Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 17:52
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-11_5140afd2ce3baf58375b72ae4528814e_bkransomware.exe
Resource: win7-20240419-en
General
Target: 2024-06-11_5140afd2ce3baf58375b72ae4528814e_bkransomware.exe
Size: 1.8MB
MD5: 5140afd2ce3baf58375b72ae4528814e
SHA1: b75feff7f17218969007baa041f7406eadae1a37
SHA256: 4c822975f69376a66eb61839322f00bbf4fdae05f9a2bfb87b52b46dcfb88492
SHA512: 58884f1352e4e996de9d622567b8ca8b72b7fb60715c205609b37c035644f1c3df9a04ff728ace32ec472df54e71466e81e7f3e9db8812473b2d190a49675193
SSDEEP: 49152:5E19+ApwXk1QE1RzsEQPaxHNAaB0zj0yjoB2:K93wXmoK3B2Yyjl
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   Process
2948  alg.exe
1656  DiagnosticsHub.StandardCollector.Service.exe
1452  fxssvc.exe
1632  elevation_service.exe
4576  elevation_service.exe
3992  maintenanceservice.exe
4692  msdtc.exe
3164  OSE.EXE
952   PerceptionSimulationService.exe
968   perfhost.exe
2204  locator.exe
5068  SensorDataService.exe
4860  snmptrap.exe
1728  spectrum.exe
4796  ssh-agent.exe
3076  TieringEngineService.exe
4592  AgentService.exe
2800  vds.exe
1276  vssvc.exe
3480  wbengine.exe
2540  WmiApSrv.exe
2940  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description                   ioc                                                                       Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-06-11_5140afd2ce3baf58375b72ae4528814e_bkransomware.exe
File opened for modification  C:\Windows\DtcInstall.log                                                 msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
1544 2024-06-11_5140afd2ce3baf58375b72ae4528814e_bkransomware.exe (35 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1544 2024-06-11_5140afd2ce3baf58375b72ae4528814e_bkransomware.exe
Token: SeAuditPrivilege 1452 fxssvc.exe
Token: SeRestorePrivilege 3076 TieringEngineService.exe
Token: SeManageVolumePrivilege 3076 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4592 AgentService.exe
Token: SeBackupPrivilege 1276 vssvc.exe
Token: SeRestorePrivilege 1276 vssvc.exe
Token: SeAuditPrivilege 1276 vssvc.exe
Token: SeBackupPrivilege 3480 wbengine.exe
Token: SeRestorePrivilege 3480 wbengine.exe
Token: SeSecurityPrivilege 3480 wbengine.exe
Token: 33 2940 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2940 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2940 SearchIndexer.exe (24 occurrences)
Token: SeDebugPrivilege 1544 2024-06-11_5140afd2ce3baf58375b72ae4528814e_bkransomware.exe (5 occurrences)
Token: SeDebugPrivilege 2948 alg.exe (3 occurrences)
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2940 wrote to memory of 2596 2940 SearchIndexer.exe 111
PID 2940 wrote to memory of 2596 2940 SearchIndexer.exe 111
PID 2940 wrote to memory of 4168 2940 SearchIndexer.exe 112
PID 2940 wrote to memory of 4168 2940 SearchIndexer.exe 112
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_5140afd2ce3baf58375b72ae4528814e_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_5140afd2ce3baf58375b72ae4528814e_bkransomware.exe"
Tree depth: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Tree depth: 1
- Executes dropped EXE
PID:1656
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Tree depth: 1
PID:1324
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Tree depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1452
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Tree depth: 1
- Executes dropped EXE
PID:1632
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Tree depth: 1
- Executes dropped EXE
PID:4576
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Tree depth: 1
- Executes dropped EXE
PID:3992
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Tree depth: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4692
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Tree depth: 1
- Executes dropped EXE
PID:3164
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Tree depth: 1
- Executes dropped EXE
PID:952
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Tree depth: 1
- Executes dropped EXE
PID:968
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Tree depth: 1
- Executes dropped EXE
PID:2204
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Tree depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5068
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Tree depth: 1
- Executes dropped EXE
PID:4860
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Tree depth: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1728
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Tree depth: 1
- Executes dropped EXE
PID:4796
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Tree depth: 1
PID:3304
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Tree depth: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3076
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Tree depth: 1
- Executes dropped EXE
PID:2800
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1276
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3480
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Tree depth: 1
- Executes dropped EXE
PID:2540
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Tree depth: 2 (child of SearchIndexer.exe, PID 2940)
- Modifies data under HKEY_USERS
PID:2596
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
Tree depth: 2 (child of SearchIndexer.exe, PID 2940)
- Modifies data under HKEY_USERS
PID:4168
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5
a4ddb9100360d5143978879d5e39cb3c
SHA1
a5916122aea5b01e87c927c7772c9b5c5b153cfb
SHA256
d3c2d91c3bba9ff8003b7933b60c5afd95717f9725dcb4a36083676e1bbb0fc7
SHA512
6951c53e84825b09e8518f7ce70334f29991a60ef1dc934a18e739e98dfa347c864506e3cd98ef3b00d2d5497c81f76fdd9f350f3dc61a560326c8b590ac5374
-
Filesize
797KB
MD5
774ea33ad843544db1b97e89d2b3234b
SHA1
6c2db0aebf6573ea3c9061b7b8f5e8b175b91f1a
SHA256
907ad0a383f361139815b06c8ae945147b898ce2641e434ae448c0ffb7140c40
SHA512
6b1465d8f79398ace03036aeaf5ee91ff2f3af190a327bf1d4a03dcceccba1717d565d20c6583963949004e1ec780b15aed69eaac30743607c4323cd294f17e0
-
Filesize
1.1MB
MD5
7f3f68016a2e92702efd5e45d932fd12
SHA1
023022fe337333c339483a7e7742bb1d46c8e1bb
SHA256
dd6c31eadc4d8ba93510f67057451b2b647a8738076d3e8a7d2a1a66d79b6fe8
SHA512
e0fb6ab2013592e4bd1a8a855ed29670b377656759da1e306a41264f90b0b25a0675f9f2eb5f4369cfe226a626ba747006cfdbf0954c46b551f3db4433703f23
-
Filesize
1.5MB
MD5
2a13e2252b5e6f8e59727d677bb87e34
SHA1
e5245898778782158b3bac309648cdd0dc330e79
SHA256
d13a6bd990fe27c0b112633ad2c6ef16b568304ffad678c58d8395f842c27dd9
SHA512
4ed8232905a4dc55411e29275ea3b7b3920c564499ba6539ba2217f1a5a7b4a9581e7fd8e3445f1f2ccde4290dd268117a2dec5f0a424dae406f886724378cba
-
Filesize
1.2MB
MD5
4b8d37417f93a4492e6d2c1333d2103e
SHA1
ca980ddfa7299ae4a5cff790de6f4cb7128e76f5
SHA256
ff813cbbbdbcabd681a89d72163ccc2ac4ab6067edb930e70a80af07c4bde9d4
SHA512
edf375915c81ac40d0789717808f059ff65feaacacc78ac40d651292fee8dc38354d9a7aa90a9c446bc27e364a87ab79f78e421532a75102869ebae908a38a67
-
Filesize
582KB
MD5
e2a09dde5079ab6da8f785c589e8ac65
SHA1
5da81892a2374d592e7719a924172be0db1e4764
SHA256
dca3ed51b78233d7f0ecd139f3396f3e3673c757da3b55e46d7f80fdc794ee44
SHA512
8ff6f8d5b58fa6799def8db3cb3dc86b590bf13e3344d8bbfcfed35d9dfdfb4a33192c97f6d5421df2c3436b178ea82aac3da768365a419f58f2c655cf632272
-
Filesize
840KB
MD5
fe2624adc19fe3ebdbe8cbc7183dc507
SHA1
ee49f11daae7f5b77097bb9dfd4436bd6a0d0bf8
SHA256
3c60dd63fcd017943cc138aba42accfc6695b725f88225ad0cd00adedff645c1
SHA512
b46675c8bd31cde15a681f5def160ffb82ad2235a6d862503cf0293593ebfc8b4b1631ec85350c24dcfb761ff2787dcb5e97cf72ce51a2fae16d6087ec1d6d4f
-
Filesize
4.6MB
MD5
cd5fab8364e6c5a3e2f0e2e49c393334
SHA1
7caf5449068e0c45f6f3f8036b779991d0af9a0a
SHA256
00442480468020450db5bc8cb728f02e7f2254a99dc816e99f09fde0a9ca383e
SHA512
d2083ee08feafa34d04355b01a9502bfda0297a5535030aea36b17b7b06409255ef738c82ce433f0b74ee944e871866df158762ac6cb9663e7d344127b0c71e5
-
Filesize
910KB
MD5
e7defe078697a84c517537dac5bf25fd
SHA1
5dbaceeb0c8f801d900b1567a8070a7951e4cb72
SHA256
b7d4598d6e9f0c903e14e58d2e6897a0947d75c73888a243263a3d7cf04d00bb
SHA512
faa8bfe74e203c057aa457db8a7a0b8f3fed2339e93d50cb77204588a72e1eb9c15ae33cf97cff6251412ef9ea06f9a3d355e3ba1011592639533abafdd4848a
-
Filesize
24.0MB
MD5
5c8d28a1280aa9ed591d3689b3571369
SHA1
43b50482233d28c4fc8fd54cc141363f191217cf
SHA256
c19c01975c0d27e12851d1a2ca13ac85e67985f65e89d74fad639ea4697a5ed7
SHA512
62896a59dbcd4bb8356cc4f065978137e8c0ccc7dbe48523e6efa1bf2613142eda2302e3930d665e11a39e5a1489a6c50b71fb9a5cde4d3cb60889057b9909e2
-
Filesize
2.7MB
MD5
dafc1e88d8eb4f56b23187d997d425f5
SHA1
d98b518562b221f600912a1bca4961b34dff6a81
SHA256
cede18aa9d41d8cf67befca9cb255ea902a7001da18f333f76d70174cb26a55c
SHA512
15ec28eb98883696f62e94486e1cf3bb2b572079d8146e52adb7fbf8676c75292dc99fa00b39b444cafc8752361cbd175c6117ab6243972bdf7623ab929b1b38
-
Filesize
1.1MB
MD5
88220c01ef2e07a9f1bedf4d8f883a45
SHA1
a9447ebc84717bbe452e16b53f5dd750c022e9f4
SHA256
4d60f8e219adb6b67452ca98cb14fd22ee91e266c0369f2e1c5872edd7de75e3
SHA512
4f5a0eb30cd129fb74bcd5281abfc4e31f796cb041cbc316d2610008f9dc8bd940a7ff7df7973f08b48840fb0e9776fd7f096642e68a498b9b4a96ff3df11d21
-
Filesize
805KB
MD5
5196380ec01bc7b7a070c4aeac8b5ab8
SHA1
eb5f9633d5714426d0d09984f9aae451ccb2101c
SHA256
430ba2c9bad208dbfe390266d7374fdc7f3ed95a76feef7d8bafdd7056174e72
SHA512
8e1a753f9afe437d7228e94218a4f304ef55252be5f34ef252ce7204fd7219eb7ac447f1f9eb26f7007db5a7c5b1019eaffed14869241544fe244aadd1aa62f8
-
Filesize
656KB
MD5
c4e67dd6a0512c495c7a56148aca067d
SHA1
e17230f092d12c4499d4331f8018169d9c550d47
SHA256
a75b3a6f4b7b24f5fbc3b10d82d020c40be2c9a6867c63258bfe1470d2ddc98e
SHA512
cc1497ae743789d0207f09eb6d324ab52dbb5641a96a6a6eea040ac1a89c52ee5f02f4e5ca622357da351fe2ce58a048fbd3622514d7180eaf913cb552f5ab77
-
Filesize
5.4MB
MD5
a20dd1ef887d193d9921d3056116e335
SHA1
2c1ff2f2f16aa6d805887f9fb36d8507004dae7a
SHA256
a90d7b97bdb426f703c1e3260f776b460d9bdef48e8de01c37663c1d83cc0684
SHA512
b2e6acf09fc17f195ba970d390aa37d46be04674214c7cbe2c09329c32b54d5bc02be364c2a0d02d2c1e0a2a9c04c11a6e541db89b7a4c63149db89e2ad4b819
-
Filesize
5.4MB
MD5
b9378c208a2ee19a3188ca8ef85e49c0
SHA1
03566cf6926b056c61c386f4d2b31dd9baac2752
SHA256
aef8a2c0012758533213f332ca94b9671937bc46e5e45670cd12ea56cf98da8e
SHA512
2bba47a1bcd0319f832c438b3760b7819f597c8a36b1997a338e489e2f2c190d56e0ef9f513116ed2f005e85c82114ac67e49d2d13c035fd554c1cc411aec70a
-
Filesize
2.0MB
MD5
729de9cae8c19b3ec686a9483dda0525
SHA1
b41a322d59fa05008a19ba9cbc6f81bed1f257b2
SHA256
e009f7e9956d18fbca71ff554a988aeb07b98e22ee00a3a28940612fe7d089de
SHA512
256312ec8f1e17d254b3344a24e4fec2e57cfcb6fbb5809566e4f6273e04441ec5c14329ae82d41d519c696ab8b9f55ed538c4f9b092e3cca0d95dae31bd8e3d
-
Filesize
2.2MB
MD5
9ebc1c383d8a233f4c3fea0b57527176
SHA1
b63f7d188a55d7cc5bcbb56ba42fdf6c27f7bb69
SHA256
8b1bbcb45f5c976c86a9b8ec3d54899151c6a3c0660b77627a630ae1d60db2f3
SHA512
0b39559a3ad06197bcaf5769d16521f97f0c22ac02415dbff0ea1519feec8d4b5e1e7180321d5f7864ce69c9f72585a4840b3a2f3fb55f288e6bb2eb477a3e2d
-
Filesize
1.8MB
MD5
309e31bc83e302897ead00b1c3e0a1d1
SHA1
b8846421e66b084469c5654eead1d95ecb11f002
SHA256
fd29ebb1db045b156b7ba7b7f9f4a526c395ed17100dcdbf98e37fb37a97d450
SHA512
99d2385730f9ec5dacbfe81571dede0670db4216ae555ece4bc2f8df6cb5fa54fc0f637abb4334507818429e1d421903fccf1fdc50b8436ce395508c9508a103
-
Filesize
1.7MB
MD5
3e9063e7aef1d44621cc859a24afa4e7
SHA1
08b95a522281618c0cdf722dc8872586ced6174a
SHA256
f1def51e21ebd66c4adae54041cd4af9404ad69066babe1eb335e149010f3719
SHA512
924ab4f13da5c22d3d624bb85e40db96accbae087ada10e779f7e25e2e93b2ffa652b7a8be1826215d3c5682d5ffd14eae6b3dc9d3f65f142afc1d1eef5dc4fb
-
Filesize
581KB
MD5
8b2a3d4518e416a5457f7f3d9f17beb4
SHA1
50ddef64c5b12351592f897db363840d27430c12
SHA256
0d3f279027835df624ca5a39cca77de4dec6a764f97d98b5d0bb1f3454a33c43
SHA512
a028e36a3a253fb994dbf64cd4d9f49b0fd3b84e55cbf6e0ff569e3ed02cd06989e1ffc4593af8685be1820f31551746b469c6aa8e02d94da5950b5a96632749
-
Filesize
581KB
MD5
cc28cc752940edaaf10b1f3e1a05d514
SHA1
894c0b474455333b057ca1a738031bd6bdbba6d0
SHA256
c080028874202044f3eff7a8dda39e566b90f7aed2838c2cf083a11ade645dc2
SHA512
ba447d191226c4a97adc965935cb85225a91f55f5f7bbaa2da23795a357f1270e87d01a74c4d42c451dc6a6e9c480d81d469cde35a3dbf55ae52d0decadb2ef6
-
Filesize
581KB
MD5
4c1008bb4e8bb96dd592cf4d71563dcf
SHA1
c28c3a6a3978b90947331f6181d023ba9584b400
SHA256
7a66cdc2e14087fd015f7d729c3565dc9078d454190ac60858415a70069f5856
SHA512
f77d9eb5eb70e16f307c6c164bfe052a1d09e8ea02b25edcc2fee77ca76b8b4cda7e01847461390cafa1a9e5bb2aaa9d199cf79800500a00729fe3c519f6d398
-
Filesize
601KB
MD5
ab354ca57cd2d47de96131cb1ebd60e0
SHA1
569256b2e99ffbeeaa8251c02390611d82c43dfa
SHA256
ef86734dd0b43a351b9a448cb07208f4450f9336f533278ca266503d3fac8445
SHA512
c8bb2b80f53cf15a4eadbd8efea300f4fedbffee60bc9ba583f388b4213139a391773ffdd10eca2ee5910f9111ac5ceceadd2f4b557246fac79436e31923cbdb
-
Filesize
581KB
MD5
bb4165cbbda250ca687c74707c6c1bfd
SHA1
9a80d852629b4cb856c83bf28ad22968e0600684
SHA256
4695545537370b1a4d3b602cebdd65351f004490a0b89fe16ef37fdc8e07760d
SHA512
0cf0466dfb607188c9cf54bdfebd3335dc9d9bc247128457e8cefd5fabc230d615e6aecc51ded0dc4d68a41efeb4aba384bb076d4fb4a661b8cdb49bc06f0a29
-
Filesize
581KB
MD5
38ce44b89a8f53d783a1056cfa1f3ba5
SHA1
31b916e09037fe48603d9349460c1b79127ffb7f
SHA256
82b89ef8bad0079cc753b96041c6e82404d4e4dc88ca4da56116590db03abfc4
SHA512
1a715c12317675d7db0fa8248ec272ff105818be5f367458d61b985e86dfdcf234f959fc04123cdba9c227817ab674cf35c079b947332d758a4cdfca714502ef
-
Filesize
581KB
MD5
f0f4cad89a94b2fcd6e96cd3f7093361
SHA1
1f65268d23e452562fb41d555895f9e966432657
SHA256
77d293c4b6cd1d2bd06b27c4ea37d829308b4a13709a8f0e22d254923953d6c2
SHA512
34feb7d2c25d903b82fea2644710198538a0893476a1a909c2b9ac727e349a7b6330d997cf0d30f0c453dc230fcb38bd5efdc3ce448d6cb875799e2312e5df4b
-
Filesize
841KB
MD5
58c26cd512af4396d113bef4b89d127d
SHA1
02f0a3a3d98e2466b4a123a143016f1560165ae3
SHA256
a0ae3ca505e1e767bbcfceb56437f7a9cc21b6cfac897a03a9d0d84a2ec223cc
SHA512
de4691c30007c9b9c492058fc5b58d8c7fcedf347bbe4b7e0c93016224dd0a2f6e67466c9b47606018d6a57ac325d80636829e3f3b187234984ed5f1e74c09a8
-
Filesize
581KB
MD5
39b22b6ebc2422ada0626bc5150a8684
SHA1
0f6785823edc546135c9126736971211d3cf7af2
SHA256
7aa24b07c27a31504816ce8d8b8d59f338c5b23d5ede9ae6f331b4911eba23c7
SHA512
2d11f6c5b615d2fc45c1a0a8dbd1eff15bc1f033f1934412418af1d20726a6894d11b73c599651517f1a50a39fb80bf71c65e33ca8b7813e607a2122124a6c3d
-
Filesize
581KB
MD5
472a3632801d1cd7ef8f5994bf82ee5b
SHA1
f9f9f4c1f4af4d04770c74292e0a608955e955b9
SHA256
eab921ec17a64bd11a7fa84e893f0d526e36c13f009f02720e66ab1a1da564ef
SHA512
644a2eae702efe20549efb5f9dea94a8cd196947f9c55b9453aee669264707f99b6519c239a58caebd828cb02bd243aac4fd843ba3154774e75e5f9c733042b5
-
Filesize
717KB
MD5
0d3c5be98b81bce26869164133ce4619
SHA1
8ae68f59623bf612a8b27b7e48fa1f0cff8c774b
SHA256
206540ff9a4018b07e5745bd58e55f845a29255fcc5b65f32679c2f3f8091b23
SHA512
da8cf026f83c0af2b4c9f72e3d6a799e197fa961a7da99f5647cc98c4ad69b11bbd3248a7da65bebd1d42dbb4445ee3c7b1ab25060dcb683cef4df2752f79b01
-
Filesize
581KB
MD5
92731484eb4345cc3954a295a8ba9a14
SHA1
fc16264501df0389152aec11770e816f4f23364e
SHA256
04fa114082b4e8e27d21cfaac1ed6832765730ea25fd866d12d1cc4b52a41c24
SHA512
7ee8aad01f8b84df981716730745870ab2999e17f6c83288761013953b421f92a7bd4e76c6320228d55de5f78ba8df6fbff0f3ca60de6e287fbc906799488f1d
-
Filesize
581KB
MD5
a2c3de6de0766727b14cf72286ea1b20
SHA1
7c05719291d6e6f4a1a1a3553a9796ae992d12fc
SHA256
964113c0f6d3be12593893270e6934d84dc4748e2e99111aa905377771f76fac
SHA512
e551418cd33fbae37d945cf85556a0cf76473155c052b4ade81350d387d7c89c4c6d4be1a6c713983b962cd8db8e4e7abeef6a93d34379ad8eb4498fbddd3751
-
Filesize
717KB
MD5
a85c4c55f57a5afa29a0c06699a4d9e1
SHA1
a7c2634a4783d8a23845cc2c480b6a5990575109
SHA256
f7915b5db49f039cab902f100294f843154319b16aaf6c5a03d3c87ce1fd1dd5
SHA512
d58cd6a8b3711f0febdcf4732b589e1175917b07d89b2d790c709072b27dc1ff6cfde8a78dba0dab7f34ba90b57ce00ac32ece0cb90428b41cb8776ed296fa7a
-
Filesize
841KB
MD5
3a92b780e520caa1572d1b408ae4c526
SHA1
ac71df89973727a56ecc2854c9c5dc55fc7f962f
SHA256
d01b8d3c01572feddb172163f4eb2c4a2d08929591edd1c0c402dc70c517649e
SHA512
ebae05d50ff7aff1b91f940a184ff12eed2307355b8424754a91ba6c107ae99dc03857fb674a8ff592ed4f00efa25ca21efa12bbd24a5a4490404c2383403c65
-
Filesize
1020KB
MD5
9afd7f22232ab579e76c1d5dc1304d21
SHA1
27e1aad03f6ffa157c7e37b87bc1406ec5321a71
SHA256
fdb2f0545b0292a0b1682f19e286ca10ef3faac71922b168b4ebc10fd0306376
SHA512
f1c9e1d3220966431e94e32525bd025aae7829fe6dbfbdfc7e1091ec38ad6b75d29bd3d2e97a6d08b8e47dd67dd9ef2466dda7188fe7b07a0483350d7a5b6ac5
-
Filesize
1.5MB
MD5
870b1c73a8f69fff0749bc6d66db4d86
SHA1
46857b7df05cf3468a938b0ed7a5ac71e75310ab
SHA256
606f02835ac88bf26626a7ce0f95356bed3eb446f2563a4eb8e6efa980800bbc
SHA512
ab658284e10e60754cbd33eaa0f23685394d0b674f3dfdfde5dbaf629f4b3cab1d1cfcd060f0458dd70fff60896756ad3710ed53e49638d548bc846efd55197f
-
Filesize
701KB
MD5
4e698d32f982fa476cc78557ce4bc70e
SHA1
f6b7111eced9b42d5033b0c2c657d30afbdea6f7
SHA256
5a88b5d7d73a21818e3a4053c70191721a5767c8cc10a0fd761738e8570bf73d
SHA512
9cd12e3510c4c9d3df21e552cd7e8a38e3b8d6382904fb6c7c1fb1aae6c2d9182cc4b94329552df09c68220b4e545b2fdc41bbb35f7173feab3d03acef22b644
-
Filesize
588KB
MD5
3b4a8fe744c1527b5d882ae5edf57d56
SHA1
05353192d48db3f6285cc8651281984ef4bd7f51
SHA256
60ff394d865f09c61f8696c1d3a901558193ab471a5338be1607a366470b37e9
SHA512
dd2dc190416466f47c140c4d652ef5212072dfae6066fb3f85ccb771a1aa59a02de3a1943e4f5a794f086c903490bf81f622de11aa5e92bf9442da7c88fe0e93
-
Filesize
1.7MB
MD5
abb1d1691c1435253de91d078bdacf71
SHA1
ef056a4a62566616f5a210d41e78ae00befb262a
SHA256
ed2bf4f0497b1f829f38bdadc43b597df6ccb786ba0742c3e27ce9e2c298420c
SHA512
77b25b23553b3863c3d2bdd26f47f43c910dd0e5083aa76b93bc6ed6812c23b29c9a55dd56597981d73b2400675fb91b98c0be3a4e1a016d4a0ad9a13e33072c
-
Filesize
659KB
MD5
bdb300db514160ee1bb1f7beb543c5b7
SHA1
a128091cb259409551a088be2f49e670801d3ee7
SHA256
a601352284dddda870dee8f461d8a45e9c6bb3b4258508d58d665f186d49252d
SHA512
a4dcdd5c9ab27c90962b2445c78ccd138933fa4b0ffa8caf9ae7bd8498028c65b206ab509d1e1c2d00396174bb3685cc89bf7f3c5634cc89645765825eff187a
-
Filesize
1.2MB
MD5
4efea07309d7bec615bd5e4e8883ff14
SHA1
745118a861d24583c460dd7180c004497df0ec73
SHA256
83de91ee678e7165882ee78cf3c8c2f242180de94279fe74a234c819e7753251
SHA512
7c6c09c0faf9058f47b86a33954f9fbb9bd88279a797cc5fd3d0839ee4da22360c27207b9fbaca7cefc09027dcb53ad295712a28d2a8717b281387042161a157
-
Filesize
578KB
MD5
b7d2869412e3e977050c5ed32b823be5
SHA1
e3ff2d588e1c155d2b634a0475100a893c7a0697
SHA256
bb891d5ba4d177e370a0478f136e20e3e908dd048003961c84be7b7a3f030aaf
SHA512
9b99afbb4f61de1c960ad42896b72b571689066b235f78fb379d855459cbd003a5a1fbe7dd4f0f381db03c9e17097a65b6ae10b368d073302b56d76ebf513598
-
Filesize
940KB
MD5
6b9703df46b3116f1224aa1ca88d834f
SHA1
5eeadc02411b995c0e4aab7d8f591299edbf6946
SHA256
fd44149727cec40ede087c461d2fc6f090740ed8d1b7559ca580bafee713eb28
SHA512
1f57ebcaa1a0342e35fe39c7e8d70fdab03d7b26d06f054ab25375c8dc95fcf509ca0e01dc86902cf76a60491960b01750b137dac6dae57806005ef43bc5ba5c
-
Filesize
671KB
MD5
428f978453de43346fcb04f5d4ddcc3d
SHA1
1703ec7711c8a08594f501775da6f90d5259862d
SHA256
001b744e8642727a5e47421b82b2ed294bf3e0e0e54513159bacd0ced0c0c920
SHA512
24e1cfc0f254597e42264132ec3116fed6ac235d1ddb6504412d2e60dcb3297e6309add5713d23e516f5aee17aed7b0bca9fb4ba255b646e3e2ebb183acb3590
-
Filesize
1.4MB
MD5
7c4e202336583e9a539f08dd190a23bc
SHA1
8f6e3d0462a002c997117dca7e37100d94ceee4b
SHA256
c29aa9b9ca0db63900be5084f025b6cec54072cf6102a8c215becf51854a8c07
SHA512
6cda87244b128809e61eb6a64aa79a3867f8e6843939faea351888e2ae37645c40b0a79d04ce0cd5f0d1eaeae75e8cf70b8e541063aaace0b525d4d39a933578
-
Filesize
1.8MB
MD5
4757971d6bf4fc553e3a96794969f535
SHA1
df9f797c4db08a6b797527877e715526b75f0d5e
SHA256
6a42d1dd25ebf197959a7aaccb0e66633f60d69c04aed3e9670cbf3c3f335085
SHA512
dea2519f2a16d1d8f8cad258fdb7510680bf99a843a6f2f67ac7e47f3a5fa0e7f5ea7593dd1a5e4d05c988dd2ca7caee56334c89dc242dd4d11fe0f72d9bafbe
-
Filesize
1.4MB
MD5
76814fa8d4f62288ff27b7d93d56cf30
SHA1
ceb1f4350c1193a42dc41c301461e3bdcb3dc6c9
SHA256
c3b42c66d7a604d6b8b03c9e53474f467f63ea2c959714d3461a8970992e9f98
SHA512
fa20f9378b53f1f65b3dd0c6c8aea759d33a9fa5bb11ff3083dcc384b6679a52e3df84aa6782abd8cbd1bd4c60471d9933f0cf8bc824122e5f13713e9ff866b9
-
Filesize
885KB
MD5
f0c04f1d71d21605e9d0e356bd2de880
SHA1
87495c8343abb3351361c2d9d54504a8b740811f
SHA256
430e40f12b5798f2951bc50efa4629f4433dd2f09d38383eb6fdd91169555279
SHA512
aa6801b9f30a99ffceb75c5329c7ca6d61e1ed24f6e260b733873dcca90a3f07932e326c7e791a51f466b0c142d77f0d905a50c0c09d23db63e20d6774a84dae
-
Filesize
2.0MB
MD5
69050cd4bbf42910225bc8eb17c37c69
SHA1
4a74e3a5b5081eeec6e96e52310fc206171ff375
SHA256
abd32f1540e0c9074e17674f7a7bb229ac8740253efd21ff56503df4053068bc
SHA512
6f4761c40523659f79181468006a6898f6d932bcb12f04bb54c07c6b98332d77c89571b6d31a430584e9092918c0bef3dbe52c81d5f3130c0b982c6e6903d318
-
Filesize
661KB
MD5
d4deb87cddba60ad16432ae8be251a7d
SHA1
83ae2ceff3a89ae5869122f48bc230fd2e8eb1c3
SHA256
d8803453a7c28022fea16a3d3c459c3e3ed684d02e19b799e277f8d2e76d8876
SHA512
a254b40d215cab0516a25b5b2e6e68e7eee53225bab9bfd4b0d18fe14894c08ed33ddf8d7ae7a732bc11923c92eec207de208d81e70790135715c070961996ad
-
Filesize
712KB
MD5
bc7994403bba6ebe16f4bd89d2f8d628
SHA1
855edf7671bb260eba6b9ecd826015ee7f87cd86
SHA256
d7a6c67bfc48b610f9966f578bc457ee01c9c712622e438dbac4954d0bdcdbfe
SHA512
74aa419dba7a6c8f22d1252c66bbba90365ff9ed9e650ce19bf2cfd5b005cd38bae20b446918ea6be6cead1e6e03de846bd82d7250accd009c1a46b020f581b3
-
Filesize
584KB
MD5
14b62d05b3896deefa2d58d1b52d911e
SHA1
0d67eb11cdfc2e0bc05540f9f3b67ff0d7053887
SHA256
f41e3c4c0491afea2d5889e85bb555429a1351b41c315ba1815134f5bb73abef
SHA512
5d92a979f442fb213250d94cae239a4c8c75e4cca31fe7f955b314ee03415b4ad231a2f8206acd0ce62a324f0af904cdba2a086171990ee68ad62bcaeb882a8f
-
Filesize
1.3MB
MD5
184947d2796d8c35d8fe236a2de10e98
SHA1
f3570bf365885a742644010ee3951987991260ac
SHA256
4cb2a17e079aa028aeb3cdcfa5f48c3222218ba497da9c70cf1eb40a609b9aa3
SHA512
9c7b683114c03dd571c294ffedce8d95378877591cb543b345ee100e0b0b275ec76c1a44441e05277de4774ea255543ee0795f0660ff6ffce9c6769d17ae79fc
-
Filesize
772KB
MD5
78862d657b1738ef8e1140b74e2af17b
SHA1
69eda13b5b547764db1324d182b00bfbcf079d08
SHA256
6233ae060fb285d681e631df5d81bc5822d018c2c596d221016942768bcc1be3
SHA512
316ab4b8e6bf40f53264caa4d8d0cf4dfa6e509d3855868c972218a88f51cf9286580399385fe804c0fa7f79d468bc86955f115eb3d46dadb679a86f901a370f
-
Filesize
2.1MB
MD5
4036cefe70b340e32e9d01de5c0dd9c1
SHA1
fbdcb1dd2a55d500cd0edcc4f64f4c0b61f5fda5
SHA256
a5a1deac6dc24089ab33181673aa3bdf94e51257b0df61b9d144273fa411d6c0
SHA512
bf237fc2fe176004e73f701a1b819cf2214b2d33e8515df4499fa83d0dd727194e2e802f0622b6a37f2ff24a1a9a5a21a2fda07f482226742f84ef40bdb0ec2e
-
Filesize
1.3MB
MD5
0b7e417fe8e82b85754d17b773a5e1e7
SHA1
04247bf5d3f4f75e8082468fbb535f270bef4623
SHA256
5a153354b45ffec347463c22869d8e766bfd24939d196ad05db7a10dde1e875a
SHA512
2fe74576936743e2ec33db60624d2c2868498aafb4746439ee5320dc3a401b7eec1a9e1a811888edacd2d953d28003ecf1185dec6e87c043750a46c311155f22
-
Filesize
877KB
MD5
71ea9e2d5bce91b841dda4e5704028a4
SHA1
6f448488fc5a053b2f6b599a7813576f7a153734
SHA256
8f34e7a9a78f089b93193cb5336ecccfb91ac0b3877562ded7ca1f9b29c4643d
SHA512
568e2039438ae909f141e2d84f6e14574e910b283d50865311963b039a20daa5874f47db76406a64579cfcfeba52114d18183efd243c0e6a4766a798acfefdc2
-
Filesize
635KB
MD5
d491fe02ea906558e3273360d5a08e9d
SHA1
85680b502e1e750ca483b11199cff7e29126976b
SHA256
6668fd5a0d7d047da762209c90da2bf8e47ec63e8b1d1553396711bf251dca35
SHA512
97bee122e28323659fb8450300727284b3cbe44b792b984a9b7d26bc9f6fd5c4bcac48dbcd8376eda93ea315d38b020cd26ea2df8f829986c095950b8122875d