Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 18:00

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
Resource: win7-20240508-en

General

Target: 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
Size: 712KB
MD5: 9116bbc10f16d5e63bceacc7b95f10b5
SHA1: 9a0fe5f0858f7896e556357663cba948901ecdda
SHA256: e68cc700df362dafe89ab449c1d08f5d5730704259dd059b85a1eea2caa11725
SHA512: 4a675d6ab7fd8fbc072396e839bbdb142d9cb567e36c2fb2d2fd9d7b99d2e8c64767ad81ba63c9ff9c29d66e4939fed159bf016b61844d8104b2a4788f08da3b
SSDEEP: 12288:qtOw6BaUUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8J:k6B7atr0zAiX90z/F0jsFB3SQkO
Malware Config

Signatures

Executes dropped EXE (22 IoCs)
pid | Process
3428 | alg.exe
1420 | DiagnosticsHub.StandardCollector.Service.exe
224 | fxssvc.exe
4836 | elevation_service.exe
1348 | elevation_service.exe
2372 | maintenanceservice.exe
4936 | msdtc.exe
4276 | OSE.EXE
3056 | PerceptionSimulationService.exe
5084 | perfhost.exe
3540 | locator.exe
844 | SensorDataService.exe
728 | snmptrap.exe
1696 | spectrum.exe
2716 | ssh-agent.exe
664 | TieringEngineService.exe
3228 | AgentService.exe
4592 | vds.exe
4368 | vssvc.exe
4348 | wbengine.exe
2200 | WmiApSrv.exe
2500 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\76cfd3dbe703f493.bin | alg.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004856434e29bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f886714d29bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba4fde4e29bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3e9544d29bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ba1355029bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5c54d4d29bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9da4f5029bcda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000e8384f29bcda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
Token: SeAuditPrivilege 224 fxssvc.exe
Token: SeRestorePrivilege 664 TieringEngineService.exe
Token: SeManageVolumePrivilege 664 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3228 AgentService.exe
Token: SeBackupPrivilege 4368 vssvc.exe
Token: SeRestorePrivilege 4368 vssvc.exe
Token: SeAuditPrivilege 4368 vssvc.exe
Token: SeBackupPrivilege 4348 wbengine.exe
Token: SeRestorePrivilege 4348 wbengine.exe
Token: SeSecurityPrivilege 4348 wbengine.exe
Token: 33 2500 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2500 SearchIndexer.exe
Token: SeDebugPrivilege 2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
Token: SeDebugPrivilege 2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
Token: SeDebugPrivilege 2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
Token: SeDebugPrivilege 2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
Token: SeDebugPrivilege 2912 2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
Token: SeDebugPrivilege 3428 alg.exe
Token: SeDebugPrivilege 3428 alg.exe
Token: SeDebugPrivilege 3428 alg.exe
-
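In the table above the submitted sample (PID 2912) enables SeTakeOwnershipPrivilege and then SeDebugPrivilege five times, and the alg.exe it dropped (PID 3428) enables SeDebugPrivilege three more times. SeTakeOwnershipPrivilege is what a process needs to seize ownership of a protected file such as a System32 binary before it can rewrite it, and SeDebugPrivilege lets it open any other process. The same table also shows SearchIndexer.exe enabling SeTakeOwnershipPrivilege two dozen times on its own, which is why any detection built on these two privileges needs an allow-list of known service images. On a Windows 10 host the privilege changes surface as Security log Event ID 4703 (Audit Token Right Adjusted). The script below is an added hunting example written for this page, not output or code from the sandbox or from the sample; it assumes the Detailed Tracking / Audit Token Right Adjusted subcategory is enabled and that the shell runs elevated, and its allow-list is an assumption to be tuned to the host.

```powershell
# Added hunting example (not from the sandbox report): find Security Event ID 4703
# records where a process outside a small allow-list enabled the two privileges the
# sample used in this report. Requires the "Audit Token Right Adjusted" subcategory
# to be enabled and an elevated shell to read the Security log.

# Privileges worth alerting on, taken from the report's AdjustPrivilegeToken table.
$Watch = @('SeTakeOwnershipPrivilege', 'SeDebugPrivilege')

# Images that enable these rights as part of normal operation. This list is an
# assumption for the example (the report itself shows SearchIndexer.exe doing so
# repeatedly); tune it against a clean host before trusting the output.
$AllowedImages = @(
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\SearchIndexer.exe',
    'C:\Windows\System32\lsass.exe',
    'C:\Windows\System32\services.exe'
)

function Get-SuspiciousTokenAdjustments {
    param([int]$Hours = 24)

    $since = (Get-Date).AddHours(-$Hours)
    # SilentlyContinue: Get-WinEvent reports "No events were found" as an error.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4703; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the XML instead of parsing the message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # EnabledPrivilegeList is a whitespace-separated list (or "-" when nothing was enabled).
            $enabled = ($data['EnabledPrivilegeList'] -split '\s+') | Where-Object { $_ }
            $hits    = @($enabled | Where-Object { $Watch -contains $_ })

            if ($hits.Count -gt 0 -and ($AllowedImages -notcontains $data['ProcessName'])) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    ProcessId  = [int]$data['ProcessId']   # logged as a hex string, e.g. 0xb60
                    Image      = $data['ProcessName']
                    Privileges = ($hits -join ',')
                    Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                }
            }
        }
}

Get-SuspiciousTokenAdjustments -Hours 24 | Format-Table -AutoSize
```

Event 4703 is one of the noisiest Security events, so start with a short window. The report's own rows suggest the tuning order: alert on the sample-style pattern (an image outside the allow-list enabling SeDebugPrivilege or SeTakeOwnershipPrivilege) and treat the backup, restore and security rights taken by vssvc.exe and wbengine.exe as expected for those images rather than adding them to $Watch.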
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2500 wrote to memory of 1824 2500 SearchIndexer.exe 107
PID 2500 wrote to memory of 1824 2500 SearchIndexer.exe 107
PID 2500 wrote to memory of 2788 2500 SearchIndexer.exe 108
PID 2500 wrote to memory of 2788 2500 SearchIndexer.exe 108
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_9116bbc10f16d5e63bceacc7b95f10b5_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2912
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 3428
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 1420
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 2636
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 224
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 4836
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 1348
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2372
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 4936
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 4276
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 3056
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 5084
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 3540
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 844
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 728
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1696
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 2716
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 2264
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 664
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3228
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 4592
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4368
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4348
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 2200
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2500
  C:\Windows\system32\SearchProtocolHost.exe (child of PID 2500)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 1824
  -
  C:\Windows\system32\SearchFilterHost.exe (child of PID 2500)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID: 2788
-
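Every system service in the tree above starts from its normal path yet carries the Executes dropped EXE tag, which in this report means the file at that path was written during the run before the service loaded it; the sample's own entry carries Drops file in System32 directory, Drops file in Program Files directory and Drops file in Windows directory. On a suspect host the first check is therefore whether the binaries at those paths are still signed by their vendor and whether any of them hashes to one of the files listed under Downloads. The script below is an added triage example written for this page, not code from the report or from the sample: the path list is copied from the process tree, and $KnownDropped holds only the first SHA256 from the Downloads section as a placeholder to be filled from the rest of that list.

```powershell
# Added triage check written for this page (not code from the sandbox report or the
# sample): verify that the service binaries the report tags "Executes dropped EXE"
# are still vendor-signed on a suspect host, and flag any whose SHA256 matches a
# file from the report's Downloads list. Run from an elevated shell.

# Image paths exactly as they appear in the process tree above.
$ServiceBinaries = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\System32\fxssvc.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\SysWow64\perfhost.exe',
    'C:\Windows\System32\locator.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\System32\spectrum.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\System32\TieringEngineService.exe',
    'C:\Windows\System32\AgentService.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\wbengine.exe',
    'C:\Windows\System32\wbem\WmiApSrv.exe',
    'C:\Windows\System32\SearchIndexer.exe',
    'C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe',
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe',
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe',
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE'
)

# SHA256 values from the Downloads section of the report. Only the first entry is
# filled in as a placeholder; paste the rest of the list to cover every dropped file.
$KnownDropped = @(
    '0a7eeffac518cbac8cb5d017f7f6dce75091ee0a8a68eec6f0cc774626f5bc5c'
)

function Test-ServiceBinary {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Verdict = 'MISSING'; Status = ''; Signer = ''; SHA256 = ''; Path = $Path }
    }

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Decision order: a hash match against the report is conclusive; otherwise a file
    # under C:\Windows must be Valid-signed by Microsoft, while the third-party service
    # binaries (Chrome, Edge, Mozilla, Office) only need a Valid signature.
    $verdict = 'ok'
    if ($KnownDropped -contains $sha256) {
        $verdict = 'MATCHES DROPPED FILE'
    } elseif ($sig.Status -ne 'Valid') {
        $verdict = 'UNSIGNED OR TAMPERED'
    } elseif ($Path -like 'C:\Windows\*' -and $signer -notmatch 'O=Microsoft Corporation') {
        $verdict = 'NOT MICROSOFT-SIGNED'
    }

    [pscustomobject]@{ Verdict = $verdict; Status = $sig.Status; Signer = $signer; SHA256 = $sha256; Path = $Path }
}

$results  = $ServiceBinaries | ForEach-Object { Test-ServiceBinary -Path $_ }
$flagged  = @($results | Where-Object { $_.Verdict -ne 'ok' })
$flagged | Format-Table Verdict, Status, Path -AutoSize
"{0} of {1} binaries need attention" -f $flagged.Count, $results.Count
```

System32 files on Windows 10 are mostly catalog-signed rather than carrying an embedded signature; Get-AuthenticodeSignature resolves catalogs on a healthy host, but if a known-clean reference machine reports NotSigned for one of these paths, compare hashes against that machine instead of trusting the signature verdict alone. A file that comes back MATCHES DROPPED FILE is the infected copy and the host should be treated as compromised rather than repaired in place.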
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 2a89a6b35a51875760730e28c84fbdca
SHA1 56db2f1216001677f2c27744505c79d336af3541
SHA256 0a7eeffac518cbac8cb5d017f7f6dce75091ee0a8a68eec6f0cc774626f5bc5c
SHA512 0cac8660686eba328dfa41d1a6be6e9c9371a3330059bb43449ccab51c6673898ec7807635292fe6495724b9dc37e685c3ce76acaffaa86338e2751628e5e95b
-
Filesize 797KB
MD5 eae540f2fc84e77d1f7f99a60893dff9
SHA1 1a2823af529c34396c43521b83f36b02325cf8ca
SHA256 1c38e4b96e83aa27401bf95dd52f828ae719904b49da50b2130c07ec65b6f17f
SHA512 97452a9ecdee82acc720f90a712e2591efa16082b822f2aa70feaffee0c8f9271fd9bac7d16d83efa7ef180f929b75cb9cb073fdac1186f3a6da2cd57ffeecdf
-
Filesize 1.1MB
MD5 1e3431a5c23817a9d52f0fbe27482408
SHA1 f94276c67bdf90625dbf115abb0c1919205c1bda
SHA256 3f1ca50e4f809d121e696068c042f63af52043685e8ac1b1b61f4ed0f2ad53b1
SHA512 bf665d9aa7315383dd9890d3aa700ef33e6931d5f3744acf3ed127a9953dcecf32a2ab3835e2d4aed99e29aedaeb5c0460457258e047b5982350963106895986
-
Filesize 1.5MB
MD5 35331d4e6e933698307700adebcb608a
SHA1 eadf3c37191189777f6d44a55eb8b98c61c2dfd3
SHA256 cf1f5f2dfcb584c89456ee31ae5fe3ba95504fd615ae1d0242c7d623bdf13844
SHA512 55621cf4b5e535d7a04a5e0260f34f8ad448a248075aaccb60c0b0bb96b42407c3ab47adbb7d2ebf305288c237a1336dc6719c31d7666969c62189bf11c66481
-
Filesize 1.2MB
MD5 246ea661e5f9210a31f2106af0535b0d
SHA1 0a76d5b5c97648c686f8e58827a9fd9c17e05cb2
SHA256 608bb6ec0931f0df9d27c16bd317ec1404e8bda0abe98aefa2dc80437e6f2d16
SHA512 5f247a6100250b8bad14b2ddc227a20830953e71504626aad573a6ea3653193fbdb0be8b8a4a3c8ed1e96e035851751793c855a45a8e781b3e7d01e50ab4640e
-
Filesize 582KB
MD5 3429eecadfd951e7d005d06cb6a97125
SHA1 ce4b6e5427bfb9e4e69ed27be63bee7ca5e6632c
SHA256 111f39bb9ed3d19b399ced031e74447c3695db1b211b12f7f2eac210234fd33e
SHA512 341d781d748c7136c63ac936af8ad9a66fc4c4905f7613785ff1cb512301d7a061ba64fdd8b32e2883a8f81c94fc401bc469b0976a0309fa1de7fe13a9c5f0f5
-
Filesize 840KB
MD5 9ab165454787f346118d20d25143fd46
SHA1 ce43738ad4522315a9debddc638363b5fe080025
SHA256 9de6329c2a8975ab477cb0f02dca778c25a3daec8646b6f48fe4b7d6c1ba1b0e
SHA512 b99cefa20b7701be8dc48cde89e11e1382417abe615ae21b05222664b79d41a557f5131566325017a89c7af0bb639c530f081011a0b81084908128e3de911b76
-
Filesize 4.6MB
MD5 bf8b8018bc5e45dca297a81599ded9be
SHA1 1d2672a75139613531e38e1d221cd5fa9c695dbe
SHA256 9c9e4a9cd9ad30397bea71821e731e5d54cf70f22f19eb06ab2ea75aabb18e55
SHA512 15afc6946f24b6e6c57f47e9609331745128603dea0f3dba3f32d0888f45effbed1c18fb2c5fd00dc34b6b62ea4613080347cc84a6218eb37c345b272d3ea18b
-
Filesize 910KB
MD5 3badb9b040a7f8badea863d4088266df
SHA1 4c6558882b4da570c6cd959a1578257cd6591cf5
SHA256 85d755a1db14d3768a84e36e1ab85fd62bfe2e9f18cf3050b624cdad2a3d9b01
SHA512 fedca4770c54d6fae1bdd4f4dd978f688ee8398cd74ec959ede0247ed22eb62d67149026e7fa1a81b400c480123f4265052e217c464cc1515264094eb971aab2
-
Filesize 24.0MB
MD5 c5ecbdf28f15b48be815b63c0847f74c
SHA1 d784f99ef07f081c7791b73c25b5fbda089f3265
SHA256 3be504f987767c4a7a6bc3971b56e7a9e742ab22fb8ac05c4bd73711c6672caf
SHA512 2dbaa9c2ffd18e2a672a6a1fdcf5d222e477d35b7e673fb4992231c14ec08f556214da8b1a857da1dfa14235707dad82f7250dae9e0aacbd0a7f66aedb0df929
-
Filesize 2.7MB
MD5 d2e1ac087b925011a876fe0cf96352dd
SHA1 bbab4c6ac32825b492aa7d25423448c2307c70c6
SHA256 bb7803f740edcce908264a30c7604b345dcc2c8872effe5b89f98447e45b4ee8
SHA512 6d2b8a5b54ce024fe77cf57605d35daf372f2827ec7c96587c1791f82a8cb85fa3ac87bf36e3c5703b4e8d2d0723055f2ad0e2fea493d284dcd63f8f1735ba8d
-
Filesize 1.1MB
MD5 5ba42c892d8ad343a9a1797a6ceba1b1
SHA1 4e333161c5cd2ec7b7d1f773e3e0dc06b374c1a6
SHA256 0070987a4caf0c33860c8571a73928a023299c27ba37e8cc5b25d305014094d7
SHA512 9fa6113a3df37e64400e9c047a5543a0580210e27f280f1fadabb7285ac07649a867fb1da4d2a2e4c348469698243706ad5f8d10c554423c76feba07a30a19ab
-
Filesize 805KB
MD5 09e8e46be87832e1cdb493883df1d19c
SHA1 574a9276488e44ca8f1ed8f07e98307ae6891e1f
SHA256 20d4fe9acbe2c717cdb971122b72f260c95c5ac33dc781c7e4851ed89dca8687
SHA512 a3f36f3da8b170d0fba7d5cb68acc9af984f7236a949f24be39d918ef31a22ef23db39c112c8c89f1f2e75f2f8a3f850b701c6b3ca84ffc784a92169bfa441a9
-
Filesize 656KB
MD5 180ae4180078766f993ec99b08a09624
SHA1 70e75923ee11ccf8c5d3b7af5403020962b9bfa5
SHA256 d6c1bb926771511fac61afef95b58126e74031e7dd587cd75f44b7ffe1ebb926
SHA512 bad58577ef04b464cec4075abf8e255ab8de56f8ac62bb526c8502760375e8a6f768daa24129eb36642ab3a1f0ca548c5281541301f784ba9805d4e8704acf7a
-
Filesize 5.4MB
MD5 9aa6fedcdccecc4644a305d674315572
SHA1 3fb3d2ad6c46c9842cbb276b528003b7303a47a0
SHA256 4e2731eedc80af8bf0f3cd8734955d1e65375637a792e80c7c67749905de32ab
SHA512 38c30b66636fa59fdcb3ecc447523469d300ea04cf2bb6897c2233be66349e34133ef15fbfd0dffd74f97ef6ed24a44d748ad031548de39b57f5cfafbd9d61ef
-
Filesize 5.4MB
MD5 9704d70d2e09a851fe8caa5c0820a0c3
SHA1 ebc7508bbe4e4bb8b6ebf657b7e5ede68c918ca1
SHA256 6ea5501bbf0108e68894ae5984982239c558cda2b9f44192aa3287afca896e9f
SHA512 78da05d2096f8cb9ded67ef91a0203e0354e96138562ce5b371681360fb2bbf7f8d02192ae06cb05e84976c83be2465fe4112f1faff37ed73a643df81ddf21f3
-
Filesize 2.0MB
MD5 de5e95d0269d159903548fa15a826afd
SHA1 101ebaded91c70270abfb54ff890afe8e68fa9ef
SHA256 c45ce6f0ef88dad20379ae5f6614b4aaf636676b0b775d35b614bcff9998df95
SHA512 2a7dda2e22df22c1d880753afef6ac870a1ab679d45de69616c7c75e827182d07b64a815b0fd6a566e264f48a47111ca67e60cb2190cbff8f896f806dd254542
-
Filesize 2.2MB
MD5 db64341a98846926a46504f229cd754d
SHA1 3c70dacad20393ef619f391058313de460187bbf
SHA256 e9f38eb42ede5263ad020ca3d1a64941c758ca03a49583cf0e5abf152ba23412
SHA512 d5e0b8d501f798b1e90ae4a45d3a3c84130f005c95080f541a819299733f092ce830516703e3b0232066f9fcd1f3806f92f91b479109afaa38286e687ac042c5
-
Filesize 1.8MB
MD5 ab547aee672cf0199a0d6dce2ba5c9eb
SHA1 af0a7f9cbe0ff0ea64f53d04b76cdc0ac49535f8
SHA256 a1a3bb77ecfd1efee92540d6357746820bafb432d9fc73dc3fe77a9b7b299ecf
SHA512 4599569eadeb9d24db311a7f391d24c7843e4ae9d34a42d978f0ef859ddc4040c41eae2762d336cb505708b55dacbc133b4564ef26277c12214f4c0d6dede618
-
Filesize 1.7MB
MD5 14b5a431119dd4253749cef3fd653352
SHA1 b507273710ce2209cfd94060fa24487b0f2ae30e
SHA256 0b912ed6d28b988d8f70b83876b596afd4e765c9a5e0b305aa1c1fce4742eaeb
SHA512 ecdb5f529e0f7d6ced0004154daa29107eff7082681da11d42c8fabbe16c0c595942bba815363ffa98890d304c625d4b662f4176a061895f615691fa71d82af0
-
Filesize 581KB
MD5 200e5895804b67e502025c8ee6d65c87
SHA1 0fb38d47c6af631f65b66024066b240d690b9b62
SHA256 49d73ab916104e4229c703792034db7ab7edf660672a98394711d884c9e4b113
SHA512 0a459c06f5e1e8042840eabfa84354fa8fddf8c43de08bb9b3a29414a70ee088b229314f0f7277fd605f9b2fb2d7ee7bcba513e37096a3e571d9b67c73ae7836
-
Filesize 581KB
MD5 841f361728d1bbe1e5887725a0e0432b
SHA1 e0c4bf9e4463d138bffff6e27e2113819285f1fd
SHA256 4e4ca843f4f2123de3538a844052f2983de535414740b4080bea9222ecf9413b
SHA512 1d0226a28168d9ee90888860e8443a38fe92f5324ffafba487b0a830bf42f15efec2d4feff5a2d5efb38174804f9a368631c9c587019d6d1c1311feb69e8ecef
-
Filesize 581KB
MD5 0a6e1921d15b2c6088ccd4d0ca95d4c7
SHA1 32617711415e07f39f8f0c37e935a2eff7748cb6
SHA256 e9f12da700bbbef61a0498d6b61191cea26d81b5c89f03c610592712396bb8ee
SHA512 826fefe043b2a7414915c7ecdc28789d0a70bd2ed4ced7977d64a6a51c91ee9e513926e88db98338862d42582353caffff1bfa67aeaaeaa40525f2a8fb5e7fa2
-
Filesize 601KB
MD5 f63d554a625bd19a2423edb7ec52961f
SHA1 4fb1fa5d192920c1c194267ea9a7ee2da2e723c0
SHA256 90aaf345f95cc7ba7d38c0079df248ff4ff40cd15470c656d6670892f2815667
SHA512 8c00ae2959f5e111eeb9b95ede06027ad0cd76b8fee044120c09e7fab5a6bf178c3da2a25586d5efc0aa19cfea4c994c5aae3cd83a44874d0cbe5cc83f901c8f
-
Filesize 581KB
MD5 98a16998c0f2cf6ca842c7a189f2cd9e
SHA1 35523178b10046ef2e360e89a8114a82bedaa4ee
SHA256 cbc3e9e4c72020aa0dd8f7f1651f4888092387b04f32c49825aa94e0b3daecd1
SHA512 3172031f98fba4a1b03fd4ff21c18e41026854db457a910a1ee7ea1e9b18fee253c47b6f940140932d0a4626e3fbe36e692447826aaffff267458cb45c6d30fa
-
Filesize 581KB
MD5 649ad264d86c8d78d80cb5970578eeb8
SHA1 2256ffc3154666dfd4da1af91eb0346653bed13b
SHA256 490ee97bc4968b08e51b8a4af49a3db95f94d80fa464e1ce7b7e496b83a8f661
SHA512 c45ca89dfa41ff596d8dc090a74d89ccaef3cb675ece37db6f62980216f60bdf9641475f76b063e15cb6f11f886f564dd68662eab2f66c2cbdf73a1daf9ff784
-
Filesize 581KB
MD5 863afde11b39550ead7acbbd7202c4bc
SHA1 183b5d111c1d9b3d7a15b7ca4d9e47d667db2c36
SHA256 05b4d54c2a01e4eeb0f7a42757ca81f1275bde532f3818a19ecaa538301d4956
SHA512 c442c62c6b94818b13d3258333f91da849d687aa33c8eadb72e62a1a0b26b7599827f012dc4dc0fff801eb2f0037f608b62d004daa6b41109a5453dbc9df83a1
-
Filesize 841KB
MD5 6f72b0c3cc54af193fa6034e926a954c
SHA1 38ed7196006e967cbcf0b135154d579bdf07ab9c
SHA256 555da8ac5765ad434a500ef71f1678583878a6a51a9d2c24ddb9701d3feb5587
SHA512 44734468f2727f7e252f091e63732850babd5ffd8acb6aee32579810bb89f6e4d01143566aaf64e6ebd1fede0e6d45b94914e1494bfc1eb5557231c4769ebdcd
-
Filesize 581KB
MD5 58de1661399f769d9d56dc193be2befa
SHA1 32eb18540cb3d6d00e2585edc6353ec90f05a62b
SHA256 e5281766cddafe564daa687a27bdf3b87da96dc1f2bfa3d5e2369ce476ff46e5
SHA512 893d6188f71c6febd10a5197145e22215508b19ffc57187f9f363c474b4106d0417b91036dde8113b776c6dbc024bbbe7ee5c36c07778acbc8366cbc1534a997
-
Filesize 581KB
MD5 8dc80488431c401dd0df5b057043e045
SHA1 ce71bbcc97495c94714d653991a4e07ffdc6188d
SHA256 6babeaab11db196beff0d5e3ae06bb527c0856ad82aa3dc54939a52499f29e5e
SHA512 4c05f8a3374c601b6245c0ad34bb8f3a089ec551f2de35e9f9a4ed2b29c2a75dc3f07b0fa8826f71df6e8e25028eb7579f9012722b4815c067a02eb7eb8e43b9
-
Filesize 717KB
MD5 1a464c01b94e8101f1b435597249b7be
SHA1 53d58d7ac2cceb6c039efdf8b7bec738b6cc5d1e
SHA256 ebb6e78e30073bcd4c47a8749fa0e261af62562f9d802c9ec097ddbd7f2d43ca
SHA512 2c49ee5344730c5023ef2b44fe3e6b36a803f9bdbec2b35c07b2c49a0995210f0dbcd7a3eeed59d7e53815c867efd7a6ea885fd62fbdb1177ce8eeff10158080
-
Filesize 581KB
MD5 7258250e448679ce3651152488aea02c
SHA1 030443720124b7e5a5f9cfa0efa14244929be90b
SHA256 450c45ea43b0ea5ff59bea73896265c9c96e9f75f5d46e548670218b8844d3ef
SHA512 66bf0593c317b08794d3ca94cb936c1940ce0cf17b6793462b916b7a0e089b9ee231ab1963ae21841541b27dd8709af3289d80384f81a201eec106aa109aac08
-
Filesize 581KB
MD5 21b70d92838ca38eeaaa5080236dea11
SHA1 f90e772581f1add28bfd93ed08ff9dde86b32d6d
SHA256 afbd2ab03ca35d13ad0dc8a6e2443e40d59ac4ec97529905f34e01482eda282c
SHA512 c0b360615f7a32c87bddc79e7c31b297d51eca8a39fe83f0f0fa6c24f670be5cd4f02b37bc64be53f833811021522a8fa38949aba3befeccaf2d81da97e46bc7
-
Filesize 717KB
MD5 8aa87053452d42c9bb3cbc9272c19273
SHA1 d300ac6e41c75c238ca491ecb14543ff9fdabb05
SHA256 9ae525777f2fcc7f9200789dc4528d6c3f2a1f26e59f5e04f1cb1424b19f915b
SHA512 e50d8ffc0d602cfd11d987208a8b7d68b
dd39188740639ac68cf7f1813031a45a329f0ad49db9817ba75fd2048b9edd536fbd398de53f98a312e8be0ed14903c
-
Filesize 841KB
MD5 0362a9b6bbc4303192f0bc8bfb77b2a3
SHA1 460945dc4c578088d00230d5271021bdc865b350
SHA256 a80af5ed0eefef910cc91fa49b26d5af12dc43eb914d0bac03fa1396707fc4be
SHA512 114fe181e45877cb4ef3683498373296c6a6b1065ce9b6eb7ff83b50899e199ab2044fac3aaf7e3d4175d3a26c76bcb9ebf1ff3d2efd2038fdf598370d8c1a78
-
Filesize 1020KB
MD5 265460e94b7470846acd1150bd8ab34a
SHA1 7216053bc313126eda0476c9cb22563e78d2d13e
SHA256 7dbb3d0c95698b6cca697a2aa47dc8566a1fc88dc2e59bb997a8794b133b261c
SHA512 113616056bb6a748f1afd67ad1f8c5a9df82bd846451030177a6274a902c9e9ab40a00508afc534eabcf76996e2eceea00e1509c3acbe43024fc7156a44e7eb5
-
Filesize 1.5MB
MD5 ce700324367c35dcb3a5582eb224ca8e
SHA1 0efde3383ede0553f9dffac7a476a7d2ff05b6dc
SHA256 c7e4115869e7d47b0f6aac64e3aedba386779a3be1bca9db529a0dee2b951958
SHA512 8846e3971fca97ca70bceed71e45e34c4f8b22be8115b514708c8ad6bca343a7aa604fec09e8f172df2f18377ba01ddb1bab6348828a17522a02fdf88cb9e522
-
Filesize 701KB
MD5 85f6f2b8afe25acdc985d221e85c1fef
SHA1 0f76a6b17975d59e34c9902bd83bc82ed6f98c6d
SHA256 3d3fd6c7f0159dc731f6e1673e94c20efdb8af68ad5ee642362cacb33d581357
SHA512 ee96cbe4333bb6d9168a880e39fecf60460ef57a18167b7e4e432a6403938185f6218208f183c8dc46328cdf542aa05d7584fd721185895691fa29afe9590eb8
-
Filesize 588KB
MD5 04a0ece090e5541eb99f3c2cb22d3724
SHA1 6493340c69d6a20326cd1c1fbdfbcd8d687f2ada
SHA256 63e4cf0c73117b5268158de024f1b8b41a2df6d2177f27770f8d65407cdcf478
SHA512 1b0afd3f978d36b86b3cccbe38a9084d299e85df2dfb8d34f0c9e4559b119e3812e7ab1ae470e8fa4c9e0ebc1d5a12000b7fca93ea21594497e4d1ab89118064
-
Filesize 1.7MB
MD5 595392c85bff2f22219bc1699cf7c100
SHA1 1e3b4db4c276da7099f2a8d8d368b30c512532c4
SHA256 933300c25dd3a70ed63365fffdd9f37870511a4fb2f22af70dcc8d2d422a4326
SHA512 cbbc0ffa8d1443e5a5d77ea80e47e7819d5f779a07c9bfe49264faf07b4da940c32890654a4db60ef59ed428e2061b8b08f4eb1b9f17708680968e72a2679186
-
Filesize 659KB
MD5 d920387f5a334d0cd21dfae07f736be0
SHA1 b7837f32b4af64071991eaa670461a7f03b32e67
SHA256 0497ab7642e4d038cc5a9a5bc489cecccf1fe56f855948d11baf04973a76231c
SHA512 a3ad4f48234bd99505f3d80ddd0b58c0c17441b8f82778dda5494475ff56063922791b18e899313724241633a5caf58d06daa53352a8799b5e352a199e8ea9ad
-
Filesize 1.2MB
MD5 da6804d02e52cb0182de0a37dfcab1cb
SHA1 e6ec2c28d4e9ee9bb5351912ad5522aa805c4b1d
SHA256 5a309b9b26e65aadfc52f995624274794a6f712c8800b14973b553790d724762
SHA512 3a850f254ddba1340bc50d8e32f9b42039aba9ca0f19115c4187f87a76b5ec9246bfa8b837afb79c37d1d35eef606ef5ef4c2ca5fc8ed633b5f2ca09b562c06e
-
Filesize 578KB
MD5 799232804cae284c68166fd74b6dfac3
SHA1 bfdae3e43998e5f624fd6327ff99ab484bed7cb3
SHA256 1dc2e90cfdebd30b9b86097301492e957fcd9c146f7a4d5df7f57ddc2c7f23c8
SHA512 b56139b5bd87c27225171483e949bb816e98bfe5361a4c08f184255709c93beceba5add1d1ddcf850b581216c9ad06ef97edb6bdba7d875910028af8e6aef7e8
-
Filesize 940KB
MD5 c324cc7815b937f9fed0f26565aafcf4
SHA1 f593871bffbaec74a5e4516e320c8e01c81fa8cc
SHA256 e9802d61b1dcca14470544f49d46a5bc067412ef2f5da556a5ee37d0dea0be50
SHA512 d499d92179afaecc464393757d6cd5383bbdd95c552f78a380a831dd0a3d960fb4d0459623ae5dccf63fd94e58feadf768948fd86c948ddc7feb19b44d8925ca
-
Filesize 671KB
MD5 6afc7eb4138be41dc360050668a3a8b5
SHA1 f89065fce70c6848041d7644738ebc7ebcb64759
SHA256 f93790c2ed525d94c2984bf6af87ecf23879c463d6d42303ae1118a96fd9f076
SHA512 19bc6c2d3d02517d3c9cc08ec72b8646c44330a230cee76822b258d5220369bd249e1518dd73f9672163fbf9bf0ecbaa8e4bd9ab5ab7cf2fa8eb393d31844620
-
Filesize 1.4MB
MD5 60ff85fb5ebe284ee590450bd2c110cb
SHA1 099ca71ed45661eaa569859daf11d5ad37f4a2ee
SHA256 9eb0223e315c4470dc0c4c6b6e54c9d2f72f8caae8257ab3708621437d628824
SHA512 8c21777e1ae5a5b2cb5949c376ddd8da4e894ab79f733ff02d3172943c9872ddac1f60d67260a4782b0e172cca912c2df9aa18e3d1d3dd7b27287bef5edb308c
-
Filesize 1.8MB
MD5 4de1a08e7a4c9cb85cf012a84587dc60
SHA1 aaceccee9f1309a619ad8a8cf235377624204b74
SHA256 1fda6672e11baccd5994d6302bee4891fd03fb5a8c0a2a141876153fb3220e9c
SHA512 2d0df7f4b7d68f77a7605d844670673fb970b17cbd5c48feaba825f119e2defb19241fbf88b79048be76899182bda9e9b423c71155dd569aa2c87aa4936ce3e1
-
Filesize 1.4MB
MD5 80cd11835ae2b57d07ce50f2ef26c7b3
SHA1 7e327c14b6e1eae8dcc4df0d3b25af367786c726
SHA256 b4d140344c9bb1aec3d5aa03e296e2904b5e1d4879a5835fafb89bb6a4d479e7
SHA512 7f24a8cff2ed26a2320f4c50a323db999803855d20c99e385f34fa83da2669263af9ccfde2ee7eb8a67b94e3ff395504970f5e80dd1ff0fb1af157c0b7df9d45
-
Filesize 885KB
MD5 691cd72b197e05f963ec2d62885fc024
SHA1 d78619e048d3f186b541a30d0bc782dcd9240ff8
SHA256 76af3dd6aa1e78d971cb84eea9c310e1d848d850144505757080c868948d6024
SHA512 9ece3d8cf9e69d07c97202f6951c8e62d9d01e655b6fd3438b725e09f4f450ca20c554d4c495d3c962be7bb7354071e8dcd9365345fc7b0352d6548c80df77b9
-
Filesize 2.0MB
MD5 c75c68229686adeb02f9047cf8661ade
SHA1 1c5385efcf3acc17d55998255f8574efffbf34f1
SHA256 74289d99fd3193f62a00e9c340f95204c089450445e6905a0143face80af151e
SHA512 1598ff33184bac6864912f6538668f9a70aa34447c4bd2ddf8b563b5d9454304e45bcb3f15cc54d22e1a45290d5dfff5bf992a6c0022a5deaf1b859627fc6ab0
-
Filesize 661KB
MD5 242e26910ad5855316e020e22981c294
SHA1 f57b20c399454a4ba8e447d07ee49ee2eeb98869
SHA256 1dd93418edd6279631a1dbac89f6ba7731c33b31137d2e5aab6eee2ce512cc2b
SHA512 152c0041ee6755e40dbd9012371c643c1956c8fea59f5f8cdc960f04f423eaef92c2722d636596d7c8852cf130c1191b7a647df091fae27cdbbc1cfe9fa0f7a8
-
Filesize 712KB
MD5 b74aafdf790eff7f991c7fd3bb02c1c7
SHA1 097ca8b772e4a75b4c53bb44b8e644f201bd657d
SHA256 fba5201842ba934131efd5cd716d30923d72e80d25281622ed75d71eb270ce16
SHA512 54f50a44484f80ef74ab1674cfc75d2dd509ee4d0f7ef54253cc9a28779a216795fb214376f67b7ad66a7a9d19f5a28ada2698385b9675ad54051545d4705f81
-
Filesize 584KB
MD5 77ef783a4d3d4c309b9c8c7b1f2ffa93
SHA1 74b8d4e9f340b2d8f56bf97464c1d42b612b82ca
SHA256 ab8a3c5b9b2bd4ee919e64e94c8dbffbdc9f7e78be4a95bf58cf15bc63663ba8
SHA512 fa920ac60d305012ca5569c091c1898b86a0cd3205476a37d792c69a306269aa52f05ce6af6c983bd68b1e59e319fbd4574ab8c5d61c65fa18608bf6b9eee338
-
Filesize 1.3MB
MD5 7e7d2ee9cb7b67f1551310acd1b6d707
SHA1 a48d0cbeef6c84e4c52745f82b897036e35728b1
SHA256 271e762bfc7a7db33b42f2508717ea7ece0a47455f68cae9544698e649ab3b5c
SHA512 2debfcc0697729f13bdc47f183338be399ceb9d6acb5713a4fad76f40eed0b2fc9cf85fe2a472e059e4eae9c59ba3d711db0b454a432fd955329b5fa013c4912
-
Filesize 772KB
MD5 c3d9ec535056837b32fd4988f9837e99
SHA1 e653786d498bfd48c0e98626b066e68c785d9e7e
SHA256 06b014adb34763c352154433a9e4661e2e883a3f944dc04cfa23101f9e73e465
SHA512 0dcafde8c2a0c46507b221d00805a919fc3c9b24131a1bf23062980c98ba4ff73be2e606bb7f740f32b34490c6a141ff2cd6125d0128c0a20c423ee65b0611b3
-
Filesize 2.1MB
MD5 f66325d2b1516c14fe08456fd64e5f20
SHA1 25045c754072c7166885d38e639a2f499b43284b
SHA256 98ca0a3a9d4832417736bb8ff1a948e4505de36eb6cf775cf8ae1681c2595979
SHA512 55ab418be3c5a807e7b80acaa699046868f579615b74a73071850746890bd6ce3c374751804b7bed85c97966fa573c105b165be5e9bf97c3cd085fed53664099
-
Filesize 1.3MB
MD5 97470d802f746469042abae126978301
SHA1 685b2979add0b3647df5ce7ab41e372b5437bcd3
SHA256 b9dadc272698bbb4f66e2fc7e744138f14034c1480316b7bca05fd5baada1ee3
SHA512 01cdf20b3dae561488ef7c90312455614268d762ac5c5ca1b018990fd4d7d76e5bd181576344bf9248504ae46a7e328d76fdf5e46304eb2b642fe7b3fc88b409
-
Filesize 877KB
MD5 ed7bc0f5bdb3c83b585b194a12c439e1
SHA1 50dcaa810678ff51aa0f4c603bfce16e45d6df08
SHA256 8a3bb14bc0917fc89f78c031b4ce2f52487e8ed85ca2d4a00a1da759a2cd37f2
SHA512 ab1c10706952647cc23f60e0d48ecdcb13c8a609c33b7275e4c7fce2eedeef564e915b6b4688fd1375f6fce2247ea7f25c1718ac71dc615aa410f0774c6fc654
-
Filesize 635KB
MD5 bc4e3bd0ae3cf5b9bfe3c8459dce5941
SHA1 c2d5c81fe944556e779fd7c34ea94bc49d6a46e8
SHA256 2776a026fe97f866792ae059c327afeb19c2e0335a71a02d44f522a6bb6a1622
SHA512 4471603b2d7f21fa34625174257c8b20fc5ace5e6496a3de15b6eca10b46caf6fe6feeb654dbc78d63ee53cde9242c0037c2f241048a9a70b83ad605d472a747