Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 20:36

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
Resource: win7-20240508-en

General

Target: 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
Size: 1.8MB
MD5: 555f04f222fcc83cf3c49baf2bab24ec
SHA1: 81fd64b82850d1f6e555a0c8b0c246a3120f58fd
SHA256: 02399dcf2e2f4493d6299131c005017e253662b5f42484a9ea68be827f65f717
SHA512: a36f61f72e89308c5b87f82037b62390299f3c64baa46e5f7407f17df033fc39ab73d4b2698d1f97df4993de52abb0c58ff54a94656e14e8bb693f1fa8b545e2
SSDEEP: 24576:/30wJ529+RipvL1SXk1QE1RGOTnIEQc4au9NgxnHNni6J17W8CX32+KJNA80T:/E19+ApwXk1QE1RzsEQPaxHNbcW+S8
Malware Config

Signatures

Executes dropped EXE (22 IoCs)

pid | Process
4136 | alg.exe
2756 | DiagnosticsHub.StandardCollector.Service.exe
2004 | fxssvc.exe
4860 | elevation_service.exe
2284 | elevation_service.exe
5108 | maintenanceservice.exe
4696 | msdtc.exe
2228 | OSE.EXE
4524 | PerceptionSimulationService.exe
3652 | perfhost.exe
4292 | locator.exe
1604 | SensorDataService.exe
2136 | snmptrap.exe
4028 | spectrum.exe
4116 | ssh-agent.exe
3912 | TieringEngineService.exe
2052 | AgentService.exe
1364 | vds.exe
4768 | vssvc.exe
4512 | wbengine.exe
2640 | WmiApSrv.exe
536 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\564ea7754a48edc7.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
Drops file in Windows directory (3 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d31d583e3b9da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080751683e3b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c8f3484e3b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b228483e3b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008335d281e3b9da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
3696 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3696 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
Token: SeAuditPrivilege 2004 fxssvc.exe
Token: SeRestorePrivilege 3912 TieringEngineService.exe
Token: SeManageVolumePrivilege 3912 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2052 AgentService.exe
Token: SeBackupPrivilege 4768 vssvc.exe
Token: SeRestorePrivilege 4768 vssvc.exe
Token: SeAuditPrivilege 4768 vssvc.exe
Token: SeBackupPrivilege 4512 wbengine.exe
Token: SeRestorePrivilege 4512 wbengine.exe
Token: SeSecurityPrivilege 4512 wbengine.exe
Token: 33 536 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 536 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 536 SearchIndexer.exe (23 identical entries)
Token: SeDebugPrivilege 3696 2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe (6 identical entries)
Token: SeDebugPrivilege 4136 alg.exe (3 identical entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 536 wrote to memory of 1516 536 SearchIndexer.exe 113
PID 536 wrote to memory of 1516 536 SearchIndexer.exe 113
PID 536 wrote to memory of 2772 536 SearchIndexer.exe 114
PID 536 wrote to memory of 2772 536 SearchIndexer.exe 114
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-08_555f04f222fcc83cf3c49baf2bab24ec_bkransomware.exe" (tree depth 1)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3696
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe (tree depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 4136
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (tree depth 1)
- Executes dropped EXE
PID: 2756
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (tree depth 1)
PID: 1632
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe (tree depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2004
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe" (tree depth 1)
- Executes dropped EXE
PID: 4860
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" (tree depth 1)
- Executes dropped EXE
PID: 2284
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (tree depth 1)
- Executes dropped EXE
PID: 5108
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe (tree depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 4696
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (tree depth 1)
- Executes dropped EXE
PID: 2228
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (tree depth 1)
- Executes dropped EXE
PID: 4524
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe (tree depth 1)
- Executes dropped EXE
PID: 3652
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe (tree depth 1)
- Executes dropped EXE
PID: 4292
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe (tree depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1604
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe (tree depth 1)
- Executes dropped EXE
PID: 2136
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe (tree depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4028
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe (tree depth 1)
- Executes dropped EXE
PID: 4116
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (tree depth 1)
PID: 4336
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe (tree depth 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 3912
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe (tree depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2052
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe (tree depth 1)
- Executes dropped EXE
PID: 1364
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe (tree depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4768
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe" (tree depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4512
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe (tree depth 1)
- Executes dropped EXE
PID: 2640
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding (tree depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 536
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (tree depth 2, child of PID 536)
- Modifies data under HKEY_USERS
PID: 1516
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 (tree depth 2, child of PID 536)
- Modifies data under HKEY_USERS
PID: 2772
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 865517a3782486932429ca55fbf5ec79
SHA1 5d53783ec0c7da7f756fb702e0259ffcdcd06cde
SHA256 3756a67944bd5fbe9d3af2a33aa4d204065e7e1321d290add1cc40282717d894
SHA512 ca4bc404331241cf0e5f90c725a46740a562af41594b77e35087e16556efa73ec91846f83027083f042a487e54d04af377159f8f214ce8367b515b6970232afc
-
Filesize 797KB
MD5 de032528b5448791ec97dd6228128408
SHA1 27e218a31dab9a53352f89e0a1389a5132057a91
SHA256 15ab8088f9e58496a9ee80c3249e22e6a6dd5ee4bb182000a95111b057c65f9a
SHA512 3842232c02ddd31502929b94f1e6d3deae2ee5e3f87fdc67aac33fddedf4c4480dbbd05dbd7c7b2e85dad7b409b3ed79c88fbd108e9553836780ca36ba09c119
-
Filesize 1.1MB
MD5 ba6ea56fca20bb039105a39af6a4e7ba
SHA1 547f431d18356dfc9181d6dd75de486bab8f4b5d
SHA256 397cae07597506c37362002441ecb76df1ca6bdd3588cbf055d3189fdc8757a6
SHA512 55f11840bfea31ababad4995843b302b49d3d19eff05eee5a369c1ae714d16de3c4db4201681ef5c3fdb39d2a7f650529cffbfb2ab8df3fbc90a8ce9d64cfc91
-
Filesize 1.5MB
MD5 21a1da745057c8198733af843eca708b
SHA1 f5163ded9634b23828e306e7b7854995cd05a124
SHA256 49ed02caad74f930325be39e2af5a5cc9b29c512a9e3767934fb0a2c5ae51255
SHA512 52df8ca96589d1011804633b287d04df699373b34413adb34cf13121c2b04e9bf412bd8faead0673a8dc450014e3ab42c7342493a38edb7762ccb8e029a6c095
-
Filesize 1.2MB
MD5 8d6ebcf3629acaa11f321c56d62053df
SHA1 1dc387f861e17a24ddd4286b3867295ed94a377b
SHA256 3f28f3c44d197fff9007b27566bd0ae123e5e710f212e33478f2e680f8220463
SHA512 cef9b33b1e2b7175129b06ff84c145c87da88b7030eacab41a4faa385ec2a0e551d686dfb70fe4bed31a956b172fe3d87f30c0acf5f43771d52f12a7055af245
-
Filesize 582KB
MD5 fa8d0b8f12a106940ab7183f3e25550c
SHA1 732f63d715fd8c9a9d92ee08112bcd4034aa8203
SHA256 db511bb88da699eac1fd0dd73ae803a65e0f56530e6e70818721927ac90daca2
SHA512 bb3452f5637e4571a0e903c847d6b678d0a33afa8cb10a8efd75a7b9dd5f3806daf76498ad1a25d33f8631ef9ee60fec09d2efb28661fc13419a19081241ea8e
-
Filesize 840KB
MD5 25bb9f15f4932b9442bfa060d9642b21
SHA1 befb9e7fc65362875655b42e47d70184a06458a3
SHA256 f5bc4331f053fafdcf643f118dd14f22c8f2a01c3d07613c77a30b66e049a7b3
SHA512 8d811dec07d12956deec136f985695b379009450f076382ac093d552291c91baa5729371d5a50a596f01561b6ad7b16f2ed92a1e3086eb418d5629770d19c1d0
-
Filesize 4.6MB
MD5 7e368b124e2032c2590b3e939537fd33
SHA1 fc2ab1216bf97961103e4c1c5230978ffc3776c0
SHA256 866f5789730d08ec200a0393dc45f91fec89f35420c6f381435696779ff5c282
SHA512 3b43c7c3efd95700efd42d17b181e62ae50ec8636c2db3ce2f9305ad79bd78177fa91087292396b45f87160ad87a60abed1b0d114b2b77a816662ce18cec9acc
-
Filesize 910KB
MD5 e89e2263b22e6407ee5041c02d2be405
SHA1 7f342b10524a2278ef8176e0935c15810175ddf1
SHA256 a05f2fe53f85a2282341eac947a34fa2fd7be7625ab9fda18f560eb2e4950bf4
SHA512 251391a74fe0dd0c35b2b9f27114451d053b8cdd3ce899b0641a663b5a5da724ac2f290909c8d69a4ef274c31785582a0b7062a92d4b3786b1ebddb4d25c2520
-
Filesize 24.0MB
MD5 1e17d795d45d09c27a2a4ee0f18fb81d
SHA1 f72f260fcee12e9005b1255487f267fcddeeeb10
SHA256 7e3397c19b1891f65a738fb11aa665e3cb18074080b4661cf3dbe59955dcd335
SHA512 938559cc8f8110e1cda1d898c37e0f73368eb535754e249f206921fd9c5df0db78a6f56ac741cbe101ff06955ae42bbc59db7eebe2e699306344371b3aa1bef5
-
Filesize 2.7MB
MD5 2dbe81feb388b1c6f253f0af04644863
SHA1 0afcf7b9741dea891c86193e710d455941e3b0a0
SHA256 b32f2c6414f78dd31dac1f19bc12512d6609d77501ba0a9b947fe4e03d3434e9
SHA512 c4bc7a18bf07c11bb7b9d53bc266ca9f0a263171b7b5ad1987ff771b73bca755851f3234af831380867ef1226b07cd245c75df91eef4793ef03bdc78617be8e4
-
Filesize 1.1MB
MD5 a0b5ac8baedd426e56f5cd2715374cbd
SHA1 6fda05e77655f11c2975e116c114b8e2d9f8e420
SHA256 0b2a979d708980f5dec477da65e989c3f439071308fca94ab07dd84a2285f192
SHA512 81b3553013e283e1486ab0b643fc9ce3e7715e5bd2b3921d540ed812eaf10c0d86db0bf8f553d35943a6f7abc6e91b7d48d03b79092aa9cc6a1dbe22686bb029
-
Filesize 805KB
MD5 cd214ee5bd238d59ac8d85482d027197
SHA1 39e517f3d93b4ff22be5b086e0bf7ab71e8d6107
SHA256 c13ed8a21e7ae8c77dabf1d251401119244ab45648b4f19cbc5f64e92c9068fb
SHA512 6d8e90856b15a952de857d6c36316b18b560143bd7ab749afaa28649200154b1c02ed24f9b630f9965ebf24e44fa5298e62b7211e5029266a098c052fd1c8a65
-
Filesize 656KB
MD5 924bea222d069c82e3a419a3aea3f33d
SHA1 3ec0a91d28e9fedef58c66661f2244e909f657d1
SHA256 97a0a4b09dc0c923f0a57dda9183c6b15cbc9d4a93d91c1ca898c80f923bf5bb
SHA512 994ccf80bf9480075dc61e26b6ded0a27324bd7141faf9dc61fe6e1285a8c2f999673e26c6324c9237ed17dc553be38808f43a8b1bd38830961bd22b19bc1293
-
Filesize 5.4MB
MD5 65246f275033bcc61cd98b13ce97cc14
SHA1 b9b3efee89871d11fdcd4477a586884695df3d3e
SHA256 a85531380b0225bd6e5fa5c048a5eee225558061698ca811076431fc1244d118
SHA512 5680e587132fcf77275763d3fca9f1298d28686c5a5f63d68f0042c66dd62b2c97637808a78d5468c9824027e7d616e727cd7d2caeda49bcb0a1e6131cdabd4f
-
Filesize 5.4MB
MD5 f5ce9b55b4c8d51cc8e0705ab6d95999
SHA1 1744cc9d46cc3c59c7f303ad7b1dc3c0d0d42cad
SHA256 870b3dfd87bb7f19adc5211ae23b312173e7b206ceda1a0b3d00ef01396a7914
SHA512 9ebb856bd7acdde399da37852438e4bccff98c5ea942f0a0882f323fa92e98bd6af3f6621ee4e1a4d1d5e37379820057fac0587b624af73fbf11191f5d35af89
-
Filesize 2.0MB
MD5 b52c495b14e0b43db36746ed666ae7c1
SHA1 ea7fa9493b06f255b5b6a9163b15a953f5b319d0
SHA256 b88a563f0d2c625f9effd011d24bc9bfdb9570f3e066995efb2ef61745bb7a6e
SHA512 0958f20372e666270129dd12633fb680f2730ef148b147f53cc8acc88505f0587482908d9bc4b66e7cd8f104ba59fdf04b40f27b39c746225ba276199c90df3c
-
Filesize 2.2MB
MD5 c6b177e6e375889293e30dc95c669034
SHA1 7657e00e000333f1a2cef70843c8e2897639e82d
SHA256 2ad24f2b4b2b79913e36d8907e9f5e77d8cc9498a52f91990dc56e8284c5bbff
SHA512 9bfae2fa9ea86d2951d4e789a1ffdfaebbb07d147a592f1288779981a5c7a5c78f4e547c296d089dd0dccb1c5df0a6d2a506b3706fa4e888d95431b559d4a5cd
-
Filesize 1.8MB
MD5 3a33bf31d82293c179cf377af425ea33
SHA1 b66008e08d637181c462526a8d65e2055766f040
SHA256 68b39e9c3e9752dafa9ce7aa06f52348d1209ab3f6a466116a831db38ffe0f6b
SHA512 3d16fbf592fdda25a2caab9bdcec2fbdf8cf7e3553c3c10d7738902fc8423da176a30e1c29dc5a22c2dbbb2848257c25346059f910cc27ac453f75fddb24f43f
-
Filesize 1.7MB
MD5 6727fb7099e591e8b8fffb0b84ca8315
SHA1 c762a028bc54fbe5eeeb9028aec33dc0e2e3aeb6
SHA256 0f83d4fa913a7378cd94b709be6ee96aa46baef2ff4dd84c7d567ad721afcc6d
SHA512 42d878b9c17167d49f54e9ed642b990f6dce6375ee01ab9b6ed70b42f972c23665757350b2adce69d0ac73eee02ad8e7ade7da27252581141accf9da4a7bf3db
-
Filesize 581KB
MD5 423c49d6785e9f948430b83237c50297
SHA1 791b29c439a9c8783d7b2e8501e4a715a51254b2
SHA256 9299ccae4614b8ca3e8267cc25f45186d390e08a455024c000b67a188ab3870b
SHA512 58598d41a65370a5026a1fd9fba289c273639d4cc1e2db115b3fb0d3ebc6c02c6b10094a32a453191194570a306b848e11cdf0971ce3dd0f781ab06a820bf615
-
Filesize 581KB
MD5 15f27301ce4196a3946e9c8473d11b18
SHA1 d949732cb4838ef0d6cd0e82c3ab1b4aa9e10447
SHA256 85ac81e543a08b236d98c1f48f9ff3e0034a75a783535e8ad8fe2fcc6d17f56d
SHA512 687a65078d166620cb1542cb2e95e28f780f461546d84fa9ea22c8b0d1d5c6a6e0efb7ccba1a37be8f1fad2263c575da1b4d00ddf246f18451934c2628a97311
-
Filesize 581KB
MD5 1aff51aefe8f254cf71dff29e231cc16
SHA1 c96e8cb6b4079f14b8905c005f76b3ac06cde8bb
SHA256 29bbcbf43e5dbbc5476c277449cb56c66f5828239ef50d6c2316250b5331656b
SHA512 40496d505d5ae80cd0174059a0cfb4f0bd28aedcadc8fa5a29a77373411144ba74fa1dae711d0ce65558950e679ef58202d8b44d62f1f3f32c48f12bb9b29e43
-
Filesize 601KB
MD5 c130236fb594cd83fecc4321b36e1da0
SHA1 4b09b96dacf3b4245a2666ec3bfa7a2ec30c98f4
SHA256 2d70062f4bfb0ec86f13fa4e68d1c9c6bde918f42987bcd5567ecdefa8fbb40f
SHA512 4e701b86265c466a704ddc7bb73497f13802e814a55991a8cc89c856b1d20370daae163af48fbe0cf2a166c0eb08027ca68a29a8775afc9b77d97595f2ef184a
-
Filesize 581KB
MD5 167b2290c07d9c6d1beb61a2a8583807
SHA1 0cd4deafa00eecb3acc34841cfaf14201ac291ef
SHA256 9dcdc6b4b5ee3a20edf27a359cd6c1ac5a128a1af0764c13daca467353dd9b78
SHA512 b8fc05ed088a459d03251e7693150d7db5c218b1b3bbc1d4f448805574b61db455829ab657221bf318505577b6bc8fbf4b1aa9a915cbdb4a17081abf694a6ead
-
Filesize 581KB
MD5 ed85504d10bb8ed5854eca9989e4b4df
SHA1 c9adc93e3107b696df4b80a6e55239488f80f12c
SHA256 25e62328f6f82e7524171a4ae43c88abad8a251b6d2d2a5db133480fed229238
SHA512 1eb8af8ddb7cc4f1dedab580b8b32b2e77de43c1044b6022d19eb41ca6e7c4f1eea5572d38f9d0c2326094d89628e7072f02a508c06eafff462a8bcb323b7ba8
-
Filesize 581KB
MD5 b771babf163b78fe7338ff1c5e47aff9
SHA1 bf5d203fc10f2f7a83f9b86d5869676df9adaafd
SHA256 4cf9aba43fda81a539493c1ce5acbd3ef5caebda928b3a4c38179a62a29fe8bc
SHA512 8dd288f5f3f06971d294145ecb9cdb858e50dab32a2e55f1c3ece9c548ff81a1debca5278277d27f3357cbe2cecb5e2f75efe6be8c1fac3605fc3e461fecb1bf
-
Filesize 841KB
MD5 4a82b05012f6cf7e2481ddfd52924a8b
SHA1 7054c638e36817235099b5f348b8731adf9b3115
SHA256 9a1ca8db76a765ead1436a6f693432e6dc4a1b4fc169728e7ba9562f87aef0f4
SHA512 a113d75365a8290ed4fcf20e7d675e0c92f3bc3c051d552c117a8bbcd56f784e8adea280fe92134b3dc10abed006668d8bff47b20ca4f50962df1c61e1de6122
-
Filesize 581KB
MD5 689d94536f3be16606beebae0bdfe835
SHA1 d6f0a9c802acebfe7bd8cab2336a849f376956ea
SHA256 7b513628db5c72e737c1c0a5e4f3e5f00fdda82e7901f732a2c9556b4c3ce577
SHA512 99d6cd38c2ee91b42586c05972e40d43d6d3da54b080b48ab28e29c875facca5532446f6c8700d65fc51f44a5a98245f299c6273d695340130bf07a88480cee2
-
Filesize 581KB
MD5 35a8460176feb1cdc39ad759dc8ad637
SHA1 ff269f17dc00acad9d296eebf3ca5d112b2901c6
SHA256 ad715cae4d8ac42cb7c20a790f0c30c155041220af4628107f537ed6031e6476
SHA512 73e6d8ecff70670999556d416f2a14adfc883150b114b2d6402c1f79bdc8e63313726e0685382160002b1ea9f85e4cf2a10224d07b749c5e09f388e0f1fbddbc
-
Filesize 717KB
MD5 3e1964efd82d6a90593e4bb39c893e1d
SHA1 b57a9f42aa28d021fb5532b362a902c857e2b280
SHA256 562161d30f77149c72453b8f3074c1781cf162071ac91af303762af04b2f77a4
SHA512 6f0e7f1c2d456a5596cfa0e4ccf3a172ec752424b9bb02a6dbed5c525460bfd3579072c0417ddfbc7800004b33f4cb7794ec621bcd185f45829d4c3bb2af7dc8
-
Filesize 581KB
MD5 b3fdd9f99b57fe850075d2dcbcb7a429
SHA1 41e2f9d6d24a5f6649c4e16b1237493f3a79e8c8
SHA256 bb0a1345c63579371fa02d03f17ad6a4ad28ea53f9dd482cc0fc287e2f9bd1a5
SHA512 7da06335fe6cda3e964aa208a69d3e48ed6267aacd1534e4ac7fda5f8402ccc93e24428fbf49365d2494cc8453586f25abb50e37d3d8a00bfb34f9c0bccd612b
-
Filesize 581KB
MD5 da75ff4b4e71474a13ab3125d6a02352
SHA1 35bc2222e159ba60ee2d46aeb0bcdc8c334be062
SHA256 53902922a5e05eb567856c2df3e38ab6e4cbc676d9c71ac53051f50c8b338f38
SHA512 a233d43ab1b43578596344a9b3d8069b749d8bdc7772dad49df7e55508395beb7e728a015522692fbe7f20ea881066d03b0c96949e9899f483267fcbcd7ddfa2
-
Filesize 717KB
MD5 28703affa056967403621ee2ed7545cb
SHA1 bcd86e521d0c38a3e6be7a95de573d98a0a337ee
SHA256 5a735d1443e328d174c8bf95ec88a8483ed920cb0dccdf84f6cf3db42a44690c
SHA512 3a00362d8147f4ab4340e56197d01e2f9e734ce230506144a93178ef86bf5fd13faa2b2fa9da7d44b96583290db8a36ddf9faad610ddf3a745877cf536dfa702
-
Filesize 841KB
MD5 920e6adb3c00f5cabdb4dd154beaabf2
SHA1 e4d48272fde1bbe155a17b358930bcb4a6c97db0
SHA256 2ab61609faebf1db8bcc51c4315aba7da5cc5643d6c8e786929b4cf94b69e0b5
SHA512 32c1d95c253cae667246f1ec7e0dd8630e85aeac47f499bf492e9b9ed1c13fb75b11f4e8e92104b42ab4eec3b1d88d77e2ddf10b9f0e8801dd475326315ff715
-
Filesize 1020KB
MD5 2ef6e2d37064c5d0f638d076f821bd50
SHA1 f120851c8274f0d4d7ac31b5afd8d9106f046b15
SHA256 057f7209a98435c48e3cec8050a20b358ccbfd2f6919a11e830fae0139178a27
SHA512 138db70640b8070931e8fcb595daec0c4326b0c1196c554603f6219a0d393c215f8280dc46ab0da886378c93f853d0b6f83edfdbe51d2144cf428478e0195ed0
-
Filesize 1.5MB
MD5 9aa9fd525f5decf5b421b8e5eb304348
SHA1 1d27f75286b337d26a4dd9b67f238a7079ea1fb6
SHA256 5d0166503a06d87ac3475f446ab55fe47bd6f218abdb018138466eac8823a62d
SHA512 e0a0eb1db8c3bc40af5e050fc8eccf1fb8457cb4f24f1d522c0904feb28a0da9376948bf539acc2dc736900b2e1d6d63bf3a28f2c518534d300bd3402e18d509
-
Filesize 701KB
MD5 2e8dac6e1dfea903f74539016a728f05
SHA1 41e89265ff2566a4b0d608d983b91da23c813148
SHA256 4c9dcdcfd166251e456e2f67da4d86d560417cef7e8e1e5be32d4544085e8fe6
SHA512 d64694ea7fa2ba6039082f6c1fd55f272fc4b1c57d2439fd660556438ac0ddc2416288444c7ace71b7f138018335ebfd62bd5e70d0db34afcf54f004cdfb4919
-
Filesize 588KB
MD5 4df999f74f12aad9668a8e03daa3c47d
SHA1 ddecd6678f75086db4a2c6c185853f0a3e4dcb42
SHA256 daac79416a4cb5ca1f7d0648280700428ddf4e1b3077be269bb4330af2718fcb
SHA512 202cd40dc2209677b19581df3c7d4148d430a0c9d54d2bae227d508e54b7f1c78d059846dd55fbdbb4afdc3bf29ee6a66a12dff91876d637e51c192c16241c12
-
Filesize 1.7MB
MD5 8b430e0b6c292595ac7462157a9d5904
SHA1 ab8988a2129537e27106b5bac9bce9cfe60ea482
SHA256 1160242f7d2ebd89edbff09af6508f9ff11ea8b7ec74fc8b2bd4b3765d5ed166
SHA512 7b34ff9520b58e3ac94e39c64d304b6d7e9a205b3677e264d54fc4bc093b072f02288a8227743d5399d9fe313af341df788ddedb8fb3dd8e50b3efc45bf97cfa
-
Filesize 659KB
MD5 2b834290f8bd5939178164ebaa960c85
SHA1 4b5c96d443cfba39f87376671c15cc56bc66d5f4
SHA256 ed33e0d727227b01cadebb1e271595074ab24f9f8936a399b2d9b278de30290c
SHA512 1da13f73bbcc3289962f845fe5d2eb5e6c74f179bfe101d41426ed64f1b70fa2a30be1fee29a770ca89b3c346bb39b66327ad0eb6b1a1220a8b0df9b03cbb76b
-
Filesize 1.2MB
MD5 8c89d0ac3b9931acfbd2cd2ea2f05483
SHA1 86628f3b74818936f2fc8db723d1a45edef67a9f
SHA256 357b0df02a003423aa247575206cbcd8c176991231fbcdd581298ebf25b1e465
SHA512 3aa066cf79cf40e2a616d83c335bb96328108f5b519562dad9d740991dc948fa1a440377ae71a20e3011655e20c655be07a14dd538c50e9dd886447dcca0cc39
-
Filesize 578KB
MD5 a185f38dc6833a3806ca17adcd389f6e
SHA1 a10e8f77ca751bc71e7f30aeea91dfaf92146b55
SHA256 e5638b0b99ba2ca09668f54b791db7b60f5016abfa1d492ccf3bbb397fced447
SHA512 daabc271b5d72f1671432f032331cbea5e18df2408f7ef87ebec763aaa77423c87b4445cdd6c2add1694e6f96beadb4efff06b9bcb489adb5d9714495a1d0b09
-
Filesize 940KB
MD5 be63e89e6d2fc10350120acb53b07067
SHA1 ca99f3cbd529a0741dad1d84c1a60d7e0ba8213d
SHA256 8cace3dde581cf43ff2c1aaecda42f5a4d920a90926745802f44ef7c5e66ab93
SHA512 200ef653beacbd12d3d45c501f5b298b405f5bb7a7d8ecb9437d97ae9213cc3f2a6ade2b9d8e111d133efa228302ed962eecb11ea0e04cb3f5c4aa49404421d7
-
Filesize 671KB
MD5 e9c5be4dae11d6b492431352f61a027a
SHA1 ef196f3849f0975f2c4f5405207c2fc4eaa8eca1
SHA256 72f77df8552da40ae1dd5b71b5f530a9e60c8d4a073042141e39c4d546076462
SHA512 73a5e206d8e40cd4191c5eb1a56e658b48ca0dd1f46485a19a2a26621c00c1e890556f297ee2d4075b337b2172df0ac22079997c9581ba26c3dfb5f3b8c3f223
-
Filesize 1.4MB
MD5 164b452bb819860e38cb151a8736905f
SHA1 be9eec116ad8d49701fccea85f21978ddae800ba
SHA256 83a4022219efa4cdc7d84c711479c9ae225707a2bf687283ef1a9a07b5995e86
SHA512 b81bd8c377abdf186df3b16c23cbbd19f413a4209bdf09462f326ae9046965b7f074ea22d1ea6182ca9d8b12ca4ab4a2de78aaaf93d98280bd20790ff395b1fb
-
Filesize 1.8MB
MD5 5a6b372b57c9ea1c3fb91c5f35045415
SHA1 ea0dc3a5981dd9573290a79bbdcc6a2f9540fb9e
SHA256 1ee655d5f5c5e1333e3ca3c5fb9ea814b836fbb20696f5d7aa41dadd83cfb5a1
SHA512 4644f9d05a9325344271d7f5ba0091fddd65f56acc0661c1a5139feeb1f42ad6e91f61aae73a870150ee85cc7c7aa9eaf88cf592921d53dee9820ffb84beadf9
-
Filesize 1.4MB
MD5 1f34875ec5c0b68f93319ad2ec4b00bf
SHA1 ee093d5d16d385193d9b5231d2b2ac027f8e2229
SHA256 bba852e0844a78d46f9e49a4fa56254d6e56d59504ceca01cd4f12d02b44a192
SHA512 239e2c6ea010d4628d30f1c2dc3e41a765ad8da0a5412ff61f7221c94ee1460707252d82e0d80a6ed2b13f8543a67058ea2fd5f63714e00b4e02e6bed355718c
-
Filesize 885KB
MD5 754c80853536871e7ebc75be99b527f9
SHA1 882b450ee2265f51fc5c1e8310945fcbb854a6b8
SHA256 987ea9f103f6448aae3ea016809a49b7751b307fbfee155a8ba52eb107c03a7b
SHA512 d0276e53a7aabde9a6fcb9c788be120915843d43721c82f23bb706b621c2477dea8e113e07f8f630355f7f2998702bfcfef96b42f8c2e2b607b1d3744e5773b5
-
Filesize 2.0MB
MD5 a628d411f034cb865f5a094bb8485714
SHA1 60e8c5855ceaecca53f539dbac3f6fb47bf6792d
SHA256 de91c37dc892d8fed2250797fecc9500551a2e15c069f9b518941c27e59582cc
SHA512 c8b079b1dd669799d7463bd8c123c26f8a716a0992e381be2beda918a3fd44a188487b7d18761a13a8de7f5f34f7698216d324c364af99652e877954d82d9e99
-
Filesize 661KB
MD5 9057a29cce8bf7ef31c621ee48b63607
SHA1 140e674226844f8f013d9e09a35dd04fac6bddc8
SHA256 e190dc93327d6849efced4c6e76832c13e4975c4f4f1a19edd7b2d391fb8ad3b
SHA512 641da8e896dc4150c5a928d3cdf23bcebcec1282e6ad13f024a23c8458aea534df64ee7f75d5b4b79e84c5f1ef4db9f9a256b9a6aeee420b4278ff307f48629e
-
Filesize 712KB
MD5 02e63e076415f6710d75941fdec8f2f3
SHA1 3a905188ace9492c0202e57e9c0f4cf35005454b
SHA256 b41f990819a6ca2d176491f541645002cafbd459409c75bbd4ac4e6e626d973e
SHA512 20bc4d7415b9baaef0a7d65af2b6c4c6fa67f6bebbcf6de4f5e0b4036a1c5fcf4a325a78401380abedb10a974ddfee1a0531a9ae7c929d5617ee495900f97c3f
-
Filesize 584KB
MD5 63a688a4882535d13b5c19ea5679d264
SHA1 236bbf49328125ed4710435986c01870aafec39c
SHA256 f57774636d866a66dc1f91e376980bf69d99f7e655f4c8649191770421c5ab74
SHA512 569335b924f2ec694520067140516c1f02c81bc2a658c9f1b7578e45a1a84c05671df8ef77ed2d212e32fbcec98e4466f402e24ac8c900d059f144d749044ff9
-
Filesize 1.3MB
MD5 78af6b6b68fd5c0201b92bcdc03ba9d7
SHA1 72217fa4b49c11cf74c3f20572f6d024b031e7e6
SHA256 310ec886e5a8fd926a6efa0575415f8a72edd84c63645b2b6af32091a5664697
SHA512 1ac2cb6ab762c5318592dadf0a35daba72dc02f768595731394ff989d10f14634b2efb02586bcc8ae5021a7b04cb735388bd7f9965dbbbe1f808a85425739adf
-
Filesize 772KB
MD5 6879d7853eae7580162ba896efe7ff5c
SHA1 255eb0c6abbc49220ec5b3ab1818979a800099bd
SHA256 fe8961361dfd746f48710783768dbcd1930186155e1b6826bfddc5488bc83f6e
SHA512 9b44b2ff675937f28fea29ac536d66ce9f5ad0d9b1d4fd82ff30c2c828972650a73e842b2e9751f7e02b6fbbc3f91f92e4abd5f737e40cf47a08e0298de7368b
-
Filesize 2.1MB
MD5 c092eeb73895930b4258cbd16fff3370
SHA1 61eb0435c9632e6295e5594f6e0800c019e67cf6
SHA256 92547bf4700010bcce326d20c81dbb05f604864f0d8d2e453666c63320868dbd
SHA512 0e29ab34c66039ded1b21a1213c55f1a166a49e3f914304e483afdf0a833b2d3453ed82b3fa052091c86f61e37c5712f02893d556cd1b813b5ced62877a9ad49
-
Filesize 1.3MB
MD5 40ee671aa7012f1d646739770ba7df10
SHA1 049bf18e436bf737f25f78d246b450b891d0b5b6
SHA256 8b113b25e70203367a30590c42972a0739df6eadbad4550af7b699d8483717ed
SHA512 78fcdc0b3674593d6e827886f4b67cbd56c1a0a414925e46c69a82d578118769149223ad356946bccb19cb85199545f8097752a96ed3a1f023513a5420a14112
-
Filesize 877KB
MD5 942ade68972daf8c15d8dac831e7a7cc
SHA1 0a4f6475b39d7b4b4837aba144586e00a5c44103
SHA256 001b762e732b29ad5daec750127a156c67f498c56ca6b624dddabf32e4d14392
SHA512 628c70f7f0ea8573d4a935612ae555b3f69012f1a466d8e1a01860c728e640eedbc306099b1c73f992ed22a17b6f34f1dc8b3e020d76934145a53ca3e19c0513
-
Filesize 635KB
MD5 0b89e461e4d1e6bdea1cd9dd06569976
SHA1 e7d9c67092ab5e8f24684cab5523f315c34ef235
SHA256 d8ee2d6aac3d40622b75a6791e39466b1aef2c23fb66fe3864f4f846981f2b26
SHA512 69a30c52f64f6f21abe4beafa5f02b20f191c495ac1833cee67bb843156a848f3408e4c3f77d042361341b3a3d6fc2664529de7d2a97f6ec43d5b26d40eb789a