Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 17:49
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-11_3a815d486f870d2adb71da4116b967d0_bkransomware.exe
Resource: win7-20240221-en

General
Target: 2024-06-11_3a815d486f870d2adb71da4116b967d0_bkransomware.exe
Size: 1.8MB
MD5: 3a815d486f870d2adb71da4116b967d0
SHA1: 8fe2028ec404feb7bcb10ad8b60bbc9013d6bd8d
SHA256: 7acc00006902e43085db95db69bbe91a0659b65c53b22b2816b969286f886db9
SHA512: b1e480ac66a0f6addd39d2db182c5e02aa54a7b6c0050938d8d31eda61eafd5f6ac7d0c28543fa4d538052bcf44a64d141c2fa6bbb3878d7c0151de2360cf40d
SSDEEP: 49152:0E19+ApwXk1QE1RzsEQPaxHNL65RjUV2Vo:Z93wXmoKj65tUV

Malware Config

Signatures
Executes dropped EXE (22 IoCs)
  pid   | Process
  1292  | alg.exe
  2460  | DiagnosticsHub.StandardCollector.Service.exe
  3064  | fxssvc.exe
  2956  | elevation_service.exe
  2872  | elevation_service.exe
  912   | maintenanceservice.exe
  2320  | msdtc.exe
  4320  | OSE.EXE
  3476  | PerceptionSimulationService.exe
  4268  | perfhost.exe
  4152  | locator.exe
  2416  | SensorDataService.exe
  216   | snmptrap.exe
  1720  | spectrum.exe
  832   | ssh-agent.exe
  1040  | TieringEngineService.exe
  4876  | AgentService.exe
  4520  | vds.exe
  3836  | vssvc.exe
  5072  | wbengine.exe
  1116  | WmiApSrv.exe
  4772  | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-11_3a815d486f870d2adb71da4116b967d0_bkransomware.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process
3280 2024-06-11_3a815d486f870d2adb71da4116b967d0_bkransomware.exe (35 entries)
2460 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3280 2024-06-11_3a815d486f870d2adb71da4116b967d0_bkransomware.exe
Token: SeAuditPrivilege 3064 fxssvc.exe
Token: SeRestorePrivilege 1040 TieringEngineService.exe
Token: SeManageVolumePrivilege 1040 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4876 AgentService.exe
Token: SeBackupPrivilege 3836 vssvc.exe
Token: SeRestorePrivilege 3836 vssvc.exe
Token: SeAuditPrivilege 3836 vssvc.exe
Token: SeBackupPrivilege 5072 wbengine.exe
Token: SeRestorePrivilege 5072 wbengine.exe
Token: SeSecurityPrivilege 5072 wbengine.exe
Token: 33 4772 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4772 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4772 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 3280 2024-06-11_3a815d486f870d2adb71da4116b967d0_bkransomware.exe (5 entries)
Token: SeDebugPrivilege 2460 DiagnosticsHub.StandardCollector.Service.exe
-
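The privilege list above is what the sandbox prints each time a process calls AdjustTokenPrivileges; copied out of the page it arrives as one run of "Token: <privilege> <pid> <process>" entries. The entries worth pulling out are the sample's own (PID 3280): SeTakeOwnershipPrivilege is what an administrator needs to seize the TrustedInstaller-owned executables under System32 before overwriting them, which matches the "Drops file in System32 directory" and "Executes dropped EXE" signatures, and SeDebugPrivilege lets it open other processes regardless of their ACL. The Python below is an added example, not part of the report or of the sample: it parses the flattened run, aggregates enabled privileges per PID and flags the high-impact ones. The HIGH_IMPACT set and the SAMPLE excerpt (a constructed subset of the 43 entries, copied in the report's layout) are the author's choices; the unresolved privilege "33" is kept exactly as the report shows it.

```python
"""Triage the 'Suspicious use of AdjustPrivilegeToken' signature of a sandbox report.

Added example (not part of the report): the signature is a run of
'Token: <privilege> <pid> <process>' entries that lands on one line when copied
out of the page. This parses that run, aggregates enabled privileges per PID and
flags the ones that matter for a sample that overwrites service binaries.
"""
import re
from collections import Counter, defaultdict

# Privileges whose enablement deserves a second look for this behaviour class
# (author's choice). SeTakeOwnership lets an admin seize TrustedInstaller-owned
# System32 binaries before rewriting them; SeDebug opens any process regardless
# of its ACL; SeBackup/SeRestore bypass file ACLs for read/write respectively.
HIGH_IMPACT = {
    "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
}

# One record per 'Token:' entry. The process name runs up to the next 'Token:'
# (or end of text); the privilege may be a bare LUID such as '33' when the
# sandbox could not resolve it.
_ENTRY = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(.+?)(?=\s+Token:|\s*$)", re.S)


def parse_token_entries(text):
    """Return a list of (privilege, pid, process) tuples from the flattened text."""
    return [(priv, int(pid), proc.strip().rstrip(" -"))
            for priv, pid, proc in _ENTRY.findall(text)]


def aggregate_by_pid(entries):
    """Map pid -> {'process': name, 'privileges': Counter(privilege -> times enabled)}."""
    out = defaultdict(lambda: {"process": None, "privileges": Counter()})
    for priv, pid, proc in entries:
        out[pid]["process"] = proc
        out[pid]["privileges"][priv] += 1
    return dict(out)


def flag_high_impact(per_pid):
    """Return [(pid, process, sorted high-impact privileges)] for PIDs that enabled any."""
    flagged = []
    for pid, info in sorted(per_pid.items()):
        hits = sorted(p for p in info["privileges"] if p in HIGH_IMPACT)
        if hits:
            flagged.append((pid, info["process"], hits))
    return flagged


# Constructed excerpt in the report's own layout: a subset of the 43 entries.
SAMPLE = (
    "Token: SeTakeOwnershipPrivilege 3280 2024-06-11_3a815d486f870d2adb71da4116b967d0_bkransomware.exe "
    "Token: SeAuditPrivilege 3064 fxssvc.exe "
    "Token: SeRestorePrivilege 1040 TieringEngineService.exe "
    "Token: SeManageVolumePrivilege 1040 TieringEngineService.exe "
    "Token: SeBackupPrivilege 3836 vssvc.exe "
    "Token: SeRestorePrivilege 3836 vssvc.exe "
    "Token: 33 4772 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 4772 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 4772 SearchIndexer.exe "
    "Token: SeDebugPrivilege 3280 2024-06-11_3a815d486f870d2adb71da4116b967d0_bkransomware.exe "
    "Token: SeDebugPrivilege 3280 2024-06-11_3a815d486f870d2adb71da4116b967d0_bkransomware.exe "
    "Token: SeDebugPrivilege 2460 DiagnosticsHub.StandardCollector.Service.exe -"
)

if __name__ == "__main__":
    per_pid = aggregate_by_pid(parse_token_entries(SAMPLE))
    for pid, proc, privs in flag_high_impact(per_pid):
        print(f"{pid:>5} {proc}: {', '.join(privs)}")
```

Paste the full signature text in place of SAMPLE to triage a real report; services such as vssvc.exe and wbengine.exe legitimately enable SeBackupPrivilege and SeRestorePrivilege, so the flagged list is a starting point for review, not a verdict.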
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4772 wrote to memory of 860 4772 SearchIndexer.exe 108
PID 4772 wrote to memory of 860 4772 SearchIndexer.exe 108
PID 4772 wrote to memory of 5020 4772 SearchIndexer.exe 109
PID 4772 wrote to memory of 5020 4772 SearchIndexer.exe 109
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_3a815d486f870d2adb71da4116b967d0_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_3a815d486f870d2adb71da4116b967d0_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3280
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:1292
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3936
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:2956
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2872
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:912
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2320
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4320
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3476
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4268
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4152
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2416
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:216
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1720
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:832
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:392
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4876
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4520
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1116
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772
    C:\Windows\system32\SearchProtocolHost.exe (child of PID 4772)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:860
    -
    C:\Windows\system32\SearchFilterHost.exe (child of PID 4772)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    - Modifies data under HKEY_USERS
    PID:5020
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD56ae83cfbee7aacb8ef4ca9ee1a9953b1
SHA175e1bc12603a715bc9e4b5030075f27e164178d7
SHA25682ad423637a027754c370cf73eda6ce98c4076f30ae59b718496645f25740cea
SHA512b9dd4618ab98b8bb7833ddfccae33a1b2e525e04ab83631b33961a525a81bbb05ad0c7f7e21662cc3d647473ce6fcd40c3104a112ac36eea62a9c988f04a4b34
-
Filesize
797KB
MD5c29f40073080741b603615a566077e46
SHA17d3264353d02650a5f8395381e55607b649a6cd1
SHA256af599a6e6b897177bdc89f2764ff5eaff616c425c5d6e3ec7ace373aee258d34
SHA512aa6a54f16366e0b429eb5a27eef1e35fd8bfa575a4a760f7c41f21e7bd85be996d56c0a46a1551652de68d5b34e6a403b953ea4a9175b8b034e0ddcd1193c21d
-
Filesize
1.1MB
MD57b0ae4f46e8bd438e8f9a476886e6f14
SHA19e1e4dbc5aa2922eb94f6a9997a1b17ed8f3b045
SHA25632ae1f6440c5cda641b7bce41e881fc53f15b2d010e707b3f3fc2ee69d934026
SHA5126ed254f678048bd853606b704d8fdb02a216ba0df3b7c4ec13ceac27211fd5369afa4917d0742539d45908827dcdf89ef7ed14b8ceed8c44e7f0d7129cad109c
-
Filesize
1.5MB
MD52136b32606ec02610dbe9812a11981da
SHA16cc71176c2443796a81b312e7431cedf102265e8
SHA2566e40a71bfd827a3d5905a3e370f5f9914e5b55452cdbb757bb0b15bfdb0ddb28
SHA512d7d74b8f51b6576c50d4dcdbe52a7dc495ad573d08cf2a935c06e363075316cd2b758b5686f482829c7fb69ec9f84543cf6b4e583f1e98e0cdfc53989e7d4925
-
Filesize
1.2MB
MD5129d92c429bfa6b3f5a8cdb81a991edb
SHA17f9f9af96307d8e06de6fa95d17822253877e3b9
SHA2564330509df5e557d2d87aef46102a23d8f53ef04123604d80532f4a175e1a8766
SHA512dd70a4fbf742b83ab2b44da6c8b2f03040a32fa1d5f5697af53244b80adc5120971909a965887a69ddeddafe1f914749882a0eea326502bf3f1f1bc78e980dfb
-
Filesize
582KB
MD521c4b04b50e21456a5c45335d96386f2
SHA1b68f4b3ff473a1052c7026c5d4671558f1401038
SHA25687f763b095869911c8d938ecfb83eb8f7f2f6f058259290ac5d7bb0eafa43dab
SHA512175c4376418395d9625d5d8ec542fb72e2a51ead69f09e170f8e405fd3bf6e24e0d5e9190deabba9ad439eb13a9bf68f1149bdf9d968ac3079d147831cbb1829
-
Filesize
840KB
MD53a13099f8eeef4a8790eaa782d0f80c9
SHA18a730dbc8814f422b438fe8b7e4a0e2b1d463926
SHA25608d0b1e005537fc6f5ef653cee9a1cf370f4217d28bafdae25ee7436e2dbe41f
SHA512abc5d5be253bfeed7399e4e7fed22ca1a6784651655382ce12479d1d176da5c2bef6e96e8c662f6d873c6718661ce3df854e2ff679e23b3c46acef19048a7fab
-
Filesize
4.6MB
MD59e5c1bded1ce471d393afcefc1b3f868
SHA14fb768c0ab6acb8e7d761abde6154fcd04e6dee3
SHA2563cea8b2df6e4ea4c1feb758a6718b01f290f92eaa84224a7c21fa58c832207bc
SHA5120583d8e25932436fd627b3d8942873f1813fa3cd761c0f046dc60dc025a4c759cfcdd0293f75c4426267c749bda8676c4b684d0f3de508e09506547de8abab8f
-
Filesize
910KB
MD5eef2bd64a650cb110f4dbe94635690ff
SHA1db268bc4e3bf61bbcd82dc4c39cea1b706673ada
SHA256079ca217eaf4f1930716fff80f896a4668fc3e210e9317dbfd8777ce43fa0724
SHA5123efee68bac093879c3c8998b06cd9b7249dda7a61237e7b5386d2cec82548cdcc1897584ad6099241d7b586748f50be78ee5ec7d32ad5bd1dd5c79e1815d8a9c
-
Filesize
24.0MB
MD54c347fc28450b0cda5a9fe0e1dbddf11
SHA1582bc957ca378d46b8a4cb9c04d7204db1e79384
SHA256a5d30271d36b97daa051ab17625b689af15805818f98b6a2b5f3731b31593093
SHA5122878ad1d29ab33d87d11f41ca922de2fc95e7675ca1ccb5622c9319a2088a182695622c3dc21da29199f276d224bcd5d7392684cf529e1e3a71642976a5f34e3
-
Filesize
2.7MB
MD5070fab9af6156ef812849d4cc5aa4bfc
SHA177daa0c572d05d7231a87ff9b0c33ecbbe631fd3
SHA25690ac12318bbafac27e3ad2c572bafe38d236386ee5e567daf4aacf8959788bd0
SHA512ffd1b4087f9d4afff8eb51a17145f775788f5bd21f82f1bbef82a0cbbb270455e656594aca0e627fefcb93671eb81e9e06122cf1fb1af800837e5e39dd17383a
-
Filesize
1.1MB
MD57fd5b06cc07ff321f7b2cacc6e4ed9aa
SHA192dc99857cc0dd408636fdb73f25f5743e065302
SHA2568043adc11c3b4363fdecaf488e138c47ad2083847725172080974e5cbf173a3c
SHA51259ffc1a168f31e12fe572fa7f1755c5006242a44eb248458a7a93ae75a47b761d0b3e17f9bd26c9877931c7186b38a1f906d8ac963b97f12c02d887ea81713dc
-
Filesize
805KB
MD592f52f11c9e235f8f8b4e3b8384a4254
SHA164f5e92417b94b2e5631f24e8bd0a140e2c0150d
SHA256b9c188d12a0b9afb660eda61e15aeac8773ab3acd0c2a89a3794ad05c12e5924
SHA51258c48f05504e0df531899496c8cf811c7c4c86cd34785db7ae1a949b295654ad88dcd57662d5b160a339a13c1131c62053b0724c7b84604e2136150377a942c2
-
Filesize
656KB
MD51f968f42c3f0a1b9727dc14c121025d9
SHA1e841d3837a4c3d3b1cad707fac1c644ef80d6edd
SHA256a7b503ce953691e5e5a42e288c6cd592ce78257690f9ec70734eebf3e3058f00
SHA512c199b466697acb454821de6209d5257c030451f7992375c7142fcfa0a9eaf70a5d1bce2c05a81c66a67496bb29a9fe1c1d4bfb385585fd10dcf15191afb7723e
-
Filesize
5.4MB
MD50aceb207d1b6f9f6ed4037b6488d8ecc
SHA11daffb2a28b1e1a75ed02967530e81949ba1c64a
SHA256b8de286a2bb3ab189c92a796dced3022463c5de4753ff27f055c13a249414b5f
SHA51274f5d2f3bbbdd8d617ed66bbe083b26b29ee5389833b747ac28763600d020644c78db23c2a2e6a7f3ec3f021a733d17844b6cbcda57b99a5d908217a21889286
-
Filesize
5.4MB
MD5b2d2e5d997fa27c41b1de085fdd368cf
SHA1f5c50867456a859b8258068c22179399adda5963
SHA256e2a15d9067afca627d7d26ea832ed2c36952443de7bd2bab8dbd5ab552e8af14
SHA512c74ec795fa974ef5fd351895fb73718669940092a079d22e9e847879e932fcff18789a68196b93fc1957c2cdc9f3b1d9564a823b3e6b75d96a1e11f32d2c9857
-
Filesize
2.0MB
MD5996dc41f70144deb4d68725178fc880e
SHA1d1802e605a1b703dc8e3cf2a3b76e6d8f50eb963
SHA2562025036433f066d52cb0ad14150d09512690bcf37a30fcd5e2a4f5f3a6293e7f
SHA512b065f959c484e96fe64937fc4495f0c146a04bdbef95b6840eb29fb0cc7ae7815703cc35628207716587962b04d687422199eb810a73230cb5f187e51d0e67f0
-
Filesize
2.2MB
MD53474ffc002ea859b7764f468ba7dd14b
SHA124df538961c8fc5b12ef035e8fabc8fd0e85e987
SHA256a641e5069d3fd9fedd9b0751a81c339f8a561ce872a5378ee95bfd95b2131add
SHA5123b30e6752d2900282ea80514ddd26d50794ed7141bc1925bfcfcfc09d71f28a4e111aa0a851c996eea1b5f99a59f39944e0a3f77fb463ef7a9790da6400fa2df
-
Filesize
1.8MB
MD548091bba273355b6ee76b22392ba5b03
SHA1926aa30f63329897b97918c6c712a7dc44099140
SHA2562d77b8d1d3fd2f8b32d67469c6873412091d96e106b79e68d7d9f7322b56ac41
SHA512bb3a7405b884725fa109291e5d499974ac9fc06119781b5961ac5cbe8542840c9f7d54691a435842a1a83f0f87dbbdf787968bdf3d919c6c6d9b947a18efb848
-
Filesize
1.7MB
MD5c61ec2243c65911362bded4bba241187
SHA1283702d7d2c4b47c414e80d066ae1f89a8904b11
SHA2569dc9d19bcbeee212ed8e73c1cb0fd33fa3de5ae397534304c69ae82cef3d95d1
SHA5123f33c0e980fc0f6c1daced6e9bc9aec2aa023019fc5ea74979da718c7abd0800eec5fbb7d0578f3970c9aa7addfbced95cc907e92c6cf19cb507403bfdb3db77
-
Filesize
581KB
MD568de9f592a2c27bc736222bae35500cd
SHA14d8064a5cf8a637fe69283dfffffa20767a016b0
SHA2560d1e38de83152d7d93926643166707810b6773ea455b96f8420b7b68c12c4379
SHA51245c5192646a29be595435093e82c0d741a260c3613ab8b252e39b72221b7ece8af6033635a130f8e0c13a4328e1b78acad03f92f369dea665c5b49d737a0bc58
-
Filesize
581KB
MD574c20a4b8bd70a3f2185451b64326898
SHA1d97657a24d9b0813f4a279e4aa0a6be00cb57fb9
SHA256923e1d2e361ce414cb4d8e9988e379cc84fe3280fae7fca1810a98e921ffe87f
SHA512672babf1f17535626fc12e0cbee4f7b0d61f7657c1d76a21ea01f52dd0a6e2d73066666d1cbb980a044c9c8c5e2733393a5cd799b39f9407cd52231fa255bf04
-
Filesize
581KB
MD55010e3b19d889d8d3bbcc8ffdfa547f0
SHA11776d2587f80eb18a0b05869eb3318c93d6bdafb
SHA25670014db46f4d94e149908a393a40d47ade86949334406d435819ee32c16d370c
SHA5124cd89b1ea4c34768fba7845c944c67be2ecbc9f7a7c8a2ece218c3f14815f224d5be2a3df6e8a288e39ce051b933409a61d974a68a39bc06887f94877435d18c
-
Filesize
601KB
MD5cbe4d2de87830cb26a6e27d40e473b6b
SHA1fbdb884fd6bd434724feac72a2ceac69e2fcca2b
SHA2569fc324c9d4663ae3dea1dde4a925b61fa176c68f3805eb10f7373f9ec95d3f1c
SHA512be40d30b9e1c88bd9b8bed47115e5ef36f4d219fd8aaea99a1d218d1a2bc1ad2ebabae54f5ac12a7aae9e105e798dc76c15fe3e4cdf59655ec42cb260bd8397d
-
Filesize
581KB
MD594eb116139f8614d2b0a757653dcdcba
SHA11e7c5d59ed2375fafe91ef11f2d54fbd5a071d11
SHA256eeee8e799e68f664efeadb785b4c6e585aa3ebbeb84d352eb9dd4974cc959105
SHA51291e96bb390e245302711f1ebed537d003753f402fd2b8419c0e96210212be5433f779a215b5b6c576a22ead877d3e46d2b26883c94ba5f3b456a6e0ddcf218be
-
Filesize
581KB
MD5b837d4b3225ba20a856dd1a69324571d
SHA13f1009795167f4f24bb5cb1bfb77e180e2784271
SHA2561be7f52d2e57be3d7d951becfd0a46a43d7d92776d0f94261299d422560e70ef
SHA512b082da8611623f9a95ca56a2256f9980e500420ac653f5270b59a1d6f9a4437810ce8c54279d69f505436b87651cbaf6d57c6086b0c61d7dd319079b88db1b7c
-
Filesize
581KB
MD5b4d7b74a9131178202eed1f28353b34d
SHA16adc6536e565b27e2e131bdbc28b6fe704656529
SHA2562d53644a7ac2177068afebf395f1ae5bbacf02ee686e01def3b84a2802ebee90
SHA512cf1c8a80b417ce871aa8df535e25e57755080ce7ef316456bcb406506ec89b306213aebe633e229cf113df6cf8a047acd2859e9c3fd104d4b6cc8df153305935
-
Filesize
841KB
MD5ec98593ab74887b6db4daf878c4c2301
SHA1111994403a678c3dfba31213f238e934f03242b1
SHA256a094d00f2ff446dc57003ad125926dc74cd1b96d2f894269194bb35b1b8a3d23
SHA512d4789991f7edd6cb5898b7f820ad656ff6e5a78be34677ac3cad9c5a8ea7493d00877c5b5bf4798712910c05010e68a0772222ef559a9d9cb0829e4378fbbcd7
-
Filesize
581KB
MD5d9f5779c19f19bface074f76c5c0f0a1
SHA1dfb415a12e67a67aef6a4a35e7a221f3ec2fe182
SHA2569fcb8d7da91fd130c967736bc7ef41d944dfc4641953828c183ba6fe3f99edae
SHA512de15f54971d148cea0362352a91692b65ef14b73c93f9682afcb02d61b36be5a34e90e2a1458e918cf96636b99a0fceb2e17ce6b33bd5e341aef00de3314f921
-
Filesize
581KB
MD5f7a45f4a63e1c99f7ead290a060b18b3
SHA1fe964e29665996ab195fc828364784fdc70fe168
SHA256797dc157707f8abd5ff4892db1ad9cc645ee840f77c144c7fc83474aa9642414
SHA512500407745688540fb65f1bf456d223e19688060e28e79caed80b94dccc2da9c7bb0f7587a284bef4f86984044b4a842db80b624f982e7cf07a9c7d49555402f7
-
Filesize
717KB
MD5aa70d933adff42a46173d78e8f368d7b
SHA1058770d49a89b2e63a5879236df7250a77755e65
SHA2567aa45c6a03c68c69e4600bab2359831d7eb8f55085d1828284b26e3661574185
SHA512f69c13f8f2149fbb19ed925840df5513b6f094db070d07861ae0124bfe84f80f1b9d3aedc76f0ec20ddd256a27e47899182db3d88acc583e04b7a0fb80146701
-
Filesize
581KB
MD5ac37d7ff030e53af2754c112a1b90866
SHA156013dcdad1d4ba7d4fbc5d4839cb0d8b093ad73
SHA2563ce1428cfee13f34a37f88ae3d1c1fdc1465dd8cac7a3ec1763e26162823772e
SHA5129b86b03e1382513b5559b451bd2e7f9e4510fc3f241b20535f1d90e5b9c1beb4b4a5ce14c8212a8ccbdb0ddac7f93f010d4ba0c7cfd237822aaf02b36e60f029
-
Filesize
581KB
MD59c15ffec25a647d98c36354dba6b4ce5
SHA17781086654c8d3a94fa4465f92d04c0b42aff91d
SHA2561bc075de05ab9e3150b5032f381529ef9f8428839a19fe8afd19aa8641c791bc
SHA51291291f239bfc065a61ee21a496456fa46fb4dd4e349deeece90f7cd55976ec4e3df87d91adfeb891a650bef37fdc525729e770aa8fa111ed8d5db5f06551c23e
-
Filesize
717KB
MD5f52ebaa06872be38db8ea9fdd5d42ed7
SHA1c4cb50adede50ad9613dcb290023dcc6f740b70d
SHA2560c5aed46edd8df1dfc44cdbe811cf7346e1a6d4e2ac8dcf651b75c55635b2c12
SHA51215764d51a4c10770d12c40836c124ded84902a2524fa5eaf7f371f8808dec70934f466a035be90b76efd7d6295b8bd49e2878283c0d9b618b6d9a8d8ce69a8b0
-
Filesize
841KB
MD53fd4d8eb858602dffbe1aa9523b1005d
SHA1dcc1851e904cdc27873149f295828502f40853a4
SHA2564be537ab86c7b4f88eb20924b45104444a5c8de1d56e38a94512d9c197725b1c
SHA51273345819b82c25868bd900cd72ab0dbe5e34e5c78b74920810df7332667098fad886c0db5fc98df87579579101b6b39b34acd1329eda609df22726c88f1292cc
-
Filesize
1020KB
MD5b8ac39a14e31b181c14827d5f2b0a806
SHA14431dcbfd7107b44dc8fb76a26e0fbc15b08dffb
SHA2561df9d4fdd2f8e416c92cdb01d97fb629e4437fd56049d476e5c969f7e587edca
SHA512d053d6cb39b1cda6252baeb7d7dd217b24b462ad8eceff6bdbcfe36565f2c5e06867d8da336160189a4062fbd02153b1d6f7c28b9bddb5211cf50b1dcf49ee92
-
Filesize
1.5MB
MD5ac0004edbb9cf20063bb46a16864f155
SHA160e5e997c8c4d8b12da5522c5a98fe32712ae4fa
SHA256bbe048eea6dda15b4d642d4cdbcba9328c905faee7d596df7db46c47812391d1
SHA51238d04f08da50c32e769f22e262ff886ee2910f819820f6fa9b58206a0507197d192b757c9b355b1bd1c5f29a02866618a1d49fa48641997807aa974d076e41f2
-
Filesize
701KB
MD5ec3637a40b1ab0e2c7d48d2852ba8b98
SHA169c87b92381f5d4a64d4be908777ba9285af9de7
SHA2561dd1b080acf33be96bff92d967073c3768bba7707fc4aad1d72870f4ec1ddbcb
SHA5125ed77ff40c9c4e8422001ff761f75bd6ab8c94c49c80209bd3f6285d25c05d33ac9278aee808ade343b1a97af795644bc1164dd8c278316bf03f8bb3a20e1d69
-
Filesize
588KB
MD53fb0a53fce37242f5ffdeb8d092d4497
SHA128ff9f3083a5b4b34247fbf546196f0d9c7cb7b5
SHA256f3af660f4172b00e6e3120cf7384f9f00cff3371110350dce9fde08728afcb10
SHA5128d7542959bde12457504bd267d0a62b28a24da1feae221cf3dbce36bda089e63490b1ea4eefe894a0f2d3facad4e5f057d4e75a95d6de5cc68ef8949082905e6
-
Filesize
1.7MB
MD57fb8a45d3439c575e169a353dd9f0d2f
SHA17031f43cf9d964c83b5b3c7a6997b3e98b574d8f
SHA256c0c75bd9dd48bd5a21678d089d309aba8f9c70fa1667e3050b57135a0281e1ab
SHA512bdacb9b80025f998184e49ee8cdd381483834d60c8b7e87174e07ab259ca4fbd0cd3d81e7934df0fb1f0db86794fa76fe9f76e2db5beddb8b7797cc0cfec5438
-
Filesize
659KB
MD57c0c6e356e1bf709542e95cd0a23c463
SHA1ce11b78a7eb04ec4f3dd71b2838c906930e9fd52
SHA2569cb0383c982679a0d6bf183f4aad4db735c0e76d90b3cec879e47a6715298e51
SHA5128040fe4ac9a07ef6aeab557d3c8359158e80f265f66c22dab415144f6d22c733f6bf7b13b67f241f99221a26858df555e2a5ae3325b69ff6699395e16f069ab2
-
Filesize
1.2MB
MD5d4a1becd3a4fde1cf29ce287d56952b3
SHA18175f5d0d5d56fdb2666098f54cae8bd3c54cf34
SHA2562cd0b5faa6eb276468afc22ce099937108f3787d7c5c8f1eb32d15b745d48668
SHA512f622eb0cdf34b4f641f04ef10f8e329f99aaca292208a0c440c675e77e8f40f7f201a4a3bbc0604fbbaab09fd9b08892275beeb182eee04992ebdfac0510f65f
-
Filesize
578KB
MD589d74d885d0920c0d723502d76410acd
SHA1f0c724ed64ed795ed8f5dee01be1d2bbae643e77
SHA2560fd420625da0a1c3807ce29cc51c653b55d9f458d04749603863ab5495e1f50d
SHA5126a51b14d41f5705f04262037c9ef06561367d37af29e41635b6f8800a8edf1156a27d6da1f4b8be85d4b14455ef65d8cdd796252db46d5e3c915fcd1f83ca78d
-
Filesize
940KB
MD5bf545e47f2faeb7e95905238bde26be5
SHA1324f50e6d8435ef9abb30c29dcc086d1143414bf
SHA2567043e79c2c1c5c45c65cca4d463990d1f17d36442819b70f433088f339d2ae0c
SHA512b851f2221c18de3f218d4e2a3c6806e57fd6079ca810f73cf6310fc3cb74cd9baf483663346c8374c09b48c20bd1d2fdf7b5facb5b038023756637c0d7dd23f3
-
Filesize
671KB
MD5d98e25af491f9f213934b33be80ef113
SHA11224fde919b9a4ff4bbe3a19485b4a0fc283b387
SHA2562274be6099aa1ea1921c95b49ff1802ee28288357094ad858f2b9028dc199370
SHA5125d3d6b7c2f92c1655b73fa7eda2c0406cef41330ce0c2d21b98ac25ba7778ce709a03ad85300fba0ed151fb89f875e3281129fd1a1f8aca77251b94aed357936
-
Filesize
1.4MB
MD5f29255833009dab19ca9bafde1eb6a39
SHA173f55b1d58072d016a24f5a071e6fd0a86767f0e
SHA256e2bcfa9251e389f4dc1b1d54124e9470d231c96077eaab725ad4447de20dab1b
SHA5124a0ba7e5b97a561a1acb66b90a87eab250ffba657b8c81b6ca5f5e29e56702913c753e175ea8b4fbde6664d8cd0333df6e027ee275a9d1556daab3512fcd80b6
-
Filesize
1.8MB
MD597861f0e58b1835822ab15a88e9aecf4
SHA1dee0a89b211081fe4b83bcb386dfbd324d0e27a8
SHA256072a9dbc24ec84381d5ea7b4634c0dee106843ac47254add6fb8d7c08918a077
SHA51282f8558ee491e2f32ec6b3d0890b694b16ba5a28d4eeea07007e0e6de5ff2c1314f09d83b16bf6a296e964a0b201aa064003110021e765ffeeeb119f82d9de27
-
Filesize
1.4MB
MD5c59acca557acb578c35e1c8b98cd0627
SHA1ce86fa52b0d23dd09f6708b9c33c5ce2957e2643
SHA256beb3e329e26a0bdee99116e3ada2146b897a216009e2fbe3281a146f48cc714a
SHA512af053cb2ee29af5e21f43bbe1d0a372d286760c0bd26854a2d1ff338dcdbcd2c4fe4879c116f1fb61237ef23a5903b7541dacd27ba8178652dd6da219467fbf1
-
Filesize
885KB
MD5e47f088d27a95ef17cf0da5b3ee5051a
SHA18d0f4ad21090f70f77fa0683ec8823e8c21d3359
SHA2561e9482504b2458ab33c3ac3c442598ba8bc2fe189e00ab5b447df1f7ebf0efd1
SHA512fa3fcc89803d4db6eceb358fcca0bbef40754616a1e41e0a6216697ce89960926779ef502f3921882b6b059db4d4f5f3ed355749ca4a0bcd87ecd7e60c09f7e2
-
Filesize
2.0MB
MD5c3ec01dd8caf63764b31c020cbe32962
SHA12418e125a9f5d230eda574cf112efe751a0e83b6
SHA256265b3e1b2275c394fa27daeb8a3400ac9d28d521813962850d31172550c77c17
SHA5126f0b29b55a2bfb7c683b312dbdbb8475ff74e413ed786dddb51ccf2f856e3555dbe77ae9241f255f045ae58b0bda0bb1e433b239d016df14160e81c5956bac2e
-
Filesize
661KB
MD50d0d33ca3afe4f70d29d7d2549649278
SHA1cc4b5af4f35ec5d9ba4fe2eaf4d46748a9d5a4bf
SHA256289283da802efccf9ce069b6a2f6eb66b32047b6c20f4e46a1741bde6e202196
SHA5123f940f6b91a67c3131854696c78f46c1fe69a36ff97ccb8f0447f60f8aa9136b6968179b689ad6ea5b5b8d59f3a3f3f43946a589619b598d2dd8ae0debc6295c
-
Filesize
712KB
MD5cbad434c18aea7da24251667c9ff8501
SHA146f26b0655200db638c51e5ec83c10116cf618d1
SHA256ed82756eee0780764390375fdf7f2c5a4efde3d748853de151f6580acaddd893
SHA512cd73bfe34fec67186de4272c0927ac162a0c04bc7574d33122b7d8de223b7cf281b34e2d1ff1f25b04c2245b2ac8ddf4e0bf7ced3b33b6c421b7776f190e4c90
-
Filesize
584KB
MD5
1911bff4432cfe2fcfb7a4525e842a7a
SHA1
ed8d9a0bcc604fdcdeee0e2e21975bd926018a46
SHA256
caf60ad362f52733aa5a509684143726b20ac20242a265241dd31b7aacbf15d1
SHA512
2bdbe27f0a8c9662ee0b1298ab190721c2a3d9ab1ee88065e7dbd62a53245f96169d54a5ceead19abf48dc8ce6f07400f9e4c1b0aed27494f99642b63496bea9
-
Filesize
1.3MB
MD5
f0e27c092ed1c3a4bae5f238173217dc
SHA1
0606623e271d302390fe91f8ebc5e161e3548477
SHA256
d8cf0511154a73fbbd3a0ba8b886516fdd65890c267fbfbace27598c490219b8
SHA512
e3111e63de1b72c61d8724aad86853db5645516baa3c976c059ea1564cd64aa97310b76fd95bea4cbf061018b2ce968e4dba36b8bde722abacbdf6cb285fcd69
-
Filesize
772KB
MD5
e9e22c98e4bb6ef1e3244ab675e779e7
SHA1
982b0abd777520a2fde1d2a3cf1f36d97539e61b
SHA256
81539b68aeb98d208a4e34c970e03bfc00014824981fd6be75e329f05676c1c3
SHA512
962927f49f24410f17a1ea982ca9247df2b814e34c22b284e466b1807a0879caad084231dad375a7243d2c8fb34f8ce4d7ee2edc90bbb4df03b1142e810423c1
-
Filesize
2.1MB
MD5
231ca329f0def6d096048a1414f33139
SHA1
eb316c0fbf329a80b4daa71118cceaafa171b188
SHA256
e22841b33c0d8d8f8fb2a593da8ffbcb16fd8811c0cebc81f64ec84083a255d7
SHA512
f3f20d9f3f3fbe52e5d6a1334f53b9c1743cce87a77f60e73268dde13171cfd207eccd60e7d6873fd465efe69816f1bb24a753c3d5a1fa3f909e400581c7c8b4
-
Filesize
1.3MB
MD5
05bea004a77d445aa0738dacdd236ba2
SHA1
812c49dc9a3e501b85f1ad5307f4dbdd8ae684f0
SHA256
4ff448e2cadc22897995b7966e2f57509516584a600ff363f99c544383f20c04
SHA512
9f4462670484e5deb82b4c6f9c2acb51a9f35352ec8947c888445d12a63c9b18dd4ddd39954f56bb3292b5ceb499625f9d07276aaf044a3313fc8f52aa60dff7
-
Filesize
877KB
MD5
7e82b7aefc47e74b618ae1cd66868b02
SHA1
13cb7587e9f9fee6f8eb509b864621be6686d80a
SHA256
2562cc93486f1d7a095cc3b3e41759404bf4ee229180dcd57a46f812e068522b
SHA512
a16c1cf8cdaee7f3c9bc889a40cf2e05cfe345e593e4d3dcee65a607180c4827130a371f1e3c0ab3e2a362d45a947897421165ee06a0686404fc6a16240a1692
-
Filesize
635KB
MD5
84da1f345f0bc3925d3c3185071c37f0
SHA1
7fc8eb2eff42800a2ef2bb720176904e765e8eb0
SHA256
6adeff895539f2cf19a21fee611cddc6966c2f9c1b3c831a68283e1a0fa4a01a
SHA512
385ca48d467041d3fb8c180648d98943b6b7cc1e0b7662c8cd5835b0bc83694eadac6c4d904469807fa5c82433b5828ca5897f1feef7251c891ebacbf1ada023
