0eca511bafd4331ebc1f8355ced1f7a2b95c6beb360f46f258e7017499
-
Filesize 1.3MB
MD5 f4b2419cf8e4da812a10ada1306c5706
SHA1 d60512092af9bbab45a1711143b9819c1cebe2a0
SHA256 d1aa0939870fb64a97328716ab7480a999e83a3f9af8291d8d9e05963be0ca69
SHA512 b27ebc7de4e326c81c25e800ab799900f51d4bdac22028aa49ec90b7736a97e60b242f4e0e7fd5653bbc5465997478f18fa604b2a27fa6088abecf1c210a3ff3
-
Filesize 1.5MB
MD5 be3c9b995c10321a35b88321e3acec58
SHA1 d6e93b0c71730e2237efa0615e14435da3108a42
SHA256 b866553dc5ee5dcdd053975d14d98b64a4a4d4166ab9d75cbb885b8aa3f4bfd1
SHA512 05b019e36ab3c3877a670eeebefbb8cacc66fc7d1c22cfdb9e236f8490d1cc8aa45e8e4854e7af93396c708dafa98e638731a2541e2b2837456317237c61d0af
-
Filesize 1.6MB
MD5 df2be6932ed4b0458f3403218f5b3c66
SHA1 108e76d80e1ce78c95ec6b23c66ba2d3d825b62e
SHA256 e2f70fd4d953fa6d22ef702a17a59db4ce54d849bc7bcff19d240b9deafb8bca
SHA512 4c5b79336b2bf4ceb81707f0dd2d1f147c09877b6d21f47409bba28ba6e097f9e86cb2cb9bca6b770e9ff3849b724bc5969443b592af1e332d988a12d8e873a5
-
Filesize 1.5MB
MD5 c2d569a95727206b6420a14fa5a22b1b
SHA1 82ea68863fb0c4ad0a06fcaf4ed3ef9933f4470a
SHA256 ef76075f2898f7ace6f5c17cee1cdea9cfc828aec0c4dd06676ae785832a00e3
SHA512 15d4e7f2e9167cdd12c1d9809133d925d9c4109e9115dc1bdac4ead070d7bb4642c2a3570ff2847b7a5582d9a4eace7de73dd90d2a06568379b9f192a6b9dc14
-
Filesize 1.3MB
MD5 d2c78be0a5a888cf9142d42eaf8bcb00
SHA1 c2ecde3e80abf9e5990a23fc82b9cf8d4dad1488
SHA256 2611bc3090bdfcaf196b3b1911bd862b4c8c84fe8a7585e229ad19b737f0f98f
SHA512 a8004b4ba9f39210ab6a4ac03bd2095fe0ef4adfc1a62ffa089426e4362f3967acad7c39a36e61ceb3601dbde8a504bc0fec4047118055886c107facbf42fa06
-
Filesize 1.2MB
MD5 fd6f4debbc553f4db07a93c7b6109004
SHA1 b6afa4dd65714fc10cb6becd0bbbcaed0d91f8e2
SHA256 44ecbe0d6a157dd67cbf9dcacd9cb0064befeb4a29ade647e18811ee08630f3f
SHA512 01228b6f7a2a5b59489b98132bfe1d62eefefb1bfaf72586b298f7adeab8c2c032175955f5605d4cab1370e5e246ae8e2144a5676d28ee57f893aad7eefdb187
-
Filesize 1.7MB
MD5 7f54d59f7220a5cf5214379985b00546
SHA1 93d95d8066d8d13f3d4e331314a97f1b70d7a497
SHA256 2d67827e350fabbab3fdc19dc3c44f59026371e2e8da4fbe51c153f95591498b
SHA512 007f8e8c47a1b3175b32bc3cf52f753827051946010672dd64d31aba0c8d0a96d660e5e6ea59b8b2da03018ba5d5c3d16f902da8190c58d2da78ab0fc06aca9c
-
Filesize 1.3MB
MD5 38292ca004ee9c72fcaeea25d702167b
SHA1 9c647a18a3b008566a2185cc95534eeb39af134f
SHA256 976b4a13b659131255a7e36763e2570d97b59ee997a74491a0accef97a63bcf9
SHA512 93a1e4fe66c1ff1c1afc9659fac251ecac269abf1f3981966d35df41fca175190f6d391dcda15a6b20d3fa4d2c1e4635a0b2fd6d07cc770a1f2b3ee3c6cd5bf5
-
Filesize 1.2MB
MD5 e1cbd8732ca37b318e6ce534e19f5eee
SHA1 03634e4009dee4ff2accf86b3b8b80b90983b97b
SHA256 509e4c46725b43eb40c9a8e48d913462d3b5c15a600f0f4c902f8775156abafa
SHA512 3a2dbcb82303cee72e06db6c1c4555a92c560255e3eb1dcaa7b8a2d6c20a71320fb9d620d86b91688cb2b62f46a380ad24f8da9f107b70e5283277c7c75087b0
-
Filesize 1.2MB
MD5 e6aca990d1ff94e4c743d9e2b6d5cbfa
SHA1 1d892b9a413738986ebfc877e9a2ac6e0837b5d4
SHA256 1c9d0b7013b541a60f02f2b128c9b8e49cf0e500066b2714f048f62cbc396f3b
SHA512 6e9a121b8f8803faaf53de797e63b3c7466c2917585b614073a52a2663b010c030da55c102ec9833f171bc79c2cf7f837be39851c5e390235316af505faca122
-
Filesize 1.1MB
MD5 5f19b2d7c98c810bad3a66650d8fe623
SHA1 4f036d934428b8fffbcaaa7105624fdd5bd3d732
SHA256 0f2d77e5deb70cc6f13e8cd91d6f46428f9065372eaa3a6e945fe174f592221d
SHA512 3d82d05ca17d1b2d4d57f7f50d6dd658d19a254db7cea981e81552c6f15cd565407f287fbd0c961ce7f761366111fd3010e48be5e6674778c540598e8dde1239
-
Filesize 1.5MB
MD5 02d45b6536ca54336ec07162e5689166
SHA1 2daf4383f2a9999928b2623a0b27f3751d29fd50
SHA256 d5d762eb3a5212b2092dc4c823e47765911da4f109ec394c71f8249de184906f
SHA512 233234f2b6117b5c4b4e01bfc9944387e303d500b8f62eb55cd4903b7a455b7ab21f6f48721daf38ac652dfb786b87c0f98b9d14dfc400b7e4eef2fdb2840bc2
-
Filesize 1.3MB
MD5 cc0a435ff1515ac8ffcfd11c12b163f6
SHA1 60de815ad12638e96fd032225cd21056caec1f3b
SHA256 355f51ed60e7fa50189eacae82077c36a21f627907b62104f382a77c2836d65c
SHA512 9446169d0d13d4abf61d54ba52b94afc2a7aab9a784f093adb94f34a1124baea34497bcf259c67bdbcbdda10607db46640548e90df750e514c8dd6640b075d04
-
Filesize 1.4MB
MD5 f9a35807334333eb4c0a80cc73ebcd14
SHA1 91c8da4bc00c9d53fe0bcdbd46ecaa0fa16c4ca8
SHA256 1d25b18d7f34009eb8e402f92f401eb6810b487eab83bc97ad6193f2a2cc6636
SHA512 eaf010cc34e903281e549229b403aab1a96a8cbbd436d91fa978f8ab49c51b572b383bdedfa2a39ae4560a62c5f6c5d59045076e29f8abe821c9a1dcd17d7745
-
Filesize 1.8MB
MD5 702c6b0a13b37e4c46716776b8133f85
SHA1 eae9ad8438e5ab59976c45318c9f5d17be205c22
SHA256 636a3faeb9f1d70eb0cbb48b2d16b117924365b104c22c9ac7ffbc79e56dd876
SHA512 207e144a2580dcaec48777976ec596cd578a481d6f32f42323be006190550abba76551607724f3369cb7211a1ddf29667714a2872363ce4d28612458d96a939f
-
Filesize 1.4MB
MD5 dc15730f8c42eb2463d3aad65ee7303e
SHA1 21e495f65f71076ba351301c311c7cda5045c789
SHA256 10f48f005e86a936ff2d352ee00d50683a26d34313b17d5659a779539fe6e67a
SHA512 716935817537e057d9d316d23560109bbc1ce05678fb10dd1a96407a91d8b6753296371e0f15bbe191d09ae7e53cb30bd32a728dcf4785e78cd732a9c74298c9
-
Filesize 1.5MB
MD5 64870fca138b212b16e0d50b9458a90e
SHA1 4a5c228938f401eef1a92bfccc059a2d0b0f0122
SHA256 628a687b4c00fa90551fe7a4c77b82f352bd33c93e444166a3ebb3ac3dd97024
SHA512 d2405922045210b92e0eee3a5a95defec53f95da35a461548eed7a7ce8552a4677faa84e57017485373ee624735e1ef9e4808a73e9e03b8470a9b51d486406e9
-
Filesize 2.0MB
MD5 02c1179c728089d4282edce621f83ae7
SHA1 2abb1d6bdb7b73f7b9bd61df88fd342b594db921
SHA256 47de7e08c2faffd84ec990e4ac2c1264f431d588cdac819079cb60d4a5569f95
SHA512 2ddf98a0a42275991f5689630841c3b1b30790162af3a76facd8ee76f34018f3d44ceb02ed35ad06c71e978fd51ee80772e7a463cf578f827ae0d735e91ced8e
-
Filesize 1.3MB
MD5 41a6afbae120be7318998b75c3be7525
SHA1 928628b8c32f5f5576a28cc2d9bd1665ed72a9de
SHA256 69f2f460afd635445205e81aa90c2ee9523620a84fa6ebcd6733538a3a1d2786
SHA512 678c0c89259315f315a60f6cfb2dadc9c12619950bd4057f5a9136eac858904655d11d949c0620f93fbfae07d76a50eec7aa0a89452466dec4b18d3e95c5554a
-
Filesize 1.3MB
MD5 cff5d771ee770a1305705f1e813cce2f
SHA1 d9661ef1dda49ca476c7fe5f57300057e929ab2d
SHA256 d74a836a36a2b8abb184ebeca71d3f49933e6a3a11fd1cc8262b113765aa59fa
SHA512 f79b1bc5110c19d2ee3071f1c0135f40ad0e1e1ee72ad4bd7c08efc6135675f528a4c897f74ab7affad9298b42eb5361ea8bda9d9c712eef75b10d3bd75e327e
-
Filesize 1.2MB
MD5 cc7a212a06f64ffcd7d44c57e0d3b565
SHA1 bf46edf7e3a522a496c5f0df753aac1d626d0015
SHA256 423329316b64f0885933789a5652c10f3fcc6b6dc142232164657d25998b503e
SHA512 641800eb73e18a1ec149e82ec2c1a4dac7f83c9155737596482987d2e17af895ba5c3c2dbdb2163454196cb71bd0fb6b4d54145bb6a5f33e4b84294397cb6a78
-
Filesize 1.3MB
MD5 12d77e60efce13eb8f3bf4d6d02646f8
SHA1 3b74ad91dd25dabcff1dba88d8be3616d85bc5e0
SHA256 66ea08e35f580539150b8129fb9fb1349da6ef3aaa5c0906e1c645d5d6af49c8
SHA512 ce8c32b508aaf404144a8f158b4acb1210886db6eb5c7966c8850c05afc213e33d827e4a7466b0177046df68c019b5c4cd4aba5e4a4308a37b6ce941e39ea6a2
-
Filesize 1.4MB
MD5 1899fbe1f866cc0d1f0b81d6d891fa27
SHA1 53ae6d55a8df839c8a427399289bd9e9609ec754
SHA256 a2bf8abebd3e6d6590a549a66f200c87990c0472591734b997396c3f880bba51
SHA512 630f3ca6828b7a09fc4b5f20afe7e648b15f946d8a72c3a6465f1170cd85693cb052fea6b654acfe5977df92d7cb657b26fdfeb7bb7d4c162b40b3511f8e4980
-
Filesize 2.1MB
MD5 8b0f38bfc35016617aa740998ba9d810
SHA1 0019c1fb6aa06c55cf88b38b9a549f8c887b1b7e
SHA256 203284b28f3c3a2af458c8422c2f7237c772ce03636d0bf965ec782335df76cd
SHA512 06fa9a548f0123bb53cac3c0eb20701b578661076dc25056483635b13be0b57c8dda011dd05359dca0bbdf21309afd99cccc3a74bc53f591f6d3cba7d2c71705
-
Filesize 1.3MB
MD5 b4eec9891374fc31fdb07aef536524c2
SHA1 9919a7218641364a06492425ab8161711bdab9b6
SHA256 149fcf0994840d82f0307b57ff1892128b33bfcacb78d17ec3eb1a468c41486e
SHA512 28b6897c9ec40fecad3204289ea3c656b111c0741d621cb6a092a2cc7beee7e11fd1e3da5625f5d51eef5489eecd711a947d5dbd08a4a63bf8ad323190fded93
-
Filesize 1.5MB
MD5 d746220c1729aa80df886818fc3a52e4
SHA1 af4d215e6bef454e8e3f992540f323a64c1100da
SHA256 3da1d9038d4875d52d6c27388335db93a92f7448e98251675e1fd6ac7d695848
SHA512 5b98f75e7978dc8f613444cda568f37d6ca3adea5ba00146ac1eaf82a49484fda1bfdc47105ba2b2fa76d55b788f99d130657eea353fcb79ace90aa74d604505
-
Filesize 1.2MB
MD5 94c0a2650bf992466d66296a9464d896
SHA1 73dda82fbe9f1063778172d02d18d79006daf087
SHA256 57e52d60b42f9be98429e183488fb9e9e885d7f709f580b7198f9773516bc7e2
SHA512 f0474f0d683da577a6f51aecbc7303f034abf01de2f7c37bb8f491b77d1f70999d841460975cc7a2edb7df04fffd32b2dff028766b0e8ff06989437ef5161dbc
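What the process tree shows is the point a responder needs: the sample rewrites 22 legitimate service binaries in place (alg.exe, msdtc.exe, vssvc.exe, wbengine.exe, the Chrome/Edge elev­ation services, the Mozilla maintenance service, Office's OSE.EXE and the rest tagged "Executes dropped EXE"), and those then appear as top-level processes, started through their normal service registrations rather than as children of the sample. The sample enables SeTakeOwnershipPrivilege and SeDebugPrivilege (AdjustPrivilegeToken signature), which is what taking ownership of TrustedInstaller-owned files under System32 requires before they can be overwritten. The PowerShell below is an added triage example, not part of the tria.ge report or the sample: it walks the paths the process tree names, records each file's Authenticode status, signer, owner, SHA256 and last-write time, and flags any file whose SHA256 matches one of the values in the Downloads section (the report lists hashes without file names, so the match is by hash alone; only a handful of the 60 values are embedded here). It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, an elevated prompt, and install locations matching the sandbox image; the Chrome and Edge elevation_service.exe paths carry a version directory, so they are globbed.

```powershell
# Added example (not part of the tria.ge report): host-side triage for the service binaries
# this sample overwrote. Assumptions: Windows PowerShell 5.1 / PowerShell 7 on Windows, run
# elevated, install paths as in the sandbox image (Chrome/Edge version directories are globbed).

$paths = @(
    "$env:SystemRoot\System32\alg.exe"
    "$env:SystemRoot\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe"
    "$env:SystemRoot\System32\fxssvc.exe"
    "$env:SystemRoot\System32\msdtc.exe"
    "$env:SystemRoot\System32\PerceptionSimulation\PerceptionSimulationService.exe"
    "$env:SystemRoot\SysWow64\perfhost.exe"
    "$env:SystemRoot\System32\locator.exe"
    "$env:SystemRoot\System32\SensorDataService.exe"
    "$env:SystemRoot\System32\snmptrap.exe"
    "$env:SystemRoot\System32\spectrum.exe"
    "$env:SystemRoot\System32\OpenSSH\ssh-agent.exe"
    "$env:SystemRoot\System32\TieringEngineService.exe"
    "$env:SystemRoot\System32\AgentService.exe"
    "$env:SystemRoot\System32\vds.exe"
    "$env:SystemRoot\System32\vssvc.exe"
    "$env:SystemRoot\System32\wbengine.exe"
    "$env:SystemRoot\System32\wbem\WmiApSrv.exe"
    "$env:SystemRoot\System32\SearchIndexer.exe"
    "${env:ProgramFiles(x86)}\Mozilla Maintenance Service\maintenanceservice.exe"
    "$env:CommonProgramFiles\Microsoft Shared\Source Engine\OSE.EXE"
)
# elevation_service.exe lives under a version-numbered directory for both browsers.
$paths += Get-ChildItem -Path "$env:ProgramFiles\Google\Chrome\Application\*\elevation_service.exe",
                              "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\*\elevation_service.exe" `
                        -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

# SHA256 values copied from the report's Downloads section; extend with the remaining entries.
$reportSha256 = @(
    '0d6bb1295580700cdf70826fa2bfb28cae0c30aaed71cf17fc307f2277ad1897'
    '47e14c99b8f4e1635cd4d63b24e60b8a4c268943d95c296d9a31c909c5f17554'
    '8343474e2b760a813c1af1ea03d80578b6f4d3ddcde9bc1552f75c5cefcc9ed7'
    '094ffc1506208567bdcf43ab1c753fda73e82c7e21b14a446d2120dcbfe30688'
    'a922cadffde01224b0dedfe653b0007b92dcefe90f9a8555de034db37078b7f5'
    '0d7658c75c4c7cc6f39ef022057586a5c05652a8e9da44298900bc4bbb48a232'
)

function Get-ServiceBinaryState {
    param([string[]]$Path, [string[]]$KnownBadSha256)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # Get-AuthenticodeSignature also consults the signing catalogs, so an untouched OS
        # binary reports Valid with IsOSBinary = True; a rewritten one does not.
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLowerInvariant()
        [pscustomobject]@{
            Path       = $p
            SigStatus  = $sig.Status
            IsOSBinary = $sig.IsOSBinary
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # System32 binaries are normally owned by NT SERVICE\TrustedInstaller; a process
            # that took ownership to overwrite them leaves a different owner behind.
            Owner      = (Get-Acl -LiteralPath $p).Owner
            SHA256     = $hash
            InReport   = $KnownBadSha256 -contains $hash
            LastWrite  = (Get-Item -LiteralPath $p).LastWriteTimeUtc
        }
    }
}

$state   = Get-ServiceBinaryState -Path $paths -KnownBadSha256 $reportSha256
$suspect = $state | Where-Object { $_.SigStatus -ne 'Valid' -or $_.InReport }
$suspect | Format-Table Path, SigStatus, Owner, InReport, LastWrite -AutoSize

# Files overwritten in one run share a last-write time; sorting makes the cluster obvious.
$state | Sort-Object LastWrite -Descending | Select-Object -First 5 LastWrite, Path
```

A binary that is unsigned, fails validation, has an owner other than TrustedInstaller under System32, or matches a report hash should be treated as replaced, and its service as running attacker code under the service's own privileges. The System32 copies can be restored from the component store with `sfc /scannow` (or `DISM /Online /Cleanup-Image /RestoreHealth` first if the store is also damaged); the Chrome, Edge, Mozilla and Office binaries are outside Windows File Protection and need a reinstall of the product.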