Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/06/2024, 09:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
- Resource: win7-20240221-en
General
- Target: 2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
- Size: 1.6MB
- MD5: 282db536884d36d8bc79142566a1998f
- SHA1: 5a49a43631bd1c4bdd44958548de8761499a2081
- SHA256: 60e29aa74aba1507c25fa2ebbc8d5d7b9588f9d7cf5976809c6485e524a515ef
- SHA512: 1ef25d6278d863cdccc2e708de6acfb09e3431e759a8c7416b4e66ab7ee1a9a4162330e9b97b44089c919ff271d1b41deff90da4913e7f2e2c35ba5de730effe
- SSDEEP: 12288:x85bM3nExYfj63hgD1Zi7MTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:V3nEi63iXSkQ/7Gb8NLEbeZ
Malware Config
Signatures
- Executes dropped EXE (22 IoCs)
- Reads user/profile data of web browsers (2 TTPs): Infostealers often target stored browser data, which can include saved credentials, etc.
- Drops file in System32 directory (28 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (2 IoCs):
  - File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (process: elevation_service.exe)
  - File opened for modification: C:\Windows\DtcInstall.log (process: msdtc.exe)
- Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs): SCSI information is often read in order to detect sandboxing environments.
- Checks processor information in registry (2 TTPs, 2 IoCs): Processor information is often read in order to detect sandboxing environments.
  - Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: TieringEngineService.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: TieringEngineService.exe)
- Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process
2556 DiagnosticsHub.StandardCollector.Service.exe (6 events)
3536 elevation_service.exe (7 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found (2 events)
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3084 2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
Token: SeDebugPrivilege 2556 DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege 3536 elevation_service.exe
Token: SeAuditPrivilege 1584 fxssvc.exe
Token: SeRestorePrivilege 4064 TieringEngineService.exe
Token: SeManageVolumePrivilege 4064 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4292 AgentService.exe
Token: SeBackupPrivilege 3640 vssvc.exe
Token: SeRestorePrivilege 3640 vssvc.exe
Token: SeAuditPrivilege 3640 vssvc.exe
Token: SeBackupPrivilege 5092 wbengine.exe
Token: SeRestorePrivilege 5092 wbengine.exe
Token: SeSecurityPrivilege 5092 wbengine.exe
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) 3332 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3332 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3332 SearchIndexer.exe (24 events)
Token: SeDebugPrivilege 3536 elevation_service.exe
-
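Worked example, added here and not part of the sandbox report or the sample: a small Python parser for the flattened AdjustPrivilegeToken table above that groups enabled privileges by process and flags the ones that allow a process to overwrite protected files or reach into other processes. SeTakeOwnershipPrivilege is the one that matters most in this run: it lets a process take ownership of TrustedInstaller-owned binaries under System32 before writing to them, and the sample (PID 3084) enables it before it drops files there. The RISKY_PRIVILEGES descriptions are my own annotations, and SAMPLE is constructed from a subset of the report's rows.

```python
import re
from collections import defaultdict

# Privileges that let a process overwrite protected files or reach into other processes.
# The descriptions are my own annotations (assumption), not text from the report.
RISKY_PRIVILEGES = {
    "SeTakeOwnershipPrivilege": "take ownership of any object, e.g. TrustedInstaller-owned System32 binaries",
    "SeRestorePrivilege": "write to files regardless of their ACL",
    "SeBackupPrivilege": "read files regardless of their ACL",
    "SeDebugPrivilege": "open any process for injection or memory access",
}

# One flattened event: "Token: <privilege> <pid> <process>", repeated up to a trailing "-".
EVENT_RE = re.compile(
    r"Token:\s+(?P<priv>\S+)\s+(?P<pid>\d+)\s+(?P<proc>.+?)(?=\s+Token:|\s*-?\s*$)"
)

# Constructed input: a subset of the rows from the report's AdjustPrivilegeToken table,
# in the run-together form the page shows.
SAMPLE = (
    "description pid Process "
    "Token: SeTakeOwnershipPrivilege 3084 2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe "
    "Token: SeDebugPrivilege 2556 DiagnosticsHub.StandardCollector.Service.exe "
    "Token: SeTakeOwnershipPrivilege 3536 elevation_service.exe "
    "Token: SeAuditPrivilege 1584 fxssvc.exe "
    "Token: SeBackupPrivilege 3640 vssvc.exe "
    "Token: SeRestorePrivilege 3640 vssvc.exe "
    "Token: SeAuditPrivilege 3640 vssvc.exe "
    "Token: 33 3332 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 3332 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 3332 SearchIndexer.exe "
    "Token: SeDebugPrivilege 3536 elevation_service.exe -"
)


def parse_privilege_events(flat):
    """Return (privilege, pid, process) tuples in report order."""
    return [(m["priv"], int(m["pid"]), m["proc"].strip()) for m in EVENT_RE.finditer(flat)]


def summarize(events):
    """(pid, process) -> {privilege: number of times it was adjusted}."""
    per_proc = defaultdict(lambda: defaultdict(int))
    for priv, pid, proc in events:
        per_proc[(pid, proc)][priv] += 1
    return per_proc


def flag_risky(events):
    """Processes that enabled at least one privilege from RISKY_PRIVILEGES, sorted by pid."""
    findings = []
    for (pid, proc), privs in summarize(events).items():
        hits = sorted(p for p in privs if p in RISKY_PRIVILEGES)
        if hits:
            findings.append({"pid": pid, "process": proc, "privileges": hits,
                             "events": sum(privs.values())})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in flag_risky(parse_privilege_events(SAMPLE)):
        why = "; ".join(RISKY_PRIVILEGES[p] for p in f["privileges"])
        print(f'{f["pid"]:>5} {f["process"]}: {", ".join(f["privileges"])} ({why})')
```

Run against the full table, the same logic separates the sample and the replaced service binaries (take-ownership, debug, backup/restore) from processes such as fxssvc.exe, which only adjusts SeAuditPrivilege as the real fax service would.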
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process
3084 2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe (3 events)
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3332 wrote to memory of 1252 3332 SearchIndexer.exe 113 (2 events)
PID 3332 wrote to memory of 4612 3332 SearchIndexer.exe 114 (2 events)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. Ransomware commonly uses this COM API to enumerate and delete shadow copies so that encrypted files cannot be rolled back; the signature records only that the interface was used, not which methods were called. Note that vssvc.exe (PID 3640), the service that handles those calls, is itself listed below as a dropped executable launched during this run.
Processes
-
Each entry gives the image path, the command line and the behaviour tags recorded for that process; indented entries are child processes. The "Executes dropped EXE" tag marks a process whose image on disk was written during this run, so for the System32, SysWOW64 and Program Files paths below it indicates that the legitimate service binary was overwritten before being launched.
-
C:\Users\Admin\AppData\Local\Temp\2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 3084
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 4832
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2556
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3536
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 4512
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID: 2116
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 3392
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 3616
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1584
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 2540
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 4896
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 4864
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 4080
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2936
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2368
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2568
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 4648
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 1668
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 4064
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4292
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 1216
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3640
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5092
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 1172
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3332
  Child: C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 1252
  Child: C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  - Modifies data under HKEY_USERS
  PID: 4612
-
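Worked example, added here and not code from the report or the sample: a Python parser for the process tree in the raw extracted form this page was captured in (image path, command line and depth marker run together on one line, followed by tag lines and a PID line), plus the correlation a responder actually wants from it. A process tagged "Executes dropped EXE" whose image lives under System32, SysWOW64 or Program Files is a binary that existed before the run and was overwritten during it; those paths are what to hash and signature-check on a real host. PROTECTED_DIRS is my own list, and SAMPLE_TREE is constructed from a handful of the entries above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One raw process line: <image><command line><depth>⤵[PID:<n>].
# The image path runs up to the first ".exe"; the depth is the single digit before "⤵".
PROC_RE = re.compile(
    r"^(?P<image>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$", re.IGNORECASE
)

# Directories where only installer-written, signed binaries should live (assumption: my own list).
PROTECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# Constructed input: a subset of the process-tree entries, copied in the raw extracted form.
SAMPLE_TREE = r'''
C:\Users\Admin\AppData\Local\Temp\2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3084
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:4832
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3392
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3616
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 7842⤵
- Modifies data under HKEY_USERS
PID:4612
'''


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    tags: List[str] = field(default_factory=list)


def parse_process_tree(text: str) -> List[Proc]:
    """Turn the raw process-tree text into Proc records; tag and PID lines attach to the last process."""
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append(Proc(m["image"], m["cmd"].strip(), int(m["depth"]),
                              int(m["pid"]) if m["pid"] else None))
        elif procs and line.startswith("- "):
            procs[-1].tags.append(line[2:])
        elif procs and line.startswith("PID:"):
            procs[-1].pid = int(line[4:].split()[0])  # tolerates "PID:3332 -"
    return procs


def _normalize(path: str) -> str:
    p = path.strip('"')
    if p.startswith("\\??\\"):  # NT object-manager prefix, as on the OSE.EXE entry
        p = p[4:]
    return p.lower()


def in_protected_dir(image: str) -> bool:
    return _normalize(image).startswith(PROTECTED_DIRS)


def replaced_service_binaries(procs: List[Proc]) -> List[Proc]:
    """Dropped EXEs running from protected paths: the file that was there before the run was overwritten."""
    return [p for p in procs if "Executes dropped EXE" in p.tags and in_protected_dir(p.image)]


def writers(procs: List[Proc]) -> List[Proc]:
    """Processes the sandbox saw writing into System32, Program Files or Windows."""
    return [p for p in procs if any(t.startswith("Drops file in") for t in p.tags)]


if __name__ == "__main__":
    tree = parse_process_tree(SAMPLE_TREE)
    for p in writers(tree):
        print(f"writer   pid={p.pid} {p.image}")
    for p in replaced_service_binaries(tree):
        print(f"replaced pid={p.pid} depth={p.depth} {p.image}")
```

The paths returned by replaced_service_binaries are the ones to compare against the Downloads hashes below and to run through an Authenticode check on any host that executed this sample; a dropped alg.exe or vssvc.exe will not carry a valid Microsoft signature.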
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 67250eed236c05d6ed7d95f27a59ac00
SHA1 e17beab2bb277b7beed990312729799d7af26162
SHA256 fc240ee535dadeb08b98d74a4eb2b303d5629064c20c932eb7baab4fb3729405
SHA512 4b72d6a51e40e23d38c0ba580cf2f37c7744e632180a7efebf1d6fcc5a542271e4c60300e16cbd976b59de1bfc4804ca7302eaea9775307755db641e99374471
-
Filesize 1.4MB
MD5 8638893edf64be3681d15c40899f1a9c
SHA1 0b0fa2c10510f6f94db60a7827b233002e00c7c0
SHA256 5ed6da66eed9621544cd23b6fc30f17c94fab39893036a29cc8301cf5bc81ff3
SHA512 c87abd6ab80fbcbeb6e00602407e255d07d12d131487858b6d5e436fb21c4ac69ab31a747baeb3d37d0657ea2067c289197039546de9933698f3435d2f86b80f
-
Filesize 1.7MB
MD5 4accf2462f07eb4ec70cf924afe8d9a8
SHA1 9f0e6eba3db7685113327057d84af4a219f5d8c1
SHA256 44e9479a393bb268d526edfcf774838ee24b276d349ff2d01efa447a6588c76d
SHA512 eda34b75c1f3beff373e915e8c61852dd473da098f35953d853ec23cc2d81a0605ac250ce0c25d833b8f523c5bdf1ffcc550e0cf3996575bc1877b7b6d462945
-
Filesize 1.5MB
MD5 638e396d64bc51465144f9649f1a59d7
SHA1 a79e4ade72203a130d376e394cb97ec377af9601
SHA256 672c427033d9ff315ceaf5c72ac22376b2aec6c14a83e7adc371cad62c56b4c4
SHA512 744810c31b083c7a79ab5e2533b4806110ce098f913774e121dd2ed4edf9fa652e4bb8e13b5b0ee5f28b732427a999065c4c4e733b8d505beca4ccfb9449227d
-
Filesize 1.2MB
MD5 aa2162f5827498413470761c98e29972
SHA1 1baa877a8d2bd74ecbe64fe92c4b93c6c2db0625
SHA256 3af98cc2b3daa04f2672daa132522007745dabd7d5d90db9e7338153f7525a78
SHA512 3ea0f9674860dc9ed7968bac4dd6d9cddaae176fa523a05a7505fe6544f91d778525251bd6b1009860506bdeb440d62fcbc2c1ab923ac9838b5e6551305b8d7a
-
Filesize 1.2MB
MD5 18bdd33cd41b00b809d1ae7e4018c7b7
SHA1 dab0a9007461098e0d95998b482fbdfc0928c4ec
SHA256 dc5ee50d149478d356272c50f0b6b28f2579014619b41790a7254a79d57384bb
SHA512 5a9aadd33c16347ae0415a808189cfc61844ccabd01c0da141697cd286d2dae06a8aaf677d83b04cd5141f4b96d9c99350c2a4f2c8d67c72e9e05734707de9fc
-
Filesize 1.4MB
MD5 a3a14aa50d99dad5d16b7e7173e460d7
SHA1 995ea520016d085f79afe109befc5a5674bf92ce
SHA256 65be7718f196ace89b9b984524cbe50368724fc076d82f5c6705d52d3a9e33d6
SHA512 829e066d0f74b9666e40ea2705169505476777e588da4d8b516387a9d4dcb8a4622f75ef2ced96fbc2f5105506c0b7e93cb0291aecd009eb5d985861273aa641
-
Filesize 4.6MB
MD5 9a51409ac79d856ca0f9a573bc0e5a8e
SHA1 dd8ff216c4f827cfb0c9ab3318938fac1a18ab04
SHA256 5bc9f0e6f4c4c5d162a3d83bc4ef9c02483b13e381b69d55b1658cdde22198e0
SHA512 5c623b3d897a27df6d06c1c6773bdfa68ece82c54a1535fca27d586984219df44c6261378e02633c17157a0b64ee120198f84c996a80847c3d36f03efd5cf8f9
-
Filesize 1.5MB
MD5 835cadd2ebc49924c39d97f87da69c2b
SHA1 5a74315be4f067abedba3d78a66c36de13286ba0
SHA256 fa9ca9083d982bdf1407cf2f83093aa30853d79c9f2320ed6b52a78abad7e9f3
SHA512 f09802d3c467166e4844c0e5e9b076f293d7ecf6c3be9660e009a250a4ab6561b963e3a155f347a4b67e01ce5560cdcaba07b0a33fab82d7aacf4a19e75f3b29
-
Filesize 24.0MB
MD5 8038c4af7d4cd5beebd1cd73208c0047
SHA1 c6449c2cd9c165d7e360c428bc8b4adb19edc7b3
SHA256 def086b635c4c71bd0252880ce1287b712c6bd3025bac73b7a23ab25295574b0
SHA512 d40c8fba172c303efe78e6922cfe194a2859bd1815fa92c840a3f9014eff8cf20ab7fb70b6743704b9b6b78edc0035b68e24356330e7669b3dbf09438c86ce80
-
Filesize 2.7MB
MD5 d185b8133d97fde79e68000a0469a6d1
SHA1 89de183c6fd3bd0416aaae5b48516b61b237265a
SHA256 1c65a4bd7d17bd503806a48d9aa48824885f69026ecddfe9f0c209e38813e1d6
SHA512 26fd72120fea9de1af1047fb2c86f5bf932ee518bbb91ed1d56af2f6818af017380c031efc0b47e7adb1c82b86cc62b86fc44c8bf9cde5462b0964173b443de5
-
Filesize 1.1MB
MD5 b5d9f227bad0ae329dd9400115b288eb
SHA1 6bb75dfdba07ed631527dc3b3bd12932a92670e0
SHA256 f9d875fe6e0eeac8c70022d1b36ef06be2573de252c7b1f693bf361a0d943a91
SHA512 f30274e4c97ec76cfa507d5d8900bac40c54ff8f131b60459934526390d5848ea238b76ec0769aa147da4961e0283b1b0a321bc5677530a47279e43fe8ca2ae6
-
Filesize 1.4MB
MD5 9f6da93595c23f584d41c22c0926a28b
SHA1 bb5eb41c08fe9c88e6b3fd7e3026a2666ee0aece
SHA256 f1389b4338720170bcbe791df52ad4a195197d1b1dac4aae7157e841a0ae1c53
SHA512 7f0a1a5bd2c84a16a6c7b0aef2a36793999a96a80aa8ff547d80da9dbf101cabce2d3f519619113b63aebc4d037bf43db005514e741e6c3d4f9ca1b7e014e1c0
-
Filesize 1.2MB
MD5 7abf42dd38aaaf61e4ba3eca0a33294c
SHA1 53de2ca89c8feca1af430ed23689f1585a28d878
SHA256 324b82bf1f9f999f0d1cf4b41d364e60359ce4f0662f9a9f269619e2883ff3c5
SHA512 beec7970cc4d5f11d07f7b0bd6fcc8e894227578f9b38472f7442912aecf3e606843b146cbefc116dc174df008f5fb786999ae301790070a8c4cbc625bd0bfee
-
Filesize 5.4MB
MD5 ce229269130416151b92ad9fd7fe1794
SHA1 a6d4cf97a3235d2d3aa8ab667a848a0caf0e5722
SHA256 742babb33fa5c8ae68c74d824894873af64adb7182ecff86a3da4adbedf1d427
SHA512 28877bdeabc657438ca2f73ce2fda0b5cf659967abcdb76d3f741f6325cbbdc270cc017ad058a6578925280af70b12da91939046d40841c6d948ab6f2eeb6a20
-
Filesize 5.4MB
MD5 2e6e24af28b0d07f1ebb5b117c4670cf
SHA1 3c97b208695f89c83cbdf7e7cbe7238d9a14d5bd
SHA256 8a7097bee448b70aa029462f5820cb9917e541a21789f3d172386ddfcad8a9b1
SHA512 fbe346f791a63d769e93014705207a69dedd25cef8267ab55abccf1e25225f36a2319a9604eb3e6b93a2269fbef186d608c6dd5259a54113f4fb5b07d9b1a79c
-
Filesize 2.0MB
MD5 8150c086a7dd06cb5ebb8153e834c44a
SHA1 ecbeda501cec718cc7fff606d0d3a13b71fc8f79
SHA256 c6d6a3fbea1aa2e5f17b360dae8d0b44f222c0731147edc0c830d3aa92f3c341
SHA512 c7cba9fcd8cc27c5815f02115b0eb3190d755b1539c8472d11229e64235112d2f83460fd6bb8e20ef2cb476b936d136ce696689f882d8b93f0c16f9fa82a052e
-
Filesize 2.2MB
MD5 69401cdc01604de83627ffc14df973ee
SHA1 0c06704058131856e16861597505a08bb82082ab
SHA256 8e4f46ecfcc8d1037e1f04319b259edbd22b10e7b620cffcd6dc26295a3e2ab6
SHA512 44958a373d034cf6e3dd780476fae9a0539db23cb370c67019771292caf8c81e2af9a8dc866f1f54c755c9b2de56a3b5371ddac57e9bb06448b682ab31ed22e0
-
Filesize 1.8MB
MD5 3f7b7ca74ec7a95412fe0eb73059ecdd
SHA1 93adcaadf5900447061f7764bdf467d151e0ae63
SHA256 f27a1c573a1430be303b02cc95b75a20a9b30b483382d65e13d98ce0340402e1
SHA512 168d6a52739cf35b26e2d8c93dd7dd6b654c21ab8b3b024d2f0a24bf61c34688264ef1a5353fdaba7cab30856dff8d0fbf67efb5814fd2dcd33ad76a1c10ede4
-
Filesize 1.7MB
MD5 6d00fc23d05d298061b657d0d104a900
SHA1 650ffb8e6b2bbd6ee03079efe5d02e928a76dd51
SHA256 91c846cfb4a35a8c4926600921476ef2e2c4da7c180644440db00d507350f873
SHA512 760fde5f497aaf24caf5933db9c2bbf59cb741e7c005c82f7ffc42575650b5e9713f2278f0a767f599bff4d3e0f3f6c34a3fe4b85136f929e75dd9625bf5cd94
-
Filesize 1.2MB
MD5 0e698e4a905ec24fc58dfe4c634fbb45
SHA1 666522cdf22db73ddf53621346d3d9db74c43086
SHA256 b23dbb39d8a52fa1f13110c893ec68c906ceea871aa904ad7fb79dc2eaff15ef
SHA512 a4cb2399b8fa53495fa590261d0811dcf3569415dce604c291b0a1857fcd800a6252f187260c3c4c21560d22f8bae35a39d82d3608b7aa70236ecc6495372231
-
Filesize 1.2MB
MD5 dac2ba24ac3ce023d77b095115db6e57
SHA1 c7a7e90518e9bfeb76834f2ddf38a960752ba65a
SHA256 0d097e7bd47293a921c21c5b491ae1b75364f5d56dd67700a0db6aaa7c4e4c22
SHA512 037352477e826610c329e15fbf13ffbb94233b91adf20751c44a94f39ccb8c7878e1d35d06a7867798329becaa5f5aabc531742676b25a36ccf5eb278acdc3d6
-
Filesize 1.2MB
MD5 bd53f195f27a0fff43603776057d23d9
SHA1 87c8061e4b5e22247df5bc9e668ebd29ec8f129e
SHA256 52453ea1b8a431e9163bb42c87cd84b7592ae923fdc81d7ed72ad49f0b802f84
SHA512 5f2d6f8fac3e3fcb0dbb472f525ac67e83b10ed9dbc36dd9859ef900688415f2ff0f07685968593cc595fc4608c362b29fe9d4a1b13acdf12c6f64ee9d1c8b21
-
Filesize 1.2MB
MD5 e4db573b0ed5fdea6c59cf1473b2866b
SHA1 04d76ad055abb4dfa820d1e85508d4fb1ab2a5f9
SHA256 0682bdcbe5ec356ae614259e6a19a2a77fd90d78a07e818e44a39b1bb560d881
SHA512 27afb1478473e46a70f487f42eaa9701815bdb86b0cf6c4cd5bc0e4bee5b66486092e6a0644d10945d819ea3b7ce9c43126f319a57ac1893385328ddc3e55dc9
-
Filesize 1.2MB
MD5 fee8cb8d7c77110bb54ffecc0b66dec4
SHA1 030792a106083dcbdc49199039e0c95103d09485
SHA256 248db0c10937e56b296d4a43c9fa8859528524d6d74ead6b4fe2a936feb2b7ff
SHA512 cf8ffe720e4b3257aae27ea6ba02b49362a1bb1f97186e9be9aa4f3ce280fce9b6568819f25fe05732c7f0fdc305e5a0acf5f6c57989c1a1c0ca3bdcd0cfbb38
-
Filesize 1.2MB
MD5 2c193b8e3cf2341094ec3133670d98c5
SHA1 b0080505467e4a3ca66d7ca43819e11cb7f50c46
SHA256 8c03efdfd8d74a983c49f08fbe4e411039ac3a4d02cd02762c275130a8bfa1ba
SHA512 b7fc1f6003fbe7771512871f5d0bdd7100db14c53918d8d05dfb0ff47d8445ac933b3c9e8799d7cf081724ac3d4835bae943b6809c142f7fc7d27e232bfae87a
-
Filesize 1.2MB
MD5 f00c9e2988c813e484ac8ff8501d794c
SHA1 5cf37d7954311644746c5d5b1043e1003a758fdc
SHA256 6f5076c542fc2c8e7b70755e70bbe8434a61f0247eb23c0c6aa55ab949d8e92d
SHA512 a528887f35ca85fd5d0a3d7d5e4982ad9c0a1263fb1efe5e7ba37ce2407f2249ad8fab08b62f557db0baa39ff7b588b397c08ef8ca915b8f6dd17fec51c9dd94
-
Filesize 1.4MB
MD5 465d878186ef401aed1e74c9522a6850
SHA1 4e88a48d04de845f0ca6387bab3490bc4a5602ca
SHA256 cedd1f7b64ffff17d485a63b9b4639abaf3eef4a582d83738646f829cd59baac
SHA512 e5487454e11fad36b33ff418025895efb8706236dfcd6076f8cb996e7d8d5ad04bf665aab84828b684701d1aa07e36d7157f1efe43d25c4264c1472a0ebcd583
-
Filesize 1.2MB
MD5 1b097593fa36332cfe639b7eec925fc9
SHA1 ce5a5a2c83b7f414d14992dee0b2beaa62f2e8a2
SHA256 18439a9717b2c08ac3cf0a1daec52ac1c4a2c1ef27e7d5f992320ac6953759c3
SHA512 49519b519264bd34f0cea5ca95eccc8f01c9a5810fc97c8ae9f8db55f2ab2e55e332c8cd7efe1a18473b7cb6868e01b7b1ebf9656d4c3aa6b275fdb66859b515
-
Filesize 1.2MB
MD5 1dfcf368e50833c013d0d840a29721b6
SHA1 8d90fb2545aed9807d4de7013e73140ff09dfe26
SHA256 0a0829a3469484142d64a0a604343bd56cce96e6dd421a9eb68b20d02787e393
SHA512 b42adcb16aad2c020383a64006d4eba792fb79b1e5bc453d3cb17ca2e865496f5ad7798ddb8e7e6be91fcd8c7b775d9dcd0c915efa000218807fa187c5e4b14f
-
Filesize 1.3MB
MD5 07e4c6a8e5c1969064c8760bf43e9946
SHA1 bed6354effb8a26df14655a9dcb62d10453acd8b
SHA256 c1246f3108f3e1935d8e65fbeb765cb7fe7aafd62388f59b59cefabb9c10585c
SHA512 e205a6bd3b21cfb8bb1b6c867cc498a41b515b799925288a5bb2601afb95f8431f4d68b14fc8e6fa37eaec622ec29a8ca9e87e4ff5efff99ead8c127cb45a029
-
Filesize 1.2MB
MD5 185d268a9a8c54701b3435a0842e3376
SHA1 b63178b27fa543afe940cee4b59da02416d19098
SHA256 30575eab0e93595742df9f2b0d1ad91e0d776ec39b922abccd9246c7850d1b96
SHA512 56dde10f4b1eac52761ca08618930b3d422a77108183bf36a5acddd450657ea05de2d227421921145f17c3d56ab6817c42ce5b5c5b0d580e8949a1a2b7d03a7f
-
Filesize 1.2MB
MD5 3ec1fa42bf3f2f6114ee9caae3211aed
SHA1 fccc30b5be42e1fc2a4e986ec4e4e694954d08bd
SHA256 61a582158b6fa47c58717ab3ff39d8237f42ab397c4154152c8db040e570a190
SHA512 53a20c787e4ffc7337b95540f8243a5e91603f9189fe4f7e962e1db63b63a3e1578d5069c9d64553f02d5f8b069f63ac95abd94f4e99b3ac2eba8c814f8ca771
-
Filesize 1.3MB
MD5 ea26e00c2796a46c451771e2880f701c
SHA1 314f913ca08368b65c4c6b41025db4eb2b2a44b9
SHA256 911424cc9976751c7d7bb6fd9450c42b5f5c22be03be7b95d67c2ab1142a0268
SHA512 f8ef0435584bd90a8424502051e499e34a3aa7a426f538803c3b11530eb9f4f31a0868f9539e3a134997557761f02b981623977656f479c326726b3cb790b2d7
-
Filesize 1.4MB
MD5 579930cacd637e16aa17c026e3757a58
SHA1 e1406ab87b18657a208dcb0a67d9bd830eb2cfb9
SHA256 1e93e9d34491ea395db9878f015845f06492c77a7d0a31c9e2a306f4784e2fd0
SHA512 2da630f8890a2c703e9d804d5b21b8bbd263bfb21c7969d284b121bfd1baa0d4862f9ed2cfb8c0371435904c77ecbf1d9c86297f938d77d484e76ea71024b022
-
Filesize 1.6MB
MD5 b935df218eda34b20d93e8ed1087c1a4
SHA1 9d5de8c11e28496caf68160df6baf15e1764bf85
SHA256 43cfbca7d1deb083a6daf525fa919ec580b80d46b1d09eb170dc209d05b0b8ce
SHA512 4b4e1873fc90aea8054e2055161852411fbb1f26e71416b5827fdabd70e67d0dc6aab478d4ffbaa1fee867404192a0293701dd56ab85e02d51d3ac53311c606c
-
Filesize 1.2MB
MD5 91fb8a5bd7179b9fffc6bc18bc9192da
SHA1 d9691984f5de36a6fc917ce6b95cd53c122345bd
SHA256 03de0182e4d0b7abb1f6b6ccfcb5286075e9be50ec36e7f3ae446c85e6b4eaef
SHA512 42a3a58434ed09dd95984f9e9d22d9edc227736a687d4101be4c98b567c7c57a015274141a802fe67ea8738aad3e6ba7530b68b2cbc4b5973f36ff93252d6f01
-
Filesize 1.2MB
MD5 0ef43028fd22efe8b96d409002db170c
SHA1 972753ba7b107418ba030ae60410bdb95540be5b
SHA256 23ec02219305a9eeba049c99bbafadd97bcc492777ca58ec15e25cbb8693bab0
SHA512 5b4b0dc9b7a994b4989c3b0b5f7e381bea8d22b045500336af488eafbededcb93093d3c148cffe38a794ff930d5e352dc8ccf372776c65ae561f608e90b661aa
-
Filesize 1.2MB
MD5 516eac1321f4fa54f8bf875518137a72
SHA1 48ae14c1c66844ad29d9e62c58b3fa8adf779c98
SHA256 030e986b49c41292e97a4d312dceeebf833c58b69cbb10cc2a9f2833213bda29
SHA512 cc23dbd3bf277606d4414fe5b57e78f93925e1ece1682ac0a6d20c806724aed6e564aaccd9abace025e96ef43546d6715b505573272f4d67ad4426c2124958f1
-
Filesize 1.2MB
MD5 aea63bc86d2a824f2e4583fb761ba826
SHA1 6c12d0c6107b2b0ae6c2810aac0e2d04f068081f
SHA256 0c3ec317e21c011ae90cf10b3a0b36c7ca89a4ab8f5c92383d6c7ed30944d719
SHA512 80f7fe2cc6d0a0f0c4c75b1068ee15de010b701935d38c1cd9b3b6888a5a7c35c5ca9a757777c88566e7aa53c2b5048dee39dd24c39dc1750a2426728d9164bf
-
Filesize 1.2MB
MD5 2bf15cd9be7967e28009b91f9494288c
SHA1 40eb31113638620754c9c398b583563410619600
SHA256 fd9ae3a2adabf37601bd885b067a3b1f190c046aa817817625b29feb22ed2955
SHA512 c7e684bae4a5b0bf8fc75a31748c2496387450b7d23b7e307038475be6f42fae4550609e45e163158b98b7525d10adc82b4ab4cdcbef98eaf68195dd35d8647d
-
Filesize 1.2MB
MD5 3eb85825c92ec097d82ba0ef7263cc83
SHA1 6579c6859c949c5f2b89f89d46bff99b0f7ffbd8
SHA256 ebb63ed59958a4bcc9f4364378dfc2c6d4d0c0ce230868ff33fc449b28fb0d47
SHA512 291d67cdaa8df6a17a937acbda1d9a9adac01aab32e79bd2f6c5fb032919f2541e024755d036bde80532fd4a140469ffc5c3645e5f393611ec531f98bf17b947
-
Filesize 1.3MB
MD5 5ae5d3315b3e7f81ddfa0316da9e8ed4
SHA1 71ab1e7bb96916c745a49aaea1c68e6425a3dbc9
SHA256 80bf23ef19faa05149a6809a4dc9401388a77b323719b9c6f6f924d012f5ded1
SHA512 04e1d5c850e72278330bb53df3450be1fd58d61356f8687bf4029f82362760e35898c248e92c24526c4f0c4902b1ad244fa0478ade5bf38993ae5369d8d7ddca
-
Filesize 1.2MB
MD5 308d364a7ee2ba8817daa6f633453a2d
SHA1 72cb4f6349ae15ff08c3719d7eebdc23acc4c0df
SHA256 18b288d21671636dfae12894b9b2f509bb581b6f3fcf1bb4c3adeb80986e9edd
SHA512 fc463e30928754b647abbc360226e04fa64454f1c45f6e2bfe352221a42c7b23c4a336a2d285648fd18e870fe78786d392f04e2ea305352809b1c2feca1eb28a
-
Filesize 1.7MB
MD5 64bc622ee63291dc0a02cad9fb1cb68c
SHA1 2c7cce93e8e0bec434ead1ef6ce547432890a137
SHA256 7344b028bc03a351d4c1478d15c746f35613fc1ad769343b50240c38812e31a6
SHA512 197c16e4abbd255335a77cb7240202f94157f3e6a5109657c8b13a4c56fc21cf06074668e66a32233ac90fb540c8e39d2e29807f54ac0dbc369be017c7aee23e
-
Filesize 1.2MB
MD5 cc1dcabcfa1ea4c837615d0379e87176
SHA1 e1051b3971bea1148d8511726d91449c82d1835a
SHA256 de5606904eccd9bcbcaf96e50b9dc2886116ec12b313fba5762c20837312e099
SHA512 3f4ce8b3c07303aff7aa142df6e51b727fd2bc5a21149877198790ffee16cb8ce78eee0a79786d760ba16091b7ae7235f42725f1dda0069b218a6a58eedba815
-
Filesize 1.2MB
MD5 a82f023dd26a5f3267d2b790af0a021a
SHA1 8f44c1fc88970d98b20ec83791bd1cf3843c8e20
SHA256 973f4c7a75393b5357149f86912dfc053c5c1ad08b6d96bff25504c677ff56f6
SHA512 7827d50307ec4befb333a6d96b8355540760cb5bfc05d0e6abec0f027b5cae8576d988a759ebd5b860e9b5cd9a247cbc61da555ba3cdde6155001f3f73429f1b
-
Filesize 1.2MB
MD5 90a278c793113c7b964003ee5e42f437
SHA1 560f5a66cc1af06a96d60b4204751c14e1eb5cfb
SHA256 756bfef23a88afd6c2e5221d0a6ca67669975d8a4193b611d291efe53eae9975
SHA512 42c46efc9019932210852851945ac9d7cb4a0c54b78409ac5e138bbaa2bc2778fd6b96286ba5a20d4880c76d5578ab95822bbaa035b2814a9f31039976f574c9
-
Filesize 1.5MB
MD5 28bbaad40523dd9fdf28aa3d77e45417
SHA1 37dbc6ea00b4f6e0da9d639c7819321ff040fb2d
SHA256 74cc08cf50f8bdca9fc9d2d96e4d01293b8a29126a4117046764678b5093dad7
SHA512 0a74fdd657d0ef7cc6c36cb33c0bc86dd12b9ee446885910081cabb0c1e5d40dde5b5997942e584f4f4f476c5003630615f0e281c0b3b3a8880c978cb85209a3
-
Filesize 1.2MB
MD5 dc47ba6cc1498c37f33bebe4329e6afe
SHA1 a7f671ab759a51f824f37e9c98340cc3a959ed7d
SHA256 8563d649388db9ff43ce398384fbc98f27f2997f705c80496ca6818ef432d065
SHA512 7562d9c6011117374b772c6c80594a584e77169e6de7c6cb0d0fa8d8f44919b375db6cb15c81b6f6087a18906dc5a84f38e25a779fcfaddd78778b823b49fb81
-
Filesize 1.4MB
MD5 e61b7a1064331f750a5ba6952cc2cc15
SHA1 c4a32f57b61f594252798c6fd39155c11c38217a
SHA256 4b9553f2cae5bf7b2a673a4f53b1a06352084991d9a13ee51f6cf5e1dc9af304
SHA512 d55fa82dd94dc7356bfd696bea54e758c84e8bc6eaeca570b98fb86133f3414869478a7941a8fa90b43b2a008677e86172b940f9e035b2c7ac62520d062c3500
-
Filesize 1.8MB
MD5 f2f23b1ebe62431700c6c9827dfbdf41
SHA1 5e7709f67a80efb574cfd11216d57ff48c2b6165
SHA256 5fe6890a30734661be2e3bbfca773bb2017f63761d0a509540071e321502c231
SHA512 0f4930ac3932fc9bd04ddee80631641c31f047230b3aa25544f2675bbf454c11d5bd44147739503b0994ebe24f767879baf3a944fcf956c2e52681acb3576674
-
Filesize 1.4MB
MD5 4430007e6895a6e7f262206721053a07
SHA1 5445828519e98e0e49fc4e93e689db86a05c985b
SHA256 52b5d862e6a9f94554b7e9984be42a5c1a6fc9e1c5af174d858027f32ab6bfa1
SHA512 ee44a16e4d807ce8f554705df06917bb315d77201f43cc496ff4aed035167be161383e41ea177dc563a8c4d4fd32b19d5a7097af0a1d6ddf5998da745f452fd3
-
Filesize 1.5MB
MD5 c9841da88ec8c6f3ad37549cf7d084d0
SHA1 e6a2ddfca7c5d373e10493f17895dd31d10a5795
SHA256 43c44b7999dd7e6ca1765fe3ae635ad883a7696e17d81a9d6452ab97ca3824e4
SHA512 e45ab28983e97a453ba4955ea03535976e617c7df2559dfb6cbdc895f0448445dbde7dbb9e182f3976402c13d7ce7c6b43871644eae3630eeef34f473ca8d228
-
Filesize 2.0MB
MD5 94a80a24807b11a7c6e2879641861883
SHA1 81cc0dfb92fc987a57f50b946935bebe70dedac2
SHA256 34f830cd99e7185a0ee066a376bced2aa0fad01a9da332a354cb83262c16218f
SHA512 bbcedcb6cb8e12f5549a65eadb6a69c0ceef7c54733d60f749fe6fc7e7e3f4974c0c9366a67bc2a1dc8e1fb44bb082448006a7a58859197ed3776f511853d13c
-
Filesize 1.2MB
MD5 292201a01d584452d81c2502f3170a05
SHA1 6f44b34a118a9be51ad2fd4991055e7881b25f11
SHA256 1599098e8947be075b31ebcaa1d0d42884d5bc8ad880d68507584220b909a023
SHA512 9934fabb9cf05e8cf2552bc4dd936a75a49bab934439ba9743244f821eefedee7e9f20c8ec48869581d1ad0c446b016494907c54e881a5d615d2786d5295d9d5
-
Filesize 1.3MB
MD5 9e9bf3a0530efbf0023c13620f525612
SHA1 da50b58a710603f39bc84752f51e4bb6e10754d4
SHA256 ff371c7c56abaf7c349cf893b823fe3f0543f5b4917415585a7309453cc79d0b
SHA512 e523b2458ca56faa3e382a3e4d0f3662017a0085a0ab38b1b7f61791f5da915987926eaafe1e12e8c79dd18df64625d95b325fe2add268560a781706c9951a03
-
Filesize 1.2MB
MD5 00bf9c2d419180c9ba4d249d99c336d4
SHA1 f28725da96daaabc868951f3a5515f4fee373584
SHA256 afa8fab3802551f6baf5bbee6c3d07553f5445dfff18504f9dd5a678ffd4cfff
SHA512 ef6d4a535dfa4323a0041ca00d2f18825a4d6dfcff4c937b809312ccd2a01b5703051cb66802b2dc27b3f005ce29b359e467532df42a96a76f0f5a3d279bfef1
-
Filesize 1.3MB
MD5 da8e14e0cdba48771e88d5376f14c1ec
SHA1 84d27103e0b26e88b09d17feb8e69f0fb31b9b7f
SHA256 2de5f1385ddbe03a8f28bdc434a6488908ce93ac24708c31a531d14455ad27f1
SHA512 a5c992fe9a1b0fee85048642ffa9ff5026e6ed8040f86970dadf64e0f97c63f1725744f25370bf5eca1b184d28ce21968cb69ff0f717c9d17ede7440c9629a7c
-
Filesize 1.3MB
MD5 c3092f21324706c9c5eed14b2c73195f
SHA1 8436d3e7a06774d56dd120ff8002967786dd5947
SHA256 cd9c6ccd173f8e52575267cc58c4a1b7fb42c637c3c94f14858586c540168297
SHA512 20b2fda7cba9eb11303452d74dd54e79227ab0b86720dbd84bad3319acfb39e9f311a68b9deb9b1df0e5e564737afc8c003fd1902692a65fe71708b415518e6b
-
Filesize 2.1MB
MD5 ecd618c21473f9b16c30d6d511388810
SHA1 ec28e18599906cdf01832a2b9ab0e18c87e75f84
SHA256 2c46c0066506776785ee5e96e1700df759eb894fd8de269832cf1d70062d51e9
SHA512 eeb986a1d689f23bce2d50d3ed62b41f0e0aa56e39a524280ed78a0147efb32ef87d7df1024877069e3e36f1a762bcb214fe3e510d08af1cf806d95afa0f5184
-
Filesize 1.3MB
MD5 b08a6f7c28c36391e45e2418688c3fd1
SHA1 cdb05c9782e6e6515d4f0a2493d31dcaa67ceb64
SHA256 d945be0e2158c1370b7e1f00e2881fc1c5f1331d75dc19bbfaddc0298373bc24
SHA512 6b68c8dfca4d81222c3e89b8c0ac67c86d252abd5bade5be30d07b7b382e5cffb08d504b3da9e381a9c9f3023618ee69e89a99173e82903e3c2c8154e586c1df
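Worked example, added here and not part of the report: a parser for the Downloads list that separates the digest label from the hex even where extraction has run them together ("MD5<hex>"), validates every digest by its expected length so a mis-split is caught rather than silently indexed, and matches a file's hashes against the resulting set. The first two entries in SAMPLE_TEXT are copied from the list above; the third is generated at runtime from a constructed byte string (not a real sample) so the lookup can be exercised offline.

```python
import hashlib
import re

# Expected hex length of each digest; used to validate entries where the label and the
# value have been run together by extraction ("MD5<hex>").
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LINE_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512)\s*(?P<hex>[0-9a-fA-F]+)$")

# Constructed input: two entries copied from the report's Downloads list, plus a third
# entry (hypothetical) derived from SAMPLE_PAYLOAD so the match can be demonstrated offline.
SAMPLE_PAYLOAD = b"MZ\x90\x00 constructed stand-in for a dropped binary, not a real sample"
SAMPLE_TEXT = """
-
Filesize
2.1MB
MD567250eed236c05d6ed7d95f27a59ac00
SHA1e17beab2bb277b7beed990312729799d7af26162
SHA256fc240ee535dadeb08b98d74a4eb2b303d5629064c20c932eb7baab4fb3729405
SHA5124b72d6a51e40e23d38c0ba580cf2f37c7744e632180a7efebf1d6fcc5a542271e4c60300e16cbd976b59de1bfc4804ca7302eaea9775307755db641e99374471
-
Filesize
1.4MB
MD58638893edf64be3681d15c40899f1a9c
SHA10b0fa2c10510f6f94db60a7827b233002e00c7c0
SHA2565ed6da66eed9621544cd23b6fc30f17c94fab39893036a29cc8301cf5bc81ff3
SHA512c87abd6ab80fbcbeb6e00602407e255d07d12d131487858b6d5e436fb21c4ac69ab31a747baeb3d37d0657ea2067c289197039546de9933698f3435d2f86b80f
-
Filesize
""" + f"{len(SAMPLE_PAYLOAD)}B\n" + "\n".join(
    f"{algo}{hashlib.new(algo.lower(), SAMPLE_PAYLOAD).hexdigest()}" for algo in DIGEST_LEN
)


def parse_hash_entries(text):
    """One dict per file: {"size": ..., "MD5": ..., "SHA1": ..., "SHA256": ..., "SHA512": ...}."""
    entries, cur, want_size = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # entry separator
            if cur:
                entries.append(cur)
            cur, want_size = {}, False
            continue
        if line == "Filesize":               # the size sits on the following line
            want_size = True
            continue
        if want_size:
            cur["size"], want_size = line, False
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        algo, hx = m["algo"], m["hex"].lower()
        if len(hx) != DIGEST_LEN[algo]:      # catches a label/hex mis-split
            raise ValueError(f"{algo} digest has {len(hx)} hex chars, expected {DIGEST_LEN[algo]}")
        cur[algo] = hx
    if cur:
        entries.append(cur)
    return entries


def build_index(entries):
    """Map every known digest, whichever algorithm, to its entry for O(1) lookups."""
    return {hx: e for e in entries for algo, hx in e.items() if algo in DIGEST_LEN}


def match_bytes(data, index):
    """Hash data with all four algorithms; return (algorithm, entry) on the first hit, else None."""
    for name in ("md5", "sha1", "sha256", "sha512"):
        digest = hashlib.new(name, data).hexdigest()
        if digest in index:
            return name, index[digest]
    return None


def match_file(path, index):
    with open(path, "rb") as fh:
        return match_bytes(fh.read(), index)


if __name__ == "__main__":
    idx = build_index(parse_hash_entries(SAMPLE_TEXT))
    print(f"{len(idx)} digests indexed; constructed payload ->", match_bytes(SAMPLE_PAYLOAD, idx))
```

Feed match_file the paths that the process tree shows as dropped executables (alg.exe, vssvc.exe and the rest) on a suspect host; a hit against any of the four digests ties that file to this analysis run, and a miss on a file that still fails its Authenticode check simply means a variant with a different payload.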