Analysis
max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 07/06/2024, 23:09
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Resource: win7-20240221-en
General
Target: 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Size: 1.8MB
MD5: fccaf83565e779c83da236f7a44faf53
SHA1: e2349578da14b89504ee879f9417af6310dc0da7
SHA256: 844f89b2e912a2697c85bbb20129599114341c7187118d7a0488a8f4ae092f0f
SHA512: 917994aff35e00fe6ddb94d05e5757239e3f4b5dbf870264da4f4359a96622b41d9682b03598eb9c247719ff4883af8229af423ba86e755535b77bda51546ad4
SSDEEP: 49152:QE19+ApwXk1QE1RzsEQPaxHNWdPGM7nmoOl:193wXmoKOxB7nmoO
Malware Config

Signatures
Executes dropped EXE (22 IoCs)
pid   process
2268  alg.exe
2320  DiagnosticsHub.StandardCollector.Service.exe
3840  fxssvc.exe
2284  elevation_service.exe
780   elevation_service.exe
1700  maintenanceservice.exe
2564  msdtc.exe
260   OSE.EXE
1328  PerceptionSimulationService.exe
1088  perfhost.exe
1224  locator.exe
4588  SensorDataService.exe
4532  snmptrap.exe
1944  spectrum.exe
2140  ssh-agent.exe
4656  TieringEngineService.exe
2240  AgentService.exe
3652  vds.exe
3000  vssvc.exe
4540  wbengine.exe
3880  WmiApSrv.exe
4264  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
description                   ioc                                                                   process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  DiagnosticsHub.StandardCollector.Service.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
File opened for modification  C:\Windows\DtcInstall.log                                              msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                 process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0         TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
2320 DiagnosticsHub.StandardCollector.Service.exe
2320 DiagnosticsHub.StandardCollector.Service.exe
2320 DiagnosticsHub.StandardCollector.Service.exe
2320 DiagnosticsHub.StandardCollector.Service.exe
2320 DiagnosticsHub.StandardCollector.Service.exe
2320 DiagnosticsHub.StandardCollector.Service.exe
2320 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
672 Process not Found
672 Process not Found
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeAuditPrivilege 3840 fxssvc.exe
Token: SeRestorePrivilege 4656 TieringEngineService.exe
Token: SeManageVolumePrivilege 4656 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2240 AgentService.exe
Token: SeBackupPrivilege 3000 vssvc.exe
Token: SeRestorePrivilege 3000 vssvc.exe
Token: SeAuditPrivilege 3000 vssvc.exe
Token: SeBackupPrivilege 4540 wbengine.exe
Token: SeRestorePrivilege 4540 wbengine.exe
Token: SeSecurityPrivilege 4540 wbengine.exe
Token: 33 4264 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4264 SearchIndexer.exe
Token: SeDebugPrivilege 2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege 2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege 2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege 2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege 2548 2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe
Token: SeDebugPrivilege 2320 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4264 wrote to memory of 3944 4264 SearchIndexer.exe 114
PID 4264 wrote to memory of 3944 4264 SearchIndexer.exe 114
PID 4264 wrote to memory of 5092 4264 SearchIndexer.exe 115
PID 4264 wrote to memory of 5092 4264 SearchIndexer.exe 115
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe  "C:\Users\Admin\AppData\Local\Temp\2024-06-07_fccaf83565e779c83da236f7a44faf53_bkransomware.exe"  1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548
-
C:\Windows\System32\alg.exe  C:\Windows\System32\alg.exe  1⤵
- Executes dropped EXE
PID:2268
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
C:\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv  1⤵
PID:4148
-
C:\Windows\system32\fxssvc.exe  C:\Windows\system32\fxssvc.exe  1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3840
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"  1⤵
- Executes dropped EXE
PID:2284
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"  1⤵
- Executes dropped EXE
PID:780
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe  "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"  1⤵
- Executes dropped EXE
PID:1700
-
C:\Windows\System32\msdtc.exe  C:\Windows\System32\msdtc.exe  1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2564
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE  "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"  1⤵
- Executes dropped EXE
PID:260
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  1⤵
- Executes dropped EXE
PID:1328
-
C:\Windows\SysWow64\perfhost.exe  C:\Windows\SysWow64\perfhost.exe  1⤵
- Executes dropped EXE
PID:1088
-
C:\Windows\system32\locator.exe  C:\Windows\system32\locator.exe  1⤵
- Executes dropped EXE
PID:1224
-
C:\Windows\System32\SensorDataService.exe  C:\Windows\System32\SensorDataService.exe  1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4588
-
C:\Windows\System32\snmptrap.exe  C:\Windows\System32\snmptrap.exe  1⤵
- Executes dropped EXE
PID:4532
-
C:\Windows\system32\spectrum.exe  C:\Windows\system32\spectrum.exe  1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1944
-
C:\Windows\System32\OpenSSH\ssh-agent.exe  C:\Windows\System32\OpenSSH\ssh-agent.exe  1⤵
- Executes dropped EXE
PID:2140
-
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc  1⤵
PID:4440
-
C:\Windows\system32\TieringEngineService.exe  C:\Windows\system32\TieringEngineService.exe  1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4656
-
C:\Windows\system32\AgentService.exe  C:\Windows\system32\AgentService.exe  1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
C:\Windows\System32\vds.exe  C:\Windows\System32\vds.exe  1⤵
- Executes dropped EXE
PID:3652
-
C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe  1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
C:\Windows\system32\wbengine.exe  "C:\Windows\system32\wbengine.exe"  1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4540
-
C:\Windows\system32\wbem\WmiApSrv.exe  C:\Windows\system32\wbem\WmiApSrv.exe  1⤵
- Executes dropped EXE
PID:3880
-
C:\Windows\system32\SearchIndexer.exe  C:\Windows\system32\SearchIndexer.exe /Embedding  1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264
-
C:\Windows\system32\SearchProtocolHost.exe  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  2⤵
- Modifies data under HKEY_USERS
PID:3944
-
-
C:\Windows\system32\SearchFilterHost.exe  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784  2⤵
- Modifies data under HKEY_USERS
PID:5092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3584 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8  1⤵
PID:5216
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.2MB
MD5d36c3f4a6c2f13cd8686f6a0a92c5b12
SHA15d480948e38a5d2687c45ab7038addc1de76e323
SHA2568193af4a749c9dd6ba13eb8ff827ff4ed90c11c5a409699131c4a1a95c856083
SHA5129d86fd616cc0caa4b86b3e95e6acd64e6e8baddbff32e47a069defaba1b5930ef2d538417c2a2af6899c443a7f04f6a1f700ab98393c83d7d1cb3f54c2e3aeae
-
Filesize
781KB
MD593bde3c9bdf6a749a6a1edc49efc2813
SHA133f3f758c15d26a3c89c5780938a0d42672b181b
SHA2561fc9b583896d14fb69150456fd8cde17e1ffc526e99fb6d18a7efc213eb5829b
SHA512780f706cd4888c52eeb96801699741e27f67be0901c0cc6097fface2d378832d4bf58b814c5e49aa7f8de97d27deefe8f9864db93a66bc14c85ffce1aaed696c
-
Filesize
1.1MB
MD557a4101c122db3278acafab3d81ef508
SHA1d752cbcfa4380d25827304488ffac6303a1ee44b
SHA25673b3b396c5ec44431d094b40194b1604407ab77aaa35d2c285f10abd5af03ee3
SHA512d301e18c1fd927b6d112256e4f9105adfdfb1dc3967f155b950ccf1b117319692b110f44c841688dcb7a154a13e622fb87a69e73609ebfb6ddf56097729dc5a2
-
Filesize
1.5MB
MD5741950b15b176904b75ca510b2b6352a
SHA1b0a9008758113c23ac983841c37298b10a6f1ac3
SHA2568562c6bdcf557d90ffdac74bb81c480ec6ef3a6182b26daa8eb13a644315af3e
SHA512a865844c988256071e1508514a8cb9c00caf962a9faa20ef86fe5f90248f4ef451f634adf73724ea147cb6cd257b9e414e587e7a096cde3edbd31359683d5e9b
-
Filesize
1.2MB
MD5cfce9f479a154d42b5c32911abb7264f
SHA10f0afc6bd8c6c04a634969e7d7c1729109b9b5d2
SHA25614e9bf408eebcaeea750d0ddd518a0bfa23b37afd75eb7c9527ea3be13ad852d
SHA51293d003576fdf2e5e4d70347a81b35bcea2a22745705666fea722c0139b74471c4195d0a3a0a05b3df210cf75b5c687fa18efddd8278485abc50322fd9ebcc67d
-
Filesize
582KB
MD5ed936daf0ddccf802bae0262e917614b
SHA162e27d4a177b6792ede448bd8028c240c08a5263
SHA2560ccbf577aa30540aaa87c9e6588c14fdda4a04966fe67dd557a80ce75feac558
SHA5122f1270ebc9fa07a667d585201360a75a55a574f6faab2ddf78b8267a947039b029ceb4d70bc3191f3dd76bcb9e3e7f5cd83101227a20e3bbcf1b076ec1a3c542
-
Filesize
840KB
MD58215ff48bb7192151fa63b1c7cdfed27
SHA19bcca58e9ee0263853b82231f627eb6aed8eede1
SHA256e7542cf2a2cf61090fd31b78aab0e9e2cb8664c473bc050b2cdfd5d71497e71e
SHA512a52e0c41a6894a5ebe317b4573b385088e6153f18f0bc967aba5ad58c5ccf97f3ba59570f1b72413f7f8fe5b270d90e7db24f1b5f4817b3a54d679f5e2ec2400
-
Filesize
4.6MB
MD5a0c037ac4c627962de5b0fbc8157ca04
SHA1ca4cff8d2c71167e3babac9a032f889559777892
SHA25690f9d2e764d017c8774d95c722993f837623b94f5cafb8f05a6e61410ebc7629
SHA512f87be33fe56e51a296ef94d4f726bdb482d855a75cc677bb9215b3bc94c076546628bf5d1c903c5cd561eaf9c40d8c41902ae12d2890361c103ca22b7c59afa8
-
Filesize
910KB
MD5f87a5b54871d0aa49165d35389006b45
SHA1ebc1bed617d9c0c7120437b4c2c9cce150dd318f
SHA2562cc7585835eb62396b15c195d11d376d6719ef7f193fa4fa90c104bb23d6f173
SHA512a564106078d590b8318f054e5e23171e1ddea626d84442e417173b3f2f3371785d36f380a08cf87a282081d7b44e2ad81bb5e77417af3aee9dd4718b68a3d5c5
-
Filesize
24.0MB
MD5512adaed8a2d370d5a26b15e7a3865ea
SHA166d4b93dbc0c6baf8a75693817e17b2d96cc7ec5
SHA2569aec8ce15047d79f0c208f30964e9437e68e9083223962c7a3136aa44d7a1093
SHA512fa53981a14e2ad6f59ea1f82e48dbec35c181d1869f527ac17df922cf2353134332d687a599be21e726be5b3747bdac333e3de296f7dcc798eaafb81f240a5e3
-
Filesize
2.7MB
MD5fa54f8e0989a58af819e33e25f808878
SHA16a904e0ef8c3041aec3cf7f66afaaaf42ab0d4d9
SHA2562928cb25004061ee9458ea6bc1a936c62a93757d0788efb006476042ab4db1c2
SHA5120e6d44b7214f0fd8f8dffd68ad1e45afaa5b340dfffb5126a12595af2843f06849924bc42d6232abf575c6004b58af5ff9997ac3012db8e80ba19e33525905aa
-
Filesize
1.1MB
MD53350429072ba3260eae90d3f97a85617
SHA110426bfaf6e7d8676d229118b615712edf9d037d
SHA256e52ce6502ffad408b7fdc59e0d1930e31c1f8f5c18eb9db4b6f950d20ae6a965
SHA5121d2c461cff30a0a464046852fc8c2e06efd446dac49f124c53a12985666aaa66bc7b96f76f7e4dc83380229c6baa7ce51b9f57886ab55beeac929e60ccb7f69f
-
Filesize
805KB
MD570ff61ff2abdbbaa29020f1b792e1d5f
SHA1fd80f28ec239da154ff33e95e433ab00231b807f
SHA2562318a9ffeb791870df84d521875be4bf4ffcbefa1ae4ca22c2a6a39550087505
SHA51254b32852377162bf8e465f72c46344e118cd742cb4f26b7852763fd9767a30bbfb8d0cd52da2314c32646cd89c1f950a344421b4cd51108a3922b60570065b53
-
Filesize
656KB
MD51ea0193302f9f5500bb21280454627d5
SHA1e8ad10296c19e12c99331f9865f08629a5eb47ae
SHA256a31672e8502754d249739dab790fbf1a5e73b095df74676593b5593ab8cdb485
SHA512ad70b76b8a5e919c4b53f5092976d45d0bfaf6d1237b49a4fa6f08931c4d891298068cb8d5abed0f073d1005658172441cf5a261a5553ec848c075f0530010ba
-
Filesize
4.8MB
MD50a9ab25dd7b7aed8c6b5b15dfc1dc01a
SHA144fbdaadd300c0e47989a488c96cd2b3875a3315
SHA256886a10cfdcada9abaebfb096fb4503bb3f516735a511d5d4f502b30b1ed4d2f5
SHA512c843b2f60110bd36a3ab50970641ae4bb70463d5287ae94b862d69d3d584f3db2ef94ab5f39d22cc149651eaf2dcb3821bb15d711d660d069b642acd65b85f08
-
Filesize
4.8MB
MD55db3020c1faf595b2d01676fac184888
SHA1913c990bda7fb83832bbc10bed25f3caa1912f5b
SHA256752feb9df1700620b9f65e9dcc84bdcf5b20f8c6a2a371fbc400aa9750078bcf
SHA5122deea0415e1a6c913b69edbb2df600aca01fdef8d7c7ca0b1de6562717394afd7ba43ec890b878a005d8c2ba18564dd622edea83300de30db21739f03c67babe
-
Filesize
2.2MB
MD5ec99433b7b430d404b823ac98edd0673
SHA1cb9c371eb2af552fdb03c0b65c8ae588fbdc8d2f
SHA256802328a883b34033a81a088681d8333d430dea21aedf65ee08872e8edd0d5851
SHA5123b8844c91d48862dc06712635b36effc064b3ab0f12ed35eaa44128cd70a82a7b430888edf56d68af1bc064394f1929b963a37ca1fe9cef3a0a17db0a28fdc73
-
Filesize
2.1MB
MD5b4d113bd2767a7ef1511010a3665085f
SHA1efc8f859c4d72ec40c68f50b5b4eb57b6165b685
SHA256dba05f99f1118eb43b641238b856c9c14cdcd50018b26c3840a6a96b0b39fc93
SHA5125f89c6ded0cbd8abbf3cd6ec2ec822c3e4eef0abda644799bf68582bb93dee6ffbaeec4ff17636185fb6b277671ed290800c11cf21c5629571d12d1296b006e2
-
Filesize
1.8MB
MD59212b92e63e818279156d8253d26b14a
SHA164f8c69b49bc4c021c5fb2d4095623e6183daa55
SHA25666d878072dcacf49884ce5f84b4b123b5ab9a921260c57afd20238116063c227
SHA512b6ffbaa7a8eb527c830fcfa6e087216e90ac19e16c7b3f76bcf08ed7d7e9319f054d923733fbe94b93b88ade69cc1673fdc80b0b0ce882c8dd64748e8d2b0bdf
-
Filesize
1.5MB
MD52d079da3837fdcadf11efbccf18ad772
SHA12edc3292578d585da295e4c41b03c24d3a9000d3
SHA256b4489d039fbf84e56f1ed19a4ed450984ae40a03ae4681fe13bea4133a32c9a8
SHA512b26f52f93a3c8bbad9e5729df59748fbdc68e1528a862edb6554805e18d02efae789ddcbe400e79cb3b46ba066b5a3e4097813696ea04c8d410db61778203dad
-
Filesize
581KB
MD5ed877d82304d51cfc099e3af6689f9c6
SHA1a443c2f67dd845ba260be403c4bd2a1f3cf9ad9a
SHA2567f3e16ffb8bf1f77d74a17cdb03ddc8e6684df9263cb8b9d69f542214fb8d090
SHA512817f8cc1c9386662bf1e2e0c8246154ed897bce38f957480dd768aacc9ad2769664f122166b38c8fb97e93e32ec4827ff06c172b372f0146d7a6b95ab6e96787
-
Filesize
581KB
MD5136ec6040b0f5d598c51247bedeff4e3
SHA1ddb4d700c330986424594115d049f73872a5addb
SHA25691a9097415e29bedde9d106a4edf99ac0cc106c5d98e5de2f17cce1e1014b84b
SHA51261e5786cf7b974569ffd36df1a33a24d7e4e594b7bef4c6eba80615f31776351cb5aaa38bf607d6fb94dd9ca769533efb5773260e0a3a16ac8b653bc8ef2e863
-
Filesize
581KB
MD53cacb525fd8e17ce409ead5b26261903
SHA13f89c812aa0562e037decb82ca7b8c82cb178721
SHA256bc957f5538d586cd9c8eacd4d3406b1c3e10990364f787348867aee15f249edb
SHA512f07fb290d88f9c113775c19e53f953fcd79e7663bd80b3af588e9017b37f0d3cd2e0d69a2e2b278e058a935eeb4ad3158f9a23df40c47ef2f1a5d987b593b7dc
-
Filesize
601KB
MD5f84f91328e748870b7cf3b4c53a1d028
SHA193ae5f2104ec721b7b62a6542bf6a28042c00905
SHA256ffbfcaa5fdb64f7ee66db49878b78c3570cdf1e60d50b208d448acda4ebb92f5
SHA51296b773f12574b879d18344e83780c4738269db08a59d4a2326b781c4231a9311aa4b2e3d4518b1ab406e58f21eaf5a803dfcf646f43ff6ce95a8c1cc4ae5797b
-
Filesize
581KB
MD54bc08c9efc229b818061dcb116ae6edf
SHA1d8e0d95d00f4735ad3bd6a3f26f14af95da9cf96
SHA256730223556f021dadec718a633b59f1a8164a4836d4a61f4c17e0fe0ea3b6de3c
SHA51272d287c0d516697d8d58b217d12da39f14392271e96065bb88f1c5b5d81f07d01deeae4182bea5f7474836668b79077438d8abf8e1936252420136e2ef246901
-
Filesize
581KB
MD526779f6547f113f656310b6b4be0500d
SHA14150b8e648e89efb2ac2a6d990384d6a9f38c7b5
SHA256301f15dd617d174d2c025bfb58496af0a2d08a0cf2894bd35086a08b9b1dbfad
SHA512315cdc940d1592d58fae627d58a3267a9c2a95fc3e7614da87d6d8f3089f0b3a6895dc658efeb656f98e8c2b38daa0baba7f73f30816dce49c24f3fe70c90597
-
Filesize
581KB
MD50c0b102f69cf09e90c877be50d632fd1
SHA1cd2842acc9ab3c43cebed4b3b376b435fef254d2
SHA2560db33656e1d78b5698d20af529d0182a2ee297d166ea84f133908d75d55de9ca
SHA5127ab14e625dae018655ecea8dca16575dc48e3c6cb3ecc21d565ae11847d454bc247a9645867bbd78724a10ffd3cfce34102781501157dbf56fbc3be503bb7cf8
-
Filesize
841KB
MD509acfeabdd04b03b361041cb567636c7
SHA1a47a69ddd9ea17c6f054a654f02f5fe14d60df23
SHA256a23661407e4c62b325af43a4a6596300b33db50f6fcfaf28f1d32d5a135f0fb1
SHA512991a8f5cf4aa9e927e92de1c9f6749d2efc38b685b6874e8566acc80bca0c133bc99661f3d4c7f6e98cd9b0f4d9358b03654d26078c504c231c62c1b8f99e530
-
Filesize
581KB
MD54a44ce77b9100fdec7343b32d182f23f
SHA11d056ae9dac20bf5af85ff2900ad1d337bfeec6b
SHA25607a35f78f79d108abb3fe3ce95719dc1b8fd387b4d03242c7236d51755d198fa
SHA512e7597de6667b2b97adc493583da799845413d536ae6ae11d986869d8e7a0c6d9735feb2a9bd1941beb176a0675714ffe73f01f2c5315d7d1f7b68f4ab9dfdb2c
-
Filesize
581KB
MD54b26019129e5adf3eb28ae6de705f6b9
SHA143780320d81199b36ac60c2d7e224810c8668322
SHA256794c52adccefaf87e8ff9ab9fe6cd89767ae9b0e31a612560e993b3fb0ed5ffd
SHA512a22e817ac92f70cdce11cb92ddd210210151b7b153c47f79cdaddf3944ffdb5e3509a747bf3944578b2fd109ca242270ee566bb3e28ead6d73e538a31bb88e84
-
Filesize
717KB
MD58fbab53a538399434c9f318736f3c12a
SHA19e37a8a676916a668116738b113d242dbcd5f7ff
SHA25605dc0475ea03aac7dcfcf86a3897aff5216e26f201e6a024b96349f0070fce8b
SHA51217ef69a531aaf95be8a0ad990849b31df6c000b6791a054b57d6f0d115fe4006865fb0f9934203241aa5809c9a065c7192545950484134e20ee7e8c2fa214373
-
Filesize
581KB
MD5bba82bfdb5f26bbb42b0d03aa74b7d5d
SHA18557313bb31674b2bc1b035104a164d2a5491e5c
SHA25655658b0d76d25fd2a9f3ec16464bfbd47d494819c220887380a214bebfb3e1b1
SHA5123804ad58cefaa1c5ed74b2f4f4af3992f1db76c5d3f3c359dd3cc454a9ed222b428d061496dac8a3e6a0e92c5cbafa55105e22072fdf1aa297082fee38c7f96e
-
Filesize
581KB
MD59f23736c006c4f4c508dfe3893506e06
SHA1931c65b788b12e2d4456a474b64627393398ca76
SHA25647c4770ce4d3c565ad1af1073161c46e6e3ec229329da4eaab045e5519854ce5
SHA5128f548e983583968404eabe3070650c519d7a4324fa8bd857bb4ee0cfbb402b8a5e4063ec675df2955be376c4c6c3685f0d684a9404ceee0b9acc16c6b16a0efe
-
Filesize
717KB
MD5e97b8fd5c514ac3880cd13813dd39dd9
SHA1a412f7dc9313d4c39a39118c86221015eabd31a3
SHA2566fd9daa73ea0812c9b738b27e82e3ef7050e77008403d404abf7c3a761884b64
SHA512c55e807bc76c80c2e20cc0ce8efe1da58ded0155438dc7934c81dc0158766056b3c6755184521b9d0ef3396d14022ec9ced5650ec74f2a5d7b237b92e26be31e
-
Filesize
841KB
MD5bc83b95585b29dbd7f29ba872432386d
SHA1c69c8c651ceab3aec5e55d0944cd824c8f68ce75
SHA256e9dfb447329f15b16fa067ce6fcd6e45345b417263c9018c8c6248f0cd76e45a
SHA512d331830adffa98f7f80143f58392916de81d67c1088e482d6f50d72e2eda76eeda21e8590466a2e0eb2bd37af8208167f928ed247580c6120b211ae631694e6f
-
Filesize
1.5MB
MD5e49ee37b13b6b945170b4d99c60ae5ea
SHA1272ee1a8b8f6e4d0f1b36c462343d46ecfb070f0
SHA256530817e18879047b8dab48b92e8e16132a3fe49cbe38b27402ed17ff02fcce88
SHA51286cd794daaa9da49b5d459ed227b1519c559bae8e1e6f9ee088eb522651bebbda3c934d7e8504a492329cfe2bd89c74076cbd570de1df0e56a2b5d0da1f6f35a
-
Filesize
696KB
MD56134ee9e2a953481ec1b34e1f1cfd091
SHA1504022e8189c1f4e548a3a16e524e4fd867f4cc9
SHA25685076670417083dd4695682439f0dcd6534c166c0938b61cc2aaf5e7e767256b
SHA5127dcd8679d05d7f12219161b6cd360b5306ebcf12a3d1c371642d77ce94b4af0e626d02e2635c393166bd12052671732542843e6a7c3caf38d408ef82dec4670b
-
Filesize
588KB
MD5f5d8a1c66c024315ea8a1b2b7253cd1b
SHA1890769db2d0f28a6c8ad66507e6e9497f830dc0d
SHA256728d6381dd8c7c1ce4acc386954ab88a6715848b689830f18803d307a451f540
SHA512944a02bc49387259e32236bef57c10e68568ecdfe8eaa30ea5fc7258dc14058f48f9e0662d4dc823dfceeef8aff95c719ba532fb7ba856435a0fb38ad65b0a92
-
Filesize
1.7MB
MD50860fe09987d5d1dd05f1f3fdd5b5db7
SHA1e67a25c4189bc71d8b37e25f230db5c1d6aec52a
SHA256d736c9f3ab3138cbfa7a49fad020e177410b4b66b3e1279a10d3b8f166b8030e
SHA5121d0035d6e25660494cb164591526306c990ea87ef14970d6b2f7d24d2e9454344296ac85592fae386ccaa9367f4252561a29d60d2ad2eb6cde2f6a5a119fad9b
-
Filesize
659KB
MD5109ca12fdd838675b7fee7c4bec72536
SHA18e2d3e0d1f2d9b282418e3a39170c60d3ace21c3
SHA256bdfbc52ebe001801a21243b3dec20e73504be3184e6f8154e37d528459ae4c96
SHA512e80d4d8f4fb74febd0d158c5e715058dfa5d79de4cf1962e692583dbc03ed1a805f6c8233850bd68b68528fe6df2207c93c57fa196fc10c7cd07d2481293dd24
-
Filesize
1.2MB
MD52a52ca7a1dbf1f7604b2d9c52eec817e
SHA137840a231e7f3cb8cc1f45076e10178043822f8d
SHA256147ae481f5db6f6f8e8b055752d6b4c1f52530912db9a446915c0ff788d341d1
SHA512320b2542d452909ec68d12e04e697e01ad4a1ba33f0a8b7c8d6d6e6fcaa45f19b7d63cb9c845fddae0595b657d2872feaf085dc7beb0ef5b5ce55efcf74c66c2
-
Filesize
578KB
MD58d1e5064c43f2e706423678d05b7d2eb
SHA1f156b587500814145bc405593c23f82205b8c10e
SHA256a43213c9c0b9d911b6d1bf9817cbcedc55cd99fe5c9c580929e7064d4a1fb3dd
SHA51219138135374d9386927bd09ca979a7eabefd3042605abfd10e963a386f708c90ce9ee038ee283a995d90ba80a2d1c10078465f9e2db12d6167feaabab036acc7
-
Filesize
940KB
MD5f55179f9b052e01b03da9cd5a86229d1
SHA1c1d0ce9b6c393cf5075476d8dc33d2344bc57d6d
SHA25698103efcd3dfa7c0365d8b93f360f89518e6b74694a407a2fb8e1034f99beb9a
SHA5129b637bc444b6edf5c1380b5cf060bfc41d096d88865e0bff4826735aa6152cbd2d5e8443fedf1e9587aedb46ee634a958001a3b966cdd30dffc06cc979f40abf
-
Filesize
671KB
MD516bad9f75a8e3e2f8123796bf1a71cdc
SHA147d7352682845339dcedd2f7a9927b10a27be4bb
SHA256698604cf7ac32e13a75c9ab5e08b2843c3d4064b7f75a73e8ef5815f31fff0e5
SHA5124e1fc81441fa7cbeb070dac3b8148f0c57b946f024ed4b334756f8ad2167e7d6548d678fc483b09ddafa2955607f4d07fb8c5cd38fa9509f442586c78c955491
-
Filesize
1.4MB
MD59c016fd6612495983aa0dadc235ac4a4
SHA1e18146d53a1d31ec53a1e2940226561e44c4738e
SHA256dfa96733e0cddaafdb9a0d985536c574dbe6e241e6771be9491d5d1a99a897dd
SHA512f1562af89e4f64d2809a8188194d564d9ee54154446ea13c9fa0b05e933bed38846ec6428845ae8820a50b23c79cfc05ac5f072a8cf81475f04af14946c8c714
-
Filesize
1.8MB
MD5e2ce9fb417948f0deca39b06df49eef9
SHA159f25a9e744d44a4261849de6e292595ca322010
SHA2560906de76790fe532f9ff8a08333bb03f4ee914286d6ca7ad5fb1bb1db7039b8d
SHA512c0683fb9200b451bd3ee6e778121573537e5dc69e0e8ca63a9772dddc638916659316cf688776a3dd6400df1069a7e46f0812daef2354f5b5d0559dc39404b14
-
Filesize
1.4MB
MD5b6c62e959b641b0cad6abfe8eac702a3
SHA1c50ae2017619ee8ada7896328bff82f1df604a96
SHA256c82031c82cf27041493447ac3d9318461e17ad30d76f29b05eed768b3d67773f
SHA512a98614f77e5c021c4e127dbdd216ac76a9c280f31bba17e5b8618488c0fd216ff3d7e288955a36c5a4ea5339f06c064aabba54e55721c6cd2c1c3325771da56b
-
Filesize
885KB
MD5376496eb09bcb040ac77c12d86ebf987
SHA1c461ab9c9357c7f9cd89df311c0c021065a6e04d
SHA25672466edc03cfb212a590b692a79f4f79d2d4554685596ac6f4fea9867dd4028a
SHA512d3cb61e32b67fd7029777bd6c2f603f28dd2ad2b6ca41a791627c9ced88abc1e5a8804bca58896b7bf835a13a4a334ed7d444b7ed1931c43120a7a45435c35a8
-
Filesize
2.0MB
MD58bf1b58faa14185f9814bc8955626921
SHA16d7c1dee22f022b53f6711607ab5de0859af420f
SHA256d25a9907d976ca02a1cacdd81cddfc96d3d2acc381cacad1277744ff0b3d8bc2
SHA512dc42cdc516df9081398c9d977511eff412a9aadc3383de43760111f2b6c6217345b6650a9a871e86ab30f77b7bc56ef488f84337b48a58891afa6823290f5c1c
-
Filesize
661KB
MD5e613d47ab6bd918ebb11c9946be6d4d6
SHA17bdabd7ddfe7cce42ec4b3d3eb3721b3b9d61a4d
SHA2567627c19005efbef8d0b5dd801b32e50334a18a0477b2d79baee7cbc0f29f2541
SHA512b004e2689e285445c8d06edaa5629996ce3dbaff59cbc3e0e44fa7d89af8613ea298ee13a7ecf58510769a1533be3284699710fa1cb4e74b23edcfc543d8f98a
-
Filesize
712KB
MD508ca04ce73c2f23ff92dcbacd1ff1496
SHA1f61a4b924f5361353a262635a3b290609319737a
SHA25681b2bcb03f4253bce0485bf1de7f38657804ba319869e31b5e81555cccec0e26
SHA51267b582e320987c7801482f92c3021a96d77cf5572bd697ab7d25f49ea49e2df6eb29d622559ec91accaecd022a630bdecd6d13c67363147bed067025dc3e9c72
-
Filesize
584KB
MD597b18d5a2fc31fc9a19d29f88fe36964
SHA1b9bc87e38c0c33849987054875515db3fd4306dd
SHA256503a37d1543f82a69f1d34780118c6b84c96e6a84d520535cb685096b52008f2
SHA5123d15777fc6f9eea230ce25bafe44293c5478e0ce4042cae3652892d526980032a47ead4f32bebed636c5b1efc2b2f48e75ffa039ae4c82424f8d2d7d3cf195c2
-
Filesize
1.3MB
MD573fc7bf146c10ace935df0558f463329
SHA1b33f7ba8454140a82bf849f47890373885f68ae9
SHA256cda2934eac62be42580e77b8e95acdacd5583bb3f5eec3195f9990d4f8b086da
SHA51292c266cbe1ed2d623d65485702e04edc672fd6dbf79d33bdc7e2be1622b416003b98f134dd7aec3685755a9f1c881c3017079e52e72a33681b421c315ddeca0f
-
Filesize
772KB
MD584c9551fed1b0022f993d2c8b3c55a45
SHA1be022243d20a9ed6314bc227d8817a138583bdd1
SHA2567d6f24e3e333d83e6ea49e20a07db58337f40025dcaa4d09890baaf2cc40e79b
SHA512ac70a211d2aaf8f67f4c2f28f085cb1dad5a026e317b54e7c4a3d0f26d8fa1448319c40853a26b8e2253651fabab56390d0c09bfdf46d8e77cc5ab7d2ff4e7f2
-
Filesize
2.1MB
MD57b5d8604f847d571ae0a24d9a5148f48
SHA136549d7c50136bc2cf4d72a5cf4dd56608911828
SHA256ae06f990c7401b7cfe6f4491ea1946f5dfdf4409be05a639bfe5d94eaee65059
SHA512b2ffb5b98f87b58b3545444fa1a5ab9f8a8b471329900ddfbc8eaf264fbef22caa92edf4e27b19570729f963a99e16cee2d2e8cd5a25f1bba7e99caf5cca84e0
-
Filesize
1.3MB
MD53b1317deedaaeec6636bffc33becf78b
SHA136a4098969a76ea312097d603fa3410745363f11
SHA256a3df4f3f65f1540fd0d583e65dc9eb4cb22c075eba73f7bf67a6bf7d908d89b6
SHA512591d27bc63da972954b8ee74c31938d48ca7a83a3339186c0fcaf143f72b8909eb41d397c1ccd23eff84eddd9b45f7ccca6cf555ce34f51da1c9a140ad676a18
-
Filesize
877KB
MD5bed3efc4144297e434056e25b16ea33c
SHA125c40644b7790f90772a6490e3347e05713ad115
SHA2562b0e940bb05b60cfff4b15b1ecb2912508e59744720e1d857a9c1394c17b4b90
SHA5124f39a6318145770c4d8d72c88b2ae078326a52e2aeeb80a97a8ea7906673654e4ce92fbfbf30252caf7f85d65f6b7ca4d53d6d84574add731dc12300c2a452ca
-
Filesize
635KB
MD5607ccefc6d1ec3d9b9c633f878ee94c4
SHA1b98a033b0b722b5dd3ce7747923519cbc2180937
SHA2569bfb5ffe51caf52f9201c96b5251ef78d24db6b02c3b18423dfbbaae66043773
SHA5126b3ed311af27b260882f7cafeaaa2cf08700c8db803433c6a6701474f3422bd020b626972fe43414886d18326793349a612e3679783369bdc3f85b6be2258a87
-
Filesize
5.6MB
MD57e7ec331e42a61d92cc67760fd51f54a
SHA1a8106a52bf60c5086d8886d8d0865be36054cc51
SHA2561b9f87a8172162779d068a3c435d985a62221b2663283d37a906fc6c3a7319a2
SHA512055878cb192325c8d2ece6931943b823b2712bcef8f103142ae6ef93cf1aba773d51ef039fdc5771683ba6e0470927caf73cef7b2a894d80762943bbb18c7a6b