Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-06-2024 18:03
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-12_ec76a3c1872882a5ceaef4d73468c028_bkransomware.exe
Resource: win7-20240419-en

General
Target: 2024-06-12_ec76a3c1872882a5ceaef4d73468c028_bkransomware.exe
Size: 1.3MB
MD5: ec76a3c1872882a5ceaef4d73468c028
SHA1: eabd10a9af039e394637d89f52f91a388d73484c
SHA256: e478e1c6034c5f6f2a2078d496b02859ef975af9bd63dc59c7aebda2912cc516
SHA512: e37bc18d812803376024eb00fe0db8c56dec7c7a6f689914703243351f6dc97650fa91d63d4ee5a6e47b8c166fc00bd896fa73dbdf9b2736f3462b1b1fa57b0f
SSDEEP: 12288:YtOw6BakYlc+pFByStv9JRa//inz86NRo1qiRlUWC4kXzVC3:m6BAc+pFB5z+//ufNRoZW
Malware Config
Signatures
- Executes dropped EXE (22 IoCs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (31 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (3 IoCs)
  Processes: 2024-06-12_ec76a3c1872882a5ceaef4d73468c028_bkransomware.exe, msdtc.exe, alg.exe
  File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (2024-06-12_ec76a3c1872882a5ceaef4d73468c028_bkransomware.exe)
  File opened for modification C:\Windows\DtcInstall.log (msdtc.exe)
  File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (alg.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: TieringEngineService.exe
  Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
- Modifies data under HKEY_USERS (64 IoCs)
Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
pid Process
720 2024-06-12_ec76a3c1872882a5ceaef4d73468c028_bkransomware.exe (35 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process 660 660 -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 720 2024-06-12_ec76a3c1872882a5ceaef4d73468c028_bkransomware.exe
Token: SeAuditPrivilege 3492 fxssvc.exe
Token: SeRestorePrivilege 2520 TieringEngineService.exe
Token: SeManageVolumePrivilege 2520 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4648 AgentService.exe
Token: SeBackupPrivilege 2412 vssvc.exe
Token: SeRestorePrivilege 2412 vssvc.exe
Token: SeAuditPrivilege 2412 vssvc.exe
Token: SeBackupPrivilege 2024 wbengine.exe
Token: SeRestorePrivilege 2024 wbengine.exe
Token: SeSecurityPrivilege 2024 wbengine.exe
Token: 33 3792 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3792 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3792 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 720 2024-06-12_ec76a3c1872882a5ceaef4d73468c028_bkransomware.exe (5 entries)
Token: SeDebugPrivilege 4928 alg.exe (3 entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid Process procid_target
PID 3792 wrote to memory of 528 3792 SearchIndexer.exe 111
PID 3792 wrote to memory of 528 3792 SearchIndexer.exe 111
PID 3792 wrote to memory of 3040 3792 SearchIndexer.exe 112
PID 3792 wrote to memory of 3040 3792 SearchIndexer.exe 112
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-12_ec76a3c1872882a5ceaef4d73468c028_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ec76a3c1872882a5ceaef4d73468c028_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:720
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4928
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4632
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1192
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3492
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:4488
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3012
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3132
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2876
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1900
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3080
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3732
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2232
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2832
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3860
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4224
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2064
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2348
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4076
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:4880
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:528
  -
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:3040
-
Network
MITRE ATT&CK Enterprise v15
Downloads