Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2024, 22:24

Static task: static1
Behavioral task: behavioral1
- Sample: 2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe
- Resource: win7-20240903-en
General
- Target: 2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe
- Size: 1.8MB
- MD5: 88574adf6b22687ed4b867a60634bed8
- SHA1: 36879e28e86a180301967aa746e31babaec128b8
- SHA256: d4f61d2c92281ea792f9875f829c0f96f834f2f694830ffc7e5fd0d85b0a8a25
- SHA512: fe2f440d92a19b502f64367e0d09f70daa63c8ccb0cd6e786ee9e89757901561d891e653c59a4b79e4ab3b60e6d81bf6e2d58ccac761a303df2192e3249ab977
- SSDEEP: 49152:KE19+ApwXk1QE1RzsEQPaxHNOkQ/qoLEw:P93wXmoKqqo4w
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
None of these is a newly created file: each is an existing Windows service binary or third-party helper whose on-disk image was opened for modification by the sample or by the already-rewritten alg.exe (see the "Drops file" lists below), and the signature fires when such a rewritten image is executed afterwards. Treat every one of them as trojanized until its hash or Authenticode signature has been verified against a clean install.

  pid   Process
  4548  alg.exe
  3184  DiagnosticsHub.StandardCollector.Service.exe
  2896  fxssvc.exe
  1964  elevation_service.exe
  1464  elevation_service.exe
  3696  maintenanceservice.exe
  516   msdtc.exe
  1688  OSE.EXE
  3792  PerceptionSimulationService.exe
  1232  perfhost.exe
  4780  locator.exe
  4380  SensorDataService.exe
  3188  snmptrap.exe
  2192  spectrum.exe
  4272  ssh-agent.exe
  1016  TieringEngineService.exe
  1504  AgentService.exe
  2964  vds.exe
  4052  vssvc.exe
  4980  wbengine.exe
  1316  WmiApSrv.exe
  4824  SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops file in System32 directory (31 IoCs)
Grouped by the writing process; all entries are "File opened for modification".

  2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe (22):
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\locator.exe
    C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\dllhost.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\System32\alg.exe
    C:\Windows\System32\msdtc.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\AgentService.exe
    C:\Windows\system32\wbengine.exe
    C:\Windows\system32\fxssvc.exe
    C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\system32\AppVClient.exe
    C:\Windows\system32\SgrmBroker.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\spectrum.exe
    C:\Windows\System32\vds.exe
    C:\Windows\SysWow64\perfhost.exe

  alg.exe (8):
    C:\Windows\system32\AppVClient.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\System32\SensorDataService.exe
    C:\Windows\system32\config\systemprofile\AppData\Roaming\23d8388d38f5360d.bin
    C:\Windows\system32\AgentService.exe
    C:\Windows\system32\dllhost.exe
    C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\SgrmBroker.exe

  msdtc.exe (1):
    C:\Windows\system32\MSDtc\MSDTC.LOG
Drops file in Program Files directory (64 IoCs)
Grouped by the writing process; entries are "File opened for modification" unless marked otherwise.

  2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe (35):
    C:\Program Files\Java\jdk-1.8\bin\jmap.exe
    C:\Program Files\Java\jdk-1.8\bin\schemagen.exe
    C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
    C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
    C:\Program Files\Java\jre-1.8\bin\javaw.exe
    C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
    C:\Program Files\Java\jdk-1.8\bin\serialver.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
    C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
    C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
    C:\Program Files\Java\jre-1.8\bin\pack200.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
    C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
    C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe
    C:\Program Files\Java\jre-1.8\bin\ktab.exe
    C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    C:\Program Files\Internet Explorer\iediagcmd.exe
    C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
    C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe
    C:\Program Files\Java\jdk-1.8\bin\idlj.exe
    C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe
    C:\Program Files\Mozilla Firefox\maintenanceservice.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Internet Explorer\ExtExport.exe
    C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe
    C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
    C:\Program Files (x86)\Google\Update\Install\{CA9E0780-5A2C-43F8-9E63-52BCB11A02D4}\chrome_installer.exe

  alg.exe (28):
    C:\Program Files\Java\jdk-1.8\bin\javap.exe
    C:\Program Files\Java\jdk-1.8\bin\jdb.exe
    C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
    C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
    C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    C:\Program Files (x86)\Internet Explorer\ieinstal.exe
    C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
    C:\Program Files\Java\jre-1.8\bin\jabswitch.exe
    C:\Program Files\Java\jre-1.8\bin\javaw.exe
    C:\Program Files\Common Files\microsoft shared\ink\mip.exe
    C:\Program Files\Mozilla Firefox\default-browser-agent.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
    C:\Program Files\Java\jdk-1.8\bin\rmic.exe
    C:\Program Files\Java\jdk-1.8\bin\servertool.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe
    C:\Program Files\Java\jre-1.8\bin\ktab.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\private_browsing.exe
    C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
    C:\Program Files\VideoLAN\VLC\vlc.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
    C:\Program Files (x86)\Google\Update\Install\{CA9E0780-5A2C-43F8-9E63-52BCB11A02D4}\chrome_installer.exe
    C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    C:\Program Files\Internet Explorer\ielowutil.exe
    C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe
    C:\Program Files\Java\jre-1.8\bin\jjs.exe

  maintenanceservice.exe (1), File created:
    C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Drops file in Windows directory (3 IoCs)
All entries are "File opened for modification".

  2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe (1):
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  msdtc.exe (1):
    C:\Windows\DtcInstall.log
  alg.exe (1):
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
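The three "Drops file" lists and the "Executes dropped EXE" list describe one write-then-execute pattern: existing executables are opened for modification, and some of the rewritten ones (alg.exe first) run and rewrite more. The script below is an added example for this page, not part of the Triage report or of the sample. It parses the flattened form in which these IoC cells are scraped from the report (action, path and process run together on one line), maps every written executable to its writers, joins that against the executed-process list to recover the chain, and emits the list of paths a responder should hash or signature-check on an affected host. The embedded records are a constructed subset copied from this report's tables.

```python
"""Write-then-execute chain over the file IoCs of a sandbox report.

Added example for this page; it is not part of the Triage report or of the
sample. FLAT_IOC_TEXT and EXECUTED are a constructed subset copied from the
report's "Drops file in ..." and "Executes dropped EXE" tables.
"""
import re
from collections import defaultdict

SAMPLE = "2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe"

# Flattened cells as they come off the report page: "<action> <path> <process>"
# repeated with no delimiter between rows. Constructed subset of the report.
FLAT_IOC_TEXT = " ".join([
    "File opened for modification C:\\Windows\\System32\\alg.exe " + SAMPLE,
    "File opened for modification C:\\Windows\\system32\\fxssvc.exe " + SAMPLE,
    "File opened for modification C:\\Windows\\System32\\SensorDataService.exe alg.exe",
    "File opened for modification C:\\Windows\\system32\\fxssvc.exe alg.exe",
    "File opened for modification C:\\Program Files\\Mozilla Firefox\\firefox.exe alg.exe",
    "File opened for modification C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\Eula.exe " + SAMPLE,
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe",
    "File created C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\maintenanceservice.log maintenanceservice.exe",
])

# Subset of the "Executes dropped EXE" process column.
EXECUTED = ["alg.exe", "fxssvc.exe", "SensorDataService.exe", "msdtc.exe", "maintenanceservice.exe"]

ACTIONS = ("File opened for modification", "File created")
_ACTION_RE = re.compile("(" + "|".join(re.escape(a) for a in ACTIONS) + r")\s+")


def parse_flat_iocs(text):
    """Split flattened IoC text into (action, path, process) tuples.

    Paths contain spaces ("Program Files (x86)"), but the process cell never
    does, so each chunk between two action markers is split once from the right.
    """
    parts = _ACTION_RE.split(text)          # ['', action, rest, action, rest, ...]
    records = []
    for action, rest in zip(parts[1::2], parts[2::2]):
        path, process = rest.strip().rsplit(None, 1)
        records.append((action, path, process))
    return records


def basename(path):
    return path.rsplit("\\", 1)[-1]


def writers_by_target(records):
    """Map every written .exe path to the set of processes that wrote it."""
    out = defaultdict(set)
    for _action, path, process in records:
        if path.lower().endswith(".exe"):
            out[path].add(process)
    return dict(out)


def propagation_edges(records, executed):
    """(writer, executed binary) pairs: a process modified an existing .exe whose
    name later appears in the executed-process list. No new file is dropped; the
    legitimate image is rewritten in place and runs under its own name."""
    executed_lc = {e.lower() for e in executed}
    return {
        (writer, basename(path))
        for action, path, writer in records
        if action == "File opened for modification"
        and basename(path).lower() in executed_lc
    }


def second_stage_writers(edges):
    """Binaries that were rewritten by another process and then rewrote further
    executables themselves, i.e. the carriers of the next round."""
    targets = {t.lower() for _w, t in edges}
    return sorted({w for w, _t in edges if w.lower() in targets})


def verification_list(records):
    """Distinct .exe paths to hash or signature-check on an affected host."""
    return sorted({p for _a, p, _w in records if p.lower().endswith(".exe")}, key=str.lower)


if __name__ == "__main__":
    recs = parse_flat_iocs(FLAT_IOC_TEXT)
    edges = propagation_edges(recs, EXECUTED)
    for writer, target in sorted(edges):
        print(f"{writer} -> {target}")
    print("second-stage writers:", second_stage_writers(edges))
    print("verify on host:")
    for p in verification_list(recs):
        print("  " + p)
```

On a host, feed the `verification_list()` output to `Get-AuthenticodeSignature` or compare hashes against a clean reference install; `sfc /verifyonly` covers the System32 binaries but not the Java, Firefox, Adobe or Chrome files in the Program Files list.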
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All 64 keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; paths below are relative to that key and grouped by process and device instance. Entries are "Key opened" unless marked "Key value queried".

  SensorDataService.exe (32)
    CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
      Key value queried: FriendlyName
      Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
      Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
      Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
      Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
      Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
      Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
    CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
      (instance key itself)
      Key value queried: FriendlyName
      Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
      Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
      Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
      Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
      Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
    CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
      (instance key itself)
      Key value queried: FriendlyName
      Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
      Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
      Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
      Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
      Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
      Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
      Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
    Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
      (instance key itself)
      Key value queried: FriendlyName
      Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
      Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
      Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
      Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
      Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
      Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
      Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006

  spectrum.exe (32)
    CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
      (instance key itself)
      Key value queried: FriendlyName
      Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
      Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
      Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
      Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
      Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
      Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
    CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
      Key value queried: FriendlyName
      Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
      Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
      Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
      Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
      Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
      Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
    CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
      (instance key itself)
      Key value queried: FriendlyName
      Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
      Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
      Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
      Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
      Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
      Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
      Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
    Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
      (instance key itself)
      Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
      Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
      Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
      Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
      Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
      Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
      Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

  TieringEngineService.exe (2):
    Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
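The two sandbox checks above read what a VM detector reads: the SCSI device instance IDs under Enum\SCSI, whose vendor and product tokens (and the FriendlyName value) spell out "QEMU" and "Msft Virtual DVD-ROM" on this analysis VM, and the registry copy of the CPU clock. The script below is an added example for this page, not code from the report or from the sample. It parses the device IDs out of the report's key paths, flags virtual-hardware vendors, summarizes per process which devices and values were actually queried, and, on a Windows host, enumerates the same key so an analyst can see what their own sandbox exposes. The embedded key paths are a constructed subset copied from the tables above; the vendor list is an assumption, not something the report states.

```python
"""Classify the SCSI and CPU registry reads from the report as VM/sandbox
detection indicators.

Added example for this page; it is not code from the report or from the sample.
IOC_KEYS is a constructed subset copied verbatim from the "Checks SCSI registry
key(s)" and "Checks processor information in registry" tables.
"""
import re
import sys

SCSI_ROOT = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"

# Assumed vendor tokens that only occur on virtual hardware. The WDC disk in the
# report carries a physical-looking model string and is deliberately not listed.
VIRTUAL_VENDORS = {"QEMU", "VMWARE", "VBOX", "MSFT"}   # Msft: Hyper-V / Windows virtual DVD

IOC_KEYS = [
    ("Key opened", SCSI_ROOT + r"\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002", "SensorDataService.exe"),
    ("Key value queried", SCSI_ROOT + r"\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName", "SensorDataService.exe"),
    ("Key opened", SCSI_ROOT + r"\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006", "SensorDataService.exe"),
    ("Key value queried", SCSI_ROOT + r"\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName", "spectrum.exe"),
    ("Key opened", SCSI_ROOT + r"\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000", "spectrum.exe"),
    ("Key value queried", SCSI_ROOT + r"\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName", "SensorDataService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "TieringEngineService.exe"),
]

# Device instance path layout: <type>&Ven_<vendor>&Prod_<product>\<instance id>[\...]
_DEVID_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^\\]+)"
    r"(?:\\(?P<instance>[^\\]+))?"
)


def parse_device_id(key_path):
    """Pull type/vendor/product out of an Enum\\SCSI key path; None if not one."""
    m = _DEVID_RE.search(key_path)
    if not m:
        return None
    return {
        "type": m.group("type"),
        "vendor": m.group("vendor"),
        "product": m.group("product"),
        "instance": m.group("instance"),
        "virtual": m.group("vendor").upper() in VIRTUAL_VENDORS,
        # FriendlyName ("QEMU QEMU DVD-ROM", ...) is the string a naive VM check compares.
        "friendly_name_read": key_path.lower().endswith("\\friendlyname"),
    }


def classify_read(record):
    """Tag one registry IoC with the anti-analysis check family it serves."""
    _action, key_path, process = record
    dev = parse_device_id(key_path)
    if dev is not None:
        return {"process": process, "family": "scsi-device-enum", **dev}
    if key_path.lower().endswith("\\centralprocessor\\0\\~mhz"):
        # Registry copy of the CPU clock, used by checks that compare it against
        # a measured or expected value.
        return {"process": process, "family": "cpu-clock", "virtual": None, "friendly_name_read": False}
    return {"process": process, "family": "other", "virtual": None, "friendly_name_read": False}


def summarize(records):
    """Per process: virtual devices touched, FriendlyName queries, CPU clock reads."""
    out = {}
    for rec in records:
        c = classify_read(rec)
        p = out.setdefault(c["process"], {"virtual_devices": set(), "friendly_name_queries": 0, "cpu_clock_reads": 0})
        if c["family"] == "scsi-device-enum" and c["virtual"]:
            p["virtual_devices"].add(c["vendor"] + " " + c["product"])
        if c["friendly_name_read"]:
            p["friendly_name_queries"] += 1
        if c["family"] == "cpu-clock":
            p["cpu_clock_reads"] += 1
    return out


def live_scsi_devices():
    """On Windows, enumerate the key the sample reads (current control set) so an
    analyst can see which vendor strings their own VM exposes. Returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Enum\SCSI") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):          # number of subkeys
            dev_name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, dev_name) as dev:
                for j in range(winreg.QueryInfoKey(dev)[0]):
                    inst = winreg.EnumKey(dev, j)
                    try:
                        with winreg.OpenKey(dev, inst) as k:
                            friendly = winreg.QueryValueEx(k, "FriendlyName")[0]
                    except OSError:
                        friendly = None
                    d = parse_device_id("\\Enum\\SCSI\\" + dev_name + "\\" + inst) or {}
                    found.append({"device": dev_name, "instance": inst,
                                  "friendly_name": friendly, "virtual": d.get("virtual", False)})
    return found


if __name__ == "__main__":
    for proc, info in summarize(IOC_KEYS).items():
        print(proc, info)
    for entry in live_scsi_devices():
        print(entry)
```

The per-process summary is the part worth keeping in a triage note: it separates "opened a device key" (cheap, noisy) from "queried FriendlyName" (the value a string-matching check actually needs), which is what distinguishes a deliberate VM check from ordinary device enumeration.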
Modifies data under HKEY_USERS (64 IoCs)
All keys are under \REGISTRY\USER\.DEFAULT; "MuiCache\" below abbreviates Software\Classes\Local Settings\MuiCache\26\52C64B7E\. None of these writes come from the sample itself: they are the MUI string caches, file-type association keys and shell-extension cache entries that the Windows Search processes (SearchIndexer.exe, SearchProtocolHost.exe, SearchFilterHost.exe) and the Fax service (fxssvc.exe) populate in the .DEFAULT profile when they run as LocalSystem. SearchIndexer.exe and fxssvc.exe are among the rewritten binaries listed under "Executes dropped EXE", so the registry activity is a side effect of those services starting, not attacker configuration.

  SearchIndexer.exe (5), Set value (str):
    MuiCache\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"
    MuiCache\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"
    MuiCache\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"
    MuiCache\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"
    MuiCache\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"

  SearchFilterHost.exe (6), Key created:
    Software\Microsoft\SystemCertificates
    Software\Microsoft\SystemCertificates\My
    Software\Microsoft\Multimedia
    SOFTWARE\Microsoft\MPEG2Demultiplexer
    Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
    Software\Microsoft\ActiveMovie

  fxssvc.exe (2), Set value (str):
    MuiCache\@fxsresm.dll,-1131 = "Route through e-mail"
    MuiCache\@fxsresm.dll,-1134 = "Microsoft Routing Extension"

  SearchProtocolHost.exe (51)
    Key created (12):
      Software
      Software\Microsoft
      Software\Microsoft\Windows\CurrentVersion
      Software\Microsoft\Windows\CurrentVersion\Explorer
      Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
      Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList
      Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf
      Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList
      Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList
      Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList
      Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html
      Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList
    Set value (data) under Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\ (8):
      {3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f69cbf42c32db01
      {01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c571b7f52c32db01
      {5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbd3b9f52c32db01
      {E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056fd82f52c32db01
      {33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d878cf52c32db01
      {F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c8108f62c32db01
      {C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1af74f52c32db01
      {487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d2bb4f62c32db01
    Set value (str) under MuiCache\ (31):
      @C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"
      @C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"
      @C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"
      @C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"
      @C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"
      @C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"
      @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"
      @"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"
      @C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"
      @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"
      @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"
      @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"
      @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"
      @C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"
      @"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"
      @C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"
      @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"
      @C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"
      @C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"
      @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"
      @C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"
      @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"
      @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"
      @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"
      @windows.storage.dll,-21825 = "3D Objects"
      @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"
      @C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"
      @C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"
      @C:\Windows\System32\msxml3r.dll,-1 = "XML Document"
      @C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"
      @windows.storage.dll,-34583 = "Saved Pictures"
Suspicious behavior: EnumeratesProcesses 35 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4488 2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe
Token: SeAuditPrivilege 2896 fxssvc.exe
Token: SeRestorePrivilege 1016 TieringEngineService.exe
Token: SeManageVolumePrivilege 1016 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1504 AgentService.exe
Token: SeBackupPrivilege 4052 vssvc.exe
Token: SeRestorePrivilege 4052 vssvc.exe
Token: SeAuditPrivilege 4052 vssvc.exe
Token: SeBackupPrivilege 4980 wbengine.exe
Token: SeRestorePrivilege 4980 wbengine.exe
Token: SeSecurityPrivilege 4980 wbengine.exe
Token: 33 4824 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4824 SearchIndexer.exe
Token: SeDebugPrivilege 4488 2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe
Token: SeDebugPrivilege 4488 2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe
Token: SeDebugPrivilege 4488 2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe
Token: SeDebugPrivilege 4488 2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe
Token: SeDebugPrivilege 4488 2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe
Token: SeDebugPrivilege 4548 alg.exe
Token: SeDebugPrivilege 4548 alg.exe
Token: SeDebugPrivilege 4548 alg.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4824 wrote to memory of 5012 4824 SearchIndexer.exe 112
PID 4824 wrote to memory of 5012 4824 SearchIndexer.exe 112
PID 4824 wrote to memory of 540 4824 SearchIndexer.exe 113
PID 4824 wrote to memory of 540 4824 SearchIndexer.exe 113
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-08_88574adf6b22687ed4b867a60634bed8_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4548
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3184
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3264
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:1964
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1464
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:3696
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:516
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1688
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3792
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1232
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4780
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4380
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3188
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2192
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4272
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:5036
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2964
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4052
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1316
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824
    C:\Windows\system32\SearchProtocolHost.exe
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:5012
    -
    C:\Windows\system32\SearchFilterHost.exe
    "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:540
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads