Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 13:45

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-12_410fec919becb7842cbd7daf40aeee0c_bkransomware.exe
Resource: win7-20240508-en

General
- Target: 2024-06-12_410fec919becb7842cbd7daf40aeee0c_bkransomware.exe
- Size: 1.8MB
- MD5: 410fec919becb7842cbd7daf40aeee0c
- SHA1: e98540db6dd523a9fe10b45912f7b4381d0f2edc
- SHA256: 9d085ced726fe07d7266e2d3c3300d2397c8325f4756d830f76848550b832a9c
- SHA512: bbc90d1609965c4a39214f6f6ac2f656de0ed801154e13994c3ecbfa2f112417734b194c71ad92912340726f1bc504775dabf3c0c54d0022aa3f44b657142293
- SSDEEP: 49152:uE19+ApwXk1QE1RzsEQPaxHNU/snji6attJM:T93wXmoK8EnW6at
Malware Config

Signatures

- Executes dropped EXE (22 IoCs)
  Processes (pid, image):
    4324 alg.exe
    4572 DiagnosticsHub.StandardCollector.Service.exe
    5064 fxssvc.exe
    1556 elevation_service.exe
    4164 elevation_service.exe
    3600 maintenanceservice.exe
    3624 msdtc.exe
    4744 OSE.EXE
    4668 PerceptionSimulationService.exe
    4256 perfhost.exe
    3444 locator.exe
    2156 SensorDataService.exe
    3388 snmptrap.exe
    3812 spectrum.exe
    1040 ssh-agent.exe
    1112 TieringEngineService.exe
    4728 AgentService.exe
    3632 vds.exe
    3180 vssvc.exe
    1424 wbengine.exe
    2316 WmiApSrv.exe
    3184 SearchIndexer.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (31 IoCs)
  Processes: 2024-06-12_410fec919becb7842cbd7daf40aeee0c_bkransomware.exe, alg.exe, msdtc.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: 2024-06-12_410fec919becb7842cbd7daf40aeee0c_bkransomware.exe, alg.exe
- Drops file in Windows directory (3 IoCs)
  Processes: 2024-06-12_410fec919becb7842cbd7daf40aeee0c_bkransomware.exe, msdtc.exe, alg.exe
  IoCs (description, ioc, process):
    File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (2024-06-12_410fec919becb7842cbd7daf40aeee0c_bkransomware.exe)
    File opened for modification C:\Windows\DtcInstall.log (msdtc.exe)
    File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (alg.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: SensorDataService.exe, spectrum.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: TieringEngineService.exe
  IoCs (description, ioc, process):
    Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: SearchFilterHost.exe, SearchProtocolHost.exe, fxssvc.exe
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
pid Process
372 2024-06-12_410fec919becb7842cbd7daf40aeee0c_bkransomware.exe (35 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
656 (listed twice; no process name given)
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 372 2024-06-12_410fec919becb7842cbd7daf40aeee0c_bkransomware.exe
Token: SeAuditPrivilege 5064 fxssvc.exe
Token: SeRestorePrivilege 1112 TieringEngineService.exe
Token: SeManageVolumePrivilege 1112 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4728 AgentService.exe
Token: SeBackupPrivilege 3180 vssvc.exe
Token: SeRestorePrivilege 3180 vssvc.exe
Token: SeAuditPrivilege 3180 vssvc.exe
Token: SeBackupPrivilege 1424 wbengine.exe
Token: SeRestorePrivilege 1424 wbengine.exe
Token: SeSecurityPrivilege 1424 wbengine.exe
Token: 33 3184 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3184 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3184 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 372 2024-06-12_410fec919becb7842cbd7daf40aeee0c_bkransomware.exe (5 entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid Process procid_target
PID 3184 wrote to memory of 5356 3184 SearchIndexer.exe 120
PID 3184 wrote to memory of 5356 3184 SearchIndexer.exe 120
PID 3184 wrote to memory of 5380 3184 SearchIndexer.exe 121
PID 3184 wrote to memory of 5380 3184 SearchIndexer.exe 121
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Each entry lists the image path, the command line and the process-tree level (1 = top level, 2 = child of the preceding level-1 process).

C:\Users\Admin\AppData\Local\Temp\2024-06-12_410fec919becb7842cbd7daf40aeee0c_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-12_410fec919becb7842cbd7daf40aeee0c_bkransomware.exe" (level 1)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe (level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4324
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
- Executes dropped EXE
PID:4572
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (level 1)
PID:4704
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe (level 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5064
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" (level 1)
- Executes dropped EXE
PID:1556
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe" (level 1)
- Executes dropped EXE
PID:4164
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (level 1)
- Executes dropped EXE
PID:3600
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe (level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3624
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (level 1)
- Executes dropped EXE
PID:4744
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
- Executes dropped EXE
PID:4668
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe (level 1)
- Executes dropped EXE
PID:4256
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe (level 1)
- Executes dropped EXE
PID:3444
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe (level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2156
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe (level 1)
- Executes dropped EXE
PID:3388
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe (level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3812
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
- Executes dropped EXE
PID:1040
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (level 1)
PID:1044
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe (level 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1112
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe (level 1)
- Executes dropped EXE
PID:3632
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe" (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1424
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
- Executes dropped EXE
PID:2316
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184
  -
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (level 2)
  - Modifies data under HKEY_USERS
  PID:5356
  -
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 (level 2)
  - Modifies data under HKEY_USERS
  PID:5380
  -
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8 (level 1)
PID:5192
Network
MITRE ATT&CK Enterprise v15
Downloads