Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 17:50

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
Resource: win7-20240215-en

General

Target: 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
Size: 712KB
MD5: 44ae50a879669b19fa40bf1cbf6ecb36
SHA1: 560ff3d58e284480829d67699d333a78c33ea26e
SHA256: 6496464ba57ac74acd38c10372829a00c9b93873921825ad5e2477e360f75ef7
SHA512: 6e31d08015383282d0eabf60dcaa20ef28e9a42742403a5d81ce3dbeb14b1a418f5d2468c62874e87e370c846deeec27264a77a302d90b2f1624294c18dd25f8
SSDEEP: 12288:4tOw6BaAKGVlM41NTnXENcMduaD3aawgPwCnQ3MHv8CI4OJ1bbPHHcFb+KKqCGNU:G6BbRVldlnXfH9gPwCn7vOb7HHcp/CGS
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
pid | Process
64 | alg.exe
3980 | DiagnosticsHub.StandardCollector.Service.exe
4732 | fxssvc.exe
4160 | elevation_service.exe
752 | elevation_service.exe
2612 | maintenanceservice.exe
3816 | msdtc.exe
4524 | OSE.EXE
3048 | PerceptionSimulationService.exe
3584 | perfhost.exe
1264 | locator.exe
1692 | SensorDataService.exe
4468 | snmptrap.exe
4764 | spectrum.exe
3420 | ssh-agent.exe
4480 | TieringEngineService.exe
1384 | AgentService.exe
1248 | vds.exe
1624 | vssvc.exe
4776 | wbengine.exe
1900 | WmiApSrv.exe
3136 | SearchIndexer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\685adebe92be0f3e.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d8801d927bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd263ad727bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e005b7d627bcda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d628fcd627bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c91df4d727bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
2584 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe (this entry is repeated 35 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2584 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
Token: SeAuditPrivilege 4732 fxssvc.exe
Token: SeRestorePrivilege 4480 TieringEngineService.exe
Token: SeManageVolumePrivilege 4480 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1384 AgentService.exe
Token: SeBackupPrivilege 1624 vssvc.exe
Token: SeRestorePrivilege 1624 vssvc.exe
Token: SeAuditPrivilege 1624 vssvc.exe
Token: SeBackupPrivilege 4776 wbengine.exe
Token: SeRestorePrivilege 4776 wbengine.exe
Token: SeSecurityPrivilege 4776 wbengine.exe
Token: 33 3136 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3136 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3136 SearchIndexer.exe (this entry is repeated 24 times)
Token: SeDebugPrivilege 2584 2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe (this entry is repeated 5 times)
Token: SeDebugPrivilege 64 alg.exe (this entry is repeated 3 times)
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3136 wrote to memory of 2156 3136 SearchIndexer.exe 111
PID 3136 wrote to memory of 2156 3136 SearchIndexer.exe 111
PID 3136 wrote to memory of 4004 3136 SearchIndexer.exe 112
PID 3136 wrote to memory of 4004 3136 SearchIndexer.exe 112
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_44ae50a879669b19fa40bf1cbf6ecb36_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:64
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3980
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2948
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:4160
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:752
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2612
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3816
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4524
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3048
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3584
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1264
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1692
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4468
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4764
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3420
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2172
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4480
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1248
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4776
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1900
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136
  (child processes of PID 3136)
  -
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2156
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  - Modifies data under HKEY_USERS
  PID:4004
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 640a56bd7df53f1c30faf42d1068372c
SHA1 581951a84ad061f7b6620e46a3d4ee73d1dc2a94
SHA256 d6980977cd6c576867e73e9c98d81928df3e2cad5d246a833f750113603001b7
SHA512 1bd3a0c69bbf873e79f2b4781a687732addf0dbbcb8092e891d8e85b96f5e750523f57c6964e77a6357e715e77063f7af2a6b5653288b05dfdb208e658b5dc6e
-
Filesize 797KB
MD5 c367bc5e2d6eb5739a269526d994513b
SHA1 f42cad5969bf1f750685f07db2728807286a7849
SHA256 ab9b5ff05feae822908d2df975e9d13137806de46c635f9b621a35eccb59e030
SHA512 93f309116da68637d0209190dcc3faa16f0f289bf50bda49958403bd597f61dff7259cb2844837b0d5b16ee1bd7685e75e70a248436f195646eaabd7e7815663
-
Filesize 1.1MB
MD5 3d9248d88d12cd564d3968393914891b
SHA1 def85dcb2a3640f251568caa8d1783f9c82b68be
SHA256 8a085458a5395f05970e0f3ef0afbcba06cf1440ad22cab305217be1c8e0ef98
SHA512 7d262cca4af34ff9f76b8e1411a8c6bdb66e1d427f4052a52b57face2d947bb826de067080425daa2b2c7fe94cada6f6f66e478021e7ff62f408b1551b73d4bb
-
Filesize 1.5MB
MD5 ad1a193127cf74776d6a2812226df349
SHA1 eadcf5fffb410ef6aaafd29473b66e61459a0c03
SHA256 9e8db5c900e1ab218154e5e6b800351ef5bac3696546f234f479ce766fce21a6
SHA512 a4925f4ebae33f59781c05151f9209f14ce4f1ee08acc2c0dcc611815f8a5cda614be25881552b8e23fe80a8421847ae2e8324068b76e2e81fd129019328290a
-
Filesize 1.2MB
MD5 d34c6dfb80e9d75ae629020b0b34074d
SHA1 d3b5b104a3f80f2dba4829bd68ccecb10ca159c6
SHA256 5172f97514f5d4998a2778e98bed0fdce1c74641d1495b3adc7500cc56d6fa57
SHA512 42e2b980da1ce4300c12b1794ed1ad19e120e94dd5a60ac2c610ec1876da67a68859fe2ffea7a8da871a6ece12a65cc01aeb9d6681d4ae3c816651dcc406af61
-
Filesize 582KB
MD5 4e0f38a30d183b9fea1090c21f641e00
SHA1 52d9111f2b7672e4343467a8e990ec9c13957545
SHA256 11b55cd3ed9f3433a9adf48060a8eb562d059de11af923ca39307766d11f2762
SHA512 e6385e6c3b5573d46e317e610dee760735d7057daa1480dc915cc57e9bb3d5a365e083dde6d2055afa8a60e6879c41b6f1a1a0811080fefd74e21751569c2299
-
Filesize 840KB
MD5 2700379104708932315a118e3bfe27c6
SHA1 56d1eae7da72a9626568fccc32bba2df4fc97802
SHA256 5736e8f37f10acf12fe9f86c0af858fc57a600a12e1a42f823ef93aa198df926
SHA512 f7b77513cd94d49a7674e3103b276eaa31556e58079d6a43282ac88828cebf02f98e2650dcf479a928d2802c1f5da0b1021d2b2f2279275c29d3e7e2030eb08c
-
Filesize 4.6MB
MD5 4a51ad30e4d1eaf65b35c600ccd706a4
SHA1 542deffa08aa50c1bede8707223322430465a21e
SHA256 885552fae647bc5fc9457b417a22993f67d959d1bb99340140c70755156fdc9d
SHA512 9371844f0086b136a784978c172392e87bf35bd4f715ded4150c1398b52eccee2d1914ad95baa0c6709c4bc28cd029cc4170d6d80a85d9b7ec15abbbec8af545
-
Filesize 910KB
MD5 d5ded4589265e20983daf16a74fca149
SHA1 6fa6a5679ca4b707636fdb6e93f0bba76d2d3f8f
SHA256 6e5167f46f4faa120e2025899765bb9895382f603d687a221171c7cee42b946d
SHA512 f6112ee17e8a024452f7914379f4f8d0219cc1658897db762866fecd4683772135d59771aa6e5cc85b4332a81f3c1137ba20fcc20fc1ff0d3c10d409665a02b9
-
Filesize 24.0MB
MD5 2c24b7bb68f922ba6602a0ee2bb8b503
SHA1 8ff49ce377daf939824b01efc4d19d0476d3c67f
SHA256 52d7708b7c67c3f44f3ec41252b5ea0dacdddd7f6b82be90b467ef7ae11db531
SHA512 f87b5e066a91b9c2e3036fdb934ecdbaa993dc61561a60dd9bb2af081d77f30a6784aa4bb7b1861da12dd019294505e4f040c5b7b20354e5d1663225614c5915
-
Filesize 2.7MB
MD5 f0268faaf24d70d61abccc7e9ed4b07c
SHA1 80bff6618d314540cfeed3d7a16f07cbedf19f63
SHA256 1c0f1c353610dffbcdf0a6d258644944a054788d20c6fff21b43fd9994e9f5df
SHA512 58473f6bfec285a24debec1da1d186e689ea807b9e4ce389e80b8ca5185592cd4e94fcf01441115f6b08b5eaad4dfb1fa81128435b507c578fccb7fd603df852
-
Filesize 1.1MB
MD5 7a46bfd103b007ec42270b12e32b109d
SHA1 fae7aa2e5302630e5b88e2673bb67b28ca459c69
SHA256 54a66c57420cb3e1b34c55d8ebcb9da3892da1b6d3254e310c6abedcd234c082
SHA512 ddcdcb0b505b225eed09c854387540833fbe25931f4c2a530b60ca61b14cc14fa2f622b7717eb83c859aa44a1620694d8f9564027dceccd5d1d0cd627d6dc72a
-
Filesize 805KB
MD5 b20138be70a780914b19727c9c91facb
SHA1 2fc67c68d9d26a9779e0750ce5d7717f24d94b68
SHA256 9356ac3cec19822490e76e5b15a9b7fc18d2b30ffe6958ae11f9ab4b36610ff7
SHA512 caa3e41f618b3c7a26f424e0cfe3bc5df2ff32b225090956a4bf85f88cbc682ab573ce5b43326f6053889731528c62fd6533166774a12b4b77196e4eb8cdc211
-
Filesize 656KB
MD5 d895dad0989c9297e9354319a15ca6b7
SHA1 edb8dd48ffe2cd03dc45a0c9dc9cd4cebbd671ac
SHA256 7ec483ca5fc2887d9ae0496f5c8cb3755e095ec43521f3e01d9ace5820b292fb
SHA512 562e2fb9a495ec3a774c6085605b24a310feccfeea2206e3db1edb46f13dea9f9a5425f53f6181b8fc5f6d5c279f3f2fa2ff40f96ea11f6f9aa5bbc7e754ad9d
-
Filesize 5.4MB
MD5 95ea94553b1bed203f70e50a4eaf2d9a
SHA1 52ddada5c327466757f9ba6082776b5d2929bbda
SHA256 980dad3c1ee1cca959959bf1d807f9ab614427cb6100583b50dc7e580ab34f89
SHA512 1c92a30ef0c50085bee6fbce6bd0335107370cdeff4f4aca4c3b9bb9732ddfb84eb5641a781ab30b95596fe4d3321e23f81967d4f89be00d21f3c09c7e970f10
-
Filesize 5.4MB
MD5 46dca510d7e2e84805cfc2096ed5176d
SHA1 e0d5a8d1a98ddfe3927db506229f86f3fab6d578
SHA256 081bee43c0fa04f022f1587ea5b280ff84e61f3e92564b5fc6d0c7136b8ff696
SHA512 44e29ebee822d0cfcb1b0653d780223c2bf9ff12784798b339c90f1e7632fdffff1c9ec29c61c3da0a7590724b1a166913a24b96e58348481ae081992ea516d3
-
Filesize 2.0MB
MD5 5c483ffd7caacf4f8c89309d5e7370f8
SHA1 cbc18c2a6452b84f641d81e44b0744ab9e6c4202
SHA256 2ee6e40127271fc92213a6459240a6cb5f062c40232ba98077803c74c1bcbce6
SHA512 4a9acde85d28128994d321c436319779fbff601c7c7a9f1c0f46166f05e7919a576701f5cf3be7ce85d9b51e1645e720babdc89870c946280b5a7e2e3c86fbd9
-
Filesize 2.2MB
MD5 7ac23a2c9e05b4ce36e1990a443947ae
SHA1 e7b6880b29379b1347c2c4f4c2fdbf557cf74271
SHA256 b4e256082cc3809c56c0cb84ea04a0a6dcb059054d4e8c155af839d100450435
SHA512 f1ed20b7858d2ef7c3e770eb796066c30758c4839310c74932cf1970c4b148949dfc0a7b6a05966067ce9e9df9648e00303db46e84e0ca91f82e251ffd1dbedf
-
Filesize 1.8MB
MD5 8017bdbb71147470b195c27d629cd188
SHA1 43586bf475726b7798e378ef32d5dbb37fdbda6d
SHA256 f5e241746b97d0dd929279ce1f16ddaf917c81c1df3a55d006c3b1f12567beb5
SHA512 7143f2d22bc93bc1647d329107b2df8ece3921449259cdcee0d322bd60709a7c012a33b3e987ff9c56d911567ad686a9e6e7e0fcdc527f428b71361dd1a983da
-
Filesize 1.7MB
MD5 78b11107236aab6569b354e6e40cdc3d
SHA1 b0bddbf3102198e1a040b208dfda693d9e631a32
SHA256 49c1dcc6358a1db430b9e35d1d2980c9f3e818e481eb2ea6ad6e52bd792c1aa1
SHA512 56e6c9386e6ae837e4898ca7a0efece75234da4ab52911ca8b7f78bea6263fff8b80842bad835d4b20724d18218158938a5bf2c5cae3b554c6d09bd3f119725c
-
Filesize 581KB
MD5 3fac5de5edbf96ed3bf62192b8d1d72a
SHA1 510ddf643e0ee40ff3ce7a70448de7877cf7d80b
SHA256 7f381c88d94b57bcde55b8828b81a2830aab13ac95baab1a53125f6acb52d5cf
SHA512 7ecc492c201e4c1978df928e5034cd698eec9a95abcfb8b161f4efee21651a23ed9b76fb9058a246633af3b1f4b719c205c6c6d3c7fc65c4b62cd62e5b88feac
-
Filesize 581KB
MD5 f88b8e3e58f954362d181e6c38e1292c
SHA1 2e8ee5eb4848f6707f065790f97d93f42b49190d
SHA256 3ad9e05b8230f6399f1e910dece226b204b697e851e866bd2202539cedc60e02
SHA512 dc86c686890487bda48ec15358161d2d12cc9a3ba114745b0118039c906a38607e50addeb3ab2c42e8934aa365d82750f7cbd0c41fe359ecbc6fb3347dd8caca
-
Filesize 581KB
MD5 8ccde54f3d0839f3fea14b7f6ebce86a
SHA1 700bafae280aacffde75859a762d8366e18078ba
SHA256 8d4c36e272b1b220ef6cb598005b86e1c6013a449a2b6acf6c9f1fad5738688b
SHA512 bbdf699e497c21e8ec577e2a73f6b9173ba17b0a815034765ea6710380852117d66df9a834dd5667401a1251e2ddf84cb413e53b3851858b4e8d4d198bd15ca3
-
Filesize 601KB
MD5 ff433601305e28fd1b6f46cb1a18a1bd
SHA1 bcf757f5e595c8ae6bbbd4a4a984055a76be915b
SHA256 06bf4aa8169dd9a70496c1dd7353857877b6778d54fdb295c91f61178760a4e9
SHA512 f4e09a4285a2d0d9cef272db80319f4d0f9c7d28ae997d7db707eb9712d91439ecdf652bf06147b0d48718bdc3d78e819f17eb11c00d71a68cb284828b4a98ed
-
Filesize 581KB
MD5 0221e31996f25f7e2391aae1d5e98501
SHA1 e7f98b84f785e35091fecd1d1594423d18692621
SHA256 e83ef10b254af97ad2087aac082e284a74dd22662cbc234893a470c3675e57ab
SHA512 bb07fa2f67db14146548ae15c10a95d41d38a3af9e2d43fba04694849fe0293f7dee1d57939da6c503370c6a0faac98ef3880de2ba6763ff1b15f3a85e0d1f35
-
Filesize 581KB
MD5 e1a7c648b1a550a6b2f07e62cc801fb1
SHA1 4a4f45d704f9c9abfa848b44090fc8d34da631fa
SHA256 9c9fc1302e7dcd7b027043d847cbd43f863e4026d9b3dce8dfef48dc2deb0aea
SHA512 b9523f0e61fcc008e5ca9218d9d9ce8ff89f91764b885d884c5eca6531675238eb734d91ff8d1b4d297f6b412d40b49ac72dafadcb74206eabc4bd0673ab57e0
-
Filesize 581KB
MD5 ad37e6c9ec0794d97c2a0dd672bab3fb
SHA1 2d1c1c889d737352cbf97c7bdaa38d35f617f59a
SHA256 5c56a07164d44886e928163a83dd6134ea667b6d41192f41141e2bdb15edb401
SHA512 4e1c4d17041aaff302bf23c63ab7c369eee813b9d23937c339da750cb83b912deb424b70fd89fe7cea7b6afa0f5f7915b72aa8bd29fa4895902dd159161a7cf1
-
Filesize 841KB
MD5 2c379be8e1132ecc0db4ca21b9a53b13
SHA1 a49e29d432ffe8b45ca85ef9f231cd6dbb0f846e
SHA256 071a349b2142a7133106df67a8753abe2a75d280d3bf736605659cad82c0f210
SHA512 feba4a0a9da7434f4e7a0d39446c120ee116340483cd9582feca604a12ab5ec500d48982a78ad004578716abd684af65a988df928316b0e106e2cc862e9d5328
-
Filesize 581KB
MD5 65e755e32860c1e7199a9159e343a8d9
SHA1 7eeb12ce1e21288ef5229bb3d460ba055d97b156
SHA256 70771e171185a15639883cd91c8ef3a94d7461a40913b6cc5798ba05d1582b27
SHA512 19344ab235ef260ba85038a547255ab3be3729e1d3144c6eb2425118aa1b1cce37da7457f759d607024d23a7a7629a4fb4e1f6acc36ba4af2227b551fb280c3f
-
Filesize 581KB
MD5 d05560661e6db69109311771b73a0174
SHA1 fbfa44a5e006d3408e2626e087a9be479543f0a2
SHA256 52fc75b253b0f4f7dbf335245f38a61888a0bc20056d7a6d50ea273c1d00bad9
SHA512 65fe93363190903a0d45164b6c92080c1d87a44711acc98e9c94eb5d35ff2439c336ed6da163878f8a346040c344c8b17396ff508afe62a9e7810e6023ab8b79
-
Filesize 717KB
MD5 64f50b833dd50f4cb6bcce8ef4a9f141
SHA1 7b4e293658553ba5d0978853faf5301169821d5b
SHA256 ba5d12956bfc30c13b9832d3e21e9cb2013b0363a8811228a314c4cc692abae2
SHA512 448817dd1f1fea09a80e603dd21e2528f025832ea5207cc82ff60ca3df57de22012cf94ce35b9249f58387428923744ba927a305de23d79a4dd95bb6979700a6
-
Filesize 581KB
MD5 0b145f341a242e570228bb384e79be34
SHA1 4dfa07d99e2b58f5b13bf59098364d6b2ae2a524
SHA256 3733bcd421fdf191e7e5cfe7004437ac5de178a1c2e3ba20bc1b62ee2630ce04
SHA512 afa29924cc1480c318c5b1b0451ce8dde9735944819c6130f5dd90eb47b5704f9e07ad0d67d395f1374425096d3a6e38c59a5cdb55fd7dec5bf450aa7063c67d
-
Filesize 581KB
MD5 cc27935e2dd5b46b2ebdf4ef477d283d
SHA1 96d0e8e090c9b31fc70d3b1422cbaeea2855b79a
SHA256 8e3abb5898b79fc1f6418fac132ae492e1f6670e90206751764ab6aba426c0a3
SHA512 a4f530118710fe78f98b1ea225d2cc1b4d73c094344a2b7471df99a68766275f54bdb01ceb3b2e59549213e523619439514b97eff2a5d489ecde11a53730b16e
-
Filesize 717KB
MD5 035e5c762e0894901849b8bd8c981f8d
SHA1 704070b97b9000bdffcbdcba5e3c4dbec1de08f4
SHA256 395a409be800e34140d8b75c0d3d1f26f426169d532edb685f53e19b34eb4b31
SHA512 6dd8129564122452fda890ecc13b844d94f421f13fcbdc65d87e5456ee0805a3185b331b4d0c27349fdcd6c64727da13712b52949a731b4f31191920760213ad
-
Filesize 841KB
MD5 f997313a85776f2de9ff16e7906bde99
SHA1 f161e95c9d4ef9c439e4a662ca2df31029322599
SHA256 b75abe66244579226e3d96257bf82c7af80a212e7abc0e4ddf938cfe69e6614b
SHA512 8da04e2a0cdc2c0f4ca99e75ef16a08c6b1876c0f5b25e7d37e04b43bdce3958f032cb79fa2d8c6fda4dcf03701348b1d6eaba61d4a91c6331dcc9c922bd89da
-
Filesize 1020KB
MD5 e71067db2c0dc75e5f676378efa74926
SHA1 0575ee9d05300596f9f685b94337799c58a5d3e4
SHA256 8125d2b7553b18af735b019278a7e97a7ab84fc76c1c0cbd0f251a3a27b5a905
SHA512 3f30152bfd3025136ce394439c3f8203661ca4210f3b9b4ff7b0194ec11e64d310f3bbf5838b02842438c09a9c997c342f77b6862f75102fbd9c5f83fb07ab65
-
Filesize 1.5MB
MD5 7d54404197914a06705ac0331bd9f8fc
SHA1 a62ec9a6b98c271635d067a6e4aeb4b275005a33
SHA256 9686801ff97f8e9dd18f6afb662e78b81dc8c635572a47552e3a24e8e97b8c3a
SHA512 55800e3b3173a12da7f4d589c33f94b11102b9d16dc333f0a7b8d521d4c5a4150d45ba829c15fca273839dd71a7443f0b8139a88a789cfe8a850d992271e3b2e
-
Filesize 701KB
MD5 c1db790f0d83e1fe82deff2d6af437e0
SHA1 511a2023bbfd744073dd026b6c7adbeb2ed6e120
SHA256 0359d0ec25cfa6fe43d9ccb1f6954ec2eb8b16762e2cffb9b67cb0398abbb86f
SHA512 670a36e7cc94f65d3c4143ea9ce6cc5ea98c4757ddd2e9ba52c569069bc4fe0152f7371dda4d30de7956342676db75b022d7cd32cfc4dfb2b312d2007a2a34f3
-
Filesize 588KB
MD5 acb3e5d5dd6cc7912adc4f2c1aaf4e9d
SHA1 580b3d8fba3b6666d7db3b264200d493966a95bb
SHA256 aaf41718d38e354a7f8a3e80f3c1f0c92f38a41b925efb6547e1469c17ca1af8
SHA512 56134b6380a9d1255d1633211773b838ea2097393d1f3a337063c05019ba52c6f81c517c72bf03e7c2a9cc85bd6808559a6aa81bc01492ef601047c05e680c97
-
Filesize 1.7MB
MD5 607b8516d004139bbc4a021f4c9af2e5
SHA1 6260974966539ff5bbe5ea5063fce925295e62a1
SHA256 168c0932aa5c995aa798be237571ac811d8b0e83e9a2fae4e5a615572ea617ea
SHA512 76a634b4aba5533ed775b108e1ab92269853a492f6bb1940bac4dc7e337be3ffef81007fa6813998c1c4ee1c58fbd0b44a3252979d410f9ff5c23eec0a619859
-
Filesize 659KB
MD5 dfbcfc1cb6b41b76cb75fc6de5fa15b2
SHA1 9b6417474711b3a8b777904aadd33cf5d0068d9c
SHA256 fba33ea266f0c21362f180a23db268b528be7a5d9a9de04578e74c2c09c5fcba
SHA512 f3a540d37f31969d07adb59aefa80fe0172cda72f10d14c760f6e68cc327876c15df2c3eef31eaf0d52b5328dc5eafa2030c6fc2ecdfd0cab0ee43e6579b9a7b
-
Filesize 1.2MB
MD5 209ab870fff8bf107c659d3c6e4bb333
SHA1 2b23527099f4e9be3982a721fe5728c4d63e69d0
SHA256 49d43033b4b7999d140b7178d6f0dee777afa881a20e265ed88fc393c3c7ff70
SHA512 7c3b7d00e9eaedfc29c3dc632d8eca871c057721782ef715b2ba2a8560be5d15af1a69f1d7513f42eb71f19097e702f8bab7ab1551ff5447f6b38932c5ec0385
-
Filesize 578KB
MD5 0fa0b9a57e0d79cb981553d9fcd8486b
SHA1 1833a1546b0c9c57d05304e1451124f407b4ccaa
SHA256 700cd8d6db7f667a88d67eb3934b198abcef4596563b6cdbcdbbee695ca999a5
SHA512 851cc8a1174b923176bd8d660de35540d49231153a126ce35e4fa4aa703be25e0c10f0e66f6796b5a82bf19981918b11a6d79d587f146a7cf6aa9b397cd064bf
-
Filesize 940KB
MD5 6a2c71bea7c0a1ec965e11402ec8da34
SHA1 c7808f38ce9d9a4e9038308d3d1574100dcc3f6c
SHA256 d517b3854ed943cc741341498977b2bb7791c7c8e77f7af27cc80a0e7de2e133
SHA512 d7a6dbcc2a60e22d247485264420f2101faaaf37f2ecfb28e1490933be9c3b441a0a8935665faac172681b1342ba9edd28d8ae11a02f49da5849fd51a55128f3
-
Filesize 671KB
MD5 09a8ba5b62ff95b5e53cdbaf8081330c
SHA1 c811a7d32f8c8dc15fb0310e7bc4d322a3fc4f6c
SHA256 11ee72d09df7f6ca28f65a5dc74446b4c3f7cbb1d6d8efa5815a002faa6d386e
SHA512 6d258ce39ec81cde91c5705455b979f1cde6f165ccb5b6692d2b296429bde963d6508b677e0e052e6b236fe07cdbda4fd0eb8352e1a9a7b4cb6fa61ec70ddb66
-
Filesize 1.4MB
MD5 439ec9ed8efd4a07ad210c7a04b65c0c
SHA1 9ce80d901012f7d2df811dc7f5dec230ead3f9e3
SHA256 8881b51e19153f99032592aa9b77746ca8933bd23b4b880c9043c7d2b9395382
SHA512 2f2c49dc8b06fc9d118ce719dd9e7f2b29f11cfe54f297cc74110bfdd9e06d89dc13e7854f5f85dae0e108d0293ed882c9b56deab541014cd93877386614d4da
-
Filesize 1.8MB
MD5 6335d7c181fc7c3296e32a105b745f92
SHA1 28fd4ba8cf24fe605084bd71dc0768ac6c4a7ceb
SHA256 eef69e2265f2b36e7cc3899de8a6485f1fff09b98f7ba654b2308537f13d1922
SHA512 634cc636b16eda1d39ebc62aa4c13c83410c60860433c7d51bfe6d6885dc8301342d69d7d61e035f1fe414e03b8fd6ba9c3e9c24f8ff6c4474291178fdaffac0
-
Filesize 1.4MB
MD5 f90c139e965fb06176f589d35a9a7589
SHA1 8e02cff3a020685c1e13a24e148b843213db0f81
SHA256 42444e1a8640280958f4587abd48e9083e782fee956c8cdf955f8954005b303c
SHA512 84f1fe8d853c00cc0c15b551df6c3512a7462b646d69fced072eda6cad83d8ef3f4bb9b9c755f5d73aa695b4fd910a3a8de9b388fb213003f40741617dce54cc
-
Filesize 885KB
MD5 71518ae7e3c1a63ae424f5f72da00723
SHA1 a0aebbcb6c53aaf690106f0bd8b67567a5126fd8
SHA256 9cf65c7d68f95dd0eeed8aabc95638d4365b2ced5fb10acd774c3ae810d4d929
SHA512 d4fb864d1ad2cb33784b4b1a414bb1fa76f283f178026fc9103b73cdeacf700d5af9bd3bf5e49e0cc784734cbf23552e8c51eb9724c6a086c9305d5f86a9b2ff
-
Filesize 2.0MB
MD5 379fd44500a795ceb579a5be39ddcc6b
SHA1 af1961bc0a6d81b38c4e53421f739f727dc05382
SHA256 220f72bae53ad2cb69f8816b94d28e945e728038a3ad5b2f40762d246ad3dd5d
SHA512 b196104908df87ae9f073ceccdf43f531e5b665d95f5bd0be209590876de7ee1456dbc8a3966c211e261f34ba0d6429003e3f82d6eb94fdc908590b65aff357b
-
Filesize 661KB
MD5 0c706c7c4be8a68a4600907b60e4fa07
SHA1 a51aea9afb52679c3830b1ed09e6788859aae7f8
SHA256 551faa1152d5db02b55d49349b58a27f48504902bac94fa6fc1cd013e537e68b
SHA512 a566a995d1e9ef982f0ba8c796200b5b96ae0ec5e304955ef4714d731c8912455f690ecfb7f11c01da98fa34387a3c523e55fa5bb9284a19b2e5de580c5f4551
-
Filesize 712KB
MD5 829af5cafb3b5ffa786ee5bd54ad12bd
SHA1 8936236e91943754a027ca15cdd96d54f16a9d4e
SHA256 d6573e8ad7cf5286e3a8705633783e4dc2bc8646356c4b3164b06b8a18b09205
SHA512 896a3bb458baf68b4fea2328312300179c5476f002447f510c12ced822f794c81ccddf9e600d83f23316fb1f0022bf22e32691ff60efef29bdf91fdf6b5c51d9
-
Filesize 584KB
MD5 1ecb4dacf4c55577d7fd284d63df3fc4
SHA1 017d465eb7a9c4d11495d4fbfb6214de9114dcf9
SHA256 8f6bf3ed8e95529ccd400a9fef031fe4e5b1f88824e7628bad510855fe964651
SHA512 36fc09d4bf9b646b2d02641230672ecb0c740cb3806269d312746d9b2bdf72fab2b9b8c4b0722c636a29bb66aea64fc195e728095ad3e8d5093f402ff5472d82
-
Filesize 1.3MB
MD5 9d288fb3c581f2c42b9b217e13159d96
SHA1 e8c51731775aa8b5b97c2f8412c3d7aca92c77eb
SHA256 2edf8d454195f6f87aeddf45047169e9bf388923921c944c14ac6f010a46d127
SHA512 2e2fa27ee1da55acea92d8655d8a9306cfb79063bae75683cc0cff71cfbf0872543f8debe008f7092f8cea93e31af5bfa6690db627ecdfac498de125500d15c8
-
Filesize 772KB
MD5 a19b453f3f2a92a9d63fa74cd2662325
SHA1 8d13720b136106b4a178097a2454e7884c2c66b4
SHA256 e54b860bc42e91aab7c669126f002d39680543d4ae7b948623f4a499a34b1610
SHA512 ccf96fce6a827e0e0ce35905f3a4cfa9f2898a01993ea14e53a9a888fbfd5cdfbf5c103a6dc425b75334b4376d726bb875ad9004018271304ab68e23ce54afd7
-
Filesize 2.1MB
MD5 b1500703c73b6815b9ee9aafdfd4e8d1
SHA1 c8128c7ad94c458a4aa76af2ced6a2063bc1f6bd
SHA256 5b9820b6504db540f809d79525f951db96b9a30c58bb8c78879dba080f7eb3f2
SHA512 65d1b6e8fedaa45d2e2c28c54ddcd2680a9eb0256227d104c4ef3c5c836437584f5a588b696529a1d89966feb516b861947864ece07e2f2e5e3bf2df6b5b06af
-
Filesize 1.3MB
MD5 969fbe10d16807cba3b44f7700971a19
SHA1 58c4d918b3edd70a5fda5e978656575c93a27902
SHA256 4c3e9843e800dd3957e61555c7c0ec641cfc87a83f3b9aba9ccbe5a1d2958c66
SHA512 bd707c2f83da7ca72ef07bcedf666923c058dc7b600a48e5ce18396de796680390046a175ab60349d3ad5329188d25855452b427a8825304a9f678f863c8f256
-
Filesize 877KB
MD5 2c026bd5bcd8c7751a71659f60023f2d
SHA1 83e483c5ef7e74f325621c07b3511813dd952eec
SHA256 9438fb856fdf52cbaaa089763110538bcd7713e87c7af70a57beb62704803f80
SHA512 edde1e118dbf13b0d06b8f512cd57f10f85dbb7f124afaeb2696791b74c32f6434d365c8a7ec3a37a9e03124946740cd6f025ef9e5df10720f07b95c0f15a3f1
-
Filesize 635KB
MD5 896d250bfa35ac2cb209fac3a2d28911
SHA1 32acab6287efc0bb04aee1d3dfeb07def0c3c740
SHA256 d57b3893148d28dc3e8ac16603118246cb20ae17c8a42aa75b82325aa0110d06
SHA512 7c763b27917a006cc192be1a7253583c09f0851d51b4aa5c8214d254ea15bffd22d7b73b12037c01208451c9b5d721ae5bd926bfb5161084f7df3a494867757c