Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 14:50
Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-08_63e25142176e21b75cecf8660e2c01a2_bkransomware.exe
Resource: win7-20240903-en

General
Target: 2024-11-08_63e25142176e21b75cecf8660e2c01a2_bkransomware.exe
Size: 1.6MB
MD5: 63e25142176e21b75cecf8660e2c01a2
SHA1: c4d7116e97537e026071574256aa885378257b45
SHA256: aa41f224361b340967937577403fb465dc721372f6051d887af66fa8733195ef
SHA512: 98ad813f976ea2dae62eafc9e3872cace8ef2cb3b8c971278425c2d1f8699b8c93856bb8ab1f98c7de6c47d73669101be6cfe6247c37114380b9311308cebefc
SSDEEP: 12288:itOw6BameDhmipJq1XNzAP96+zH6BO7N6X0hu/eVnXW1jC:c6BDMh1vqp5c9LPY2JOjC
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   Process
5116  alg.exe
3640  DiagnosticsHub.StandardCollector.Service.exe
4048  fxssvc.exe
2940  elevation_service.exe
2072  elevation_service.exe
4968  maintenanceservice.exe
4964  msdtc.exe
1836  OSE.EXE
4892  PerceptionSimulationService.exe
4880  perfhost.exe
2312  locator.exe
3600  SensorDataService.exe
1752  snmptrap.exe
3284  spectrum.exe
4408  ssh-agent.exe
2788  TieringEngineService.exe
1420  AgentService.exe
3200  vds.exe
2388  vssvc.exe
516   wbengine.exe
432   WmiApSrv.exe
868   SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description                   ioc                                                                       Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-11-08_63e25142176e21b75cecf8660e2c01a2_bkransomware.exe
File opened for modification  C:\Windows\DtcInstall.log                                                 msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-11-08_63e25142176e21b75cecf8660e2c01a2_bkransomware.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                   Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
2080 2024-11-08_63e25142176e21b75cecf8660e2c01a2_bkransomware.exe (35 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2080 2024-11-08_63e25142176e21b75cecf8660e2c01a2_bkransomware.exe
Token: SeAuditPrivilege 4048 fxssvc.exe
Token: SeRestorePrivilege 2788 TieringEngineService.exe
Token: SeManageVolumePrivilege 2788 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1420 AgentService.exe
Token: SeBackupPrivilege 2388 vssvc.exe
Token: SeRestorePrivilege 2388 vssvc.exe
Token: SeAuditPrivilege 2388 vssvc.exe
Token: SeBackupPrivilege 516 wbengine.exe
Token: SeRestorePrivilege 516 wbengine.exe
Token: SeSecurityPrivilege 516 wbengine.exe
Token: 33 868 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 868 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 868 SearchIndexer.exe (24 occurrences)
Token: SeDebugPrivilege 2080 2024-11-08_63e25142176e21b75cecf8660e2c01a2_bkransomware.exe (5 occurrences)
Token: SeDebugPrivilege 5116 alg.exe (3 occurrences)
-
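The AdjustPrivilegeToken table above is the one place in the report where the sample's own behaviour separates from that of the services it touched: only PID 2080 (the submitted binary) enables both SeDebugPrivilege and SeTakeOwnershipPrivilege, while the backup/restore rights taken by vssvc.exe, wbengine.exe and TieringEngineService.exe, and the take-ownership requests from SearchIndexer.exe, are what those services do on any machine. The following is an added example, my own code and not part of the sandbox report, that parses the table as the page export flattens it (one "Token: <privilege> <pid> <image>" row after another on a single line) into per-process privilege sets and applies that rule. SAMPLE_TABLE is a constructed excerpt copied from the rows above; the TAMPER_PRIVILEGES rule is an assumption chosen for illustration, not a sandbox signature.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report's "Suspicious use of AdjustPrivilegeToken" table,
# copied from the rows above in the run-together form the page export produces.
SAMPLE_TABLE = (
    "Token: SeTakeOwnershipPrivilege 2080 2024-11-08_63e25142176e21b75cecf8660e2c01a2_bkransomware.exe "
    "Token: SeAuditPrivilege 4048 fxssvc.exe "
    "Token: SeBackupPrivilege 2388 vssvc.exe Token: SeRestorePrivilege 2388 vssvc.exe "
    "Token: 33 868 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 868 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 868 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 868 SearchIndexer.exe "
    "Token: SeDebugPrivilege 2080 2024-11-08_63e25142176e21b75cecf8660e2c01a2_bkransomware.exe "
    "Token: SeDebugPrivilege 2080 2024-11-08_63e25142176e21b75cecf8660e2c01a2_bkransomware.exe "
    "Token: SeDebugPrivilege 5116 alg.exe"
)

# One row is "Token: <privilege> <pid> <image>". The privilege is usually a Se*Privilege
# name, but the sandbox sometimes prints a bare LUID number (the "33" row for SearchIndexer).
ROW_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")

# Assumed rule for illustration: a process that enables both of these can open any other
# process for read/write and take ownership of any file, which is what PID 2080 does above.
TAMPER_PRIVILEGES = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege"}


def parse_privilege_table(text):
    """Map pid -> {"image": name, "privileges": Counter} from the flattened table."""
    by_pid = defaultdict(lambda: {"image": None, "privileges": Counter()})
    for priv, pid, image in ROW_RE.findall(text):
        entry = by_pid[int(pid)]
        entry["image"] = image
        entry["privileges"][priv] += 1  # repeated rows are repeated adjustments
    return dict(by_pid)


def flag_tampering(by_pid, required=TAMPER_PRIVILEGES):
    """PIDs whose token adjustments cover every privilege in `required`."""
    return sorted(pid for pid, e in by_pid.items()
                  if required <= set(e["privileges"]))


if __name__ == "__main__":
    table = parse_privilege_table(SAMPLE_TABLE)
    for pid, e in sorted(table.items()):
        print(pid, e["image"], dict(e["privileges"]))
    print("tampering candidates:", flag_tampering(table))
```

On a live host the same rule can be run over Security event 4703 ("A user right was adjusted"), whose EnabledPrivilegeList field carries the privilege names and whose ProcessName field replaces the sandbox PID as the key; the infected alg.exe (PID 5116) would then show up as a Microsoft service path enabling SeDebugPrivilege, which the genuine Application Layer Gateway service has no reason to do.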
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 868 wrote to memory of 2984 868 SearchIndexer.exe 114
PID 868 wrote to memory of 2984 868 SearchIndexer.exe 114
PID 868 wrote to memory of 4420 868 SearchIndexer.exe 115
PID 868 wrote to memory of 4420 868 SearchIndexer.exe 115
Both targets are SearchIndexer.exe's own children in the process tree below (SearchProtocolHost.exe, PID 2984, and SearchFilterHost.exe, PID 4420). A parent writing into a child it has just created is the indexer's normal start-up behaviour and is not, by itself, evidence that the sample injected into a foreign process.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware commonly calls this API to enumerate and then delete shadow copies before encrypting, which removes the quickest local recovery path. In this run vssvc.exe (PID 2388) and wbengine.exe (PID 516) start with backup/restore privileges, but the process tree shows no vssadmin, wmic or PowerShell shadow-deletion command, so on an affected host confirm that shadow copies still exist (vssadmin list shadows) before relying on them for recovery.
Processes
(indented entries are child processes of the entry above them)
-
C:\Users\Admin\AppData\Local\Temp\2024-11-08_63e25142176e21b75cecf8660e2c01a2_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-08_63e25142176e21b75cecf8660e2c01a2_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5116
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3640
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1988
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4048
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:2940
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2072
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:4968
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4964
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1836
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4892
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4880
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2312
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3600
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1752
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3284
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3068
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4408
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3200
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:516
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:432
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
    -
    C:\Windows\system32\SearchProtocolHost.exe (child of PID 868)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:2984
    -
    C:\Windows\system32\SearchFilterHost.exe (child of PID 868)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:4420
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (T1555): 1
  - Credentials from Web Browsers (T1555.003): 1
- Unsecured Credentials (T1552): 1
  - Credentials In Files (T1552.001): 1
Downloads
-
Filesize 2.1MB
MD5 915cf21dae76de0692e737e0c16d6fd4
SHA1 77ff7e6d16bcb1823819f6ebe1a3f08109b0a80f
SHA256 2d8542d7fc6fd2bfdb8d71e3b40adc7a62aec8ab58f8b5db8cad59dcdbeca59a
SHA512 1dd395f83ef854b542e8ef3716d7c92a2683a5a429c73c53d6d86691cb0f5d23173ff6123f89650f124bedcfcb226112d98f0c11bc006b1f0f684e72ea4e5963
-
Filesize 1.6MB
MD5 c3d014827cd7e3145bc09a2c15e76a2a
SHA1 19db3a3909cdeea4d1465aa057088b9c0521b5c0
SHA256 7f8b52981108e550470cd7a74d4a353eba8a97bbdcc5eb7c009305dc7b26b66c
SHA512 188d81ea2fd4adc73711e55f634e805031d95e65bc5860fddb6dfdfa4c557fdab83e8298a4fdbf3d7d0f230b175690d8118d06eee8961e840204dd2bcc3d4895
-
Filesize 2.0MB
MD5 119a86136018f0b4003653c2f4ca74fd
SHA1 7389db74f9aa53293f0c8b4859506ee2d3dc96da
SHA256 838dc54753fe6b79724718daeae88c75bdbb36db985424926afca2faa5af3b69
SHA512 0d4b8648a4da760a80d747f5cb10122f3ca00c23c16c2ebb40f595513dfb1cd215b46a4deccaa72599c3a22e0e07f53c28efa63d5fd95ba7d5bf4fa5818424e6
-
Filesize 1.5MB
MD5 6bbb826f81ebdd3d9f3bfd38677b1ba7
SHA1 2722e2f7fc736c80967ce8012b43b5fd88f6f3db
SHA256 edbf63cfa25097f5b48b396394935f82bbede7b7a58c4f73129b1ef49f6a1630
SHA512 9a6d0b2f7323b15f3823d6a615bff64240304a878c77d0f4c5bcd9370602ba046c985316c3274529795465cf2975c919914847edcb40ec6f9dd55708cb9a2367
-
Filesize 1.2MB
MD5 8d869033053ab0fa37337162f628b487
SHA1 a32dee59814d3958cb571f92de8e2b960d5b2b16
SHA256 e3a37fbc399bbc874354cad4756afe3a83e7523572ac28291e6bf36b4d0f058c
SHA512 6540dce17346e687f8c48d112a9922e180d333d58de5b3539687cd4a978610e4e48751d07386ba4838b817574f9f32057e72fecbb683c541f656b73dd8b6fc25
-
Filesize 1.4MB
MD5 81de10e114f995076efe7cf99ee2c899
SHA1 e3804c1b85fac5f10f1d1659899ae88497ddccc0
SHA256 bc4bb1d44e3850feeabd008c9412e1a6b5969ebb31b28484a78e104e6fa4f867
SHA512 477a84e5c694d87b9ec871f20d8c3bad25471aa538e3d7ab6e7f9c6685945cbe799d58237da279323b8b1ecfc684e7a56dee9c26a73e494795c31283fdb8c7a1
-
Filesize 1.7MB
MD5 eb333b4ca1d774cf4f08fd6eaec4ae4c
SHA1 77bb2d0c271c6295c0fe4b906fab1bd733aea802
SHA256 e8c21b33a4805339981500062f2c98a0c5d5a77bca75f984d98d333e49fa7940
SHA512 2795f3a944455c4413afbb8f805cfa8ada271849d62fe99f790fde334d76ca08b04dc9138835a8eafbd2865e17e6d8a15e3145c7d56d43cd6a729abd119be845
-
Filesize 4.6MB
MD5 9037b4b58b19682968cbad8f5a8fc80a
SHA1 7b86d46599a85804eae3a79b2c1bf71c3d2f9275
SHA256 c705193cb30c1198afb9ee8ccfbc12bb99978f1506db4faaa5823be333078c6f
SHA512 a4d93c0f9340ec72fc3db61158f7a86b23f6d5ee28395762b0d3fa91547d1ea816fa782448ffd506fd674fc92a55c4a57fa5f4e670e457d850421074cffb02e1
-
Filesize 1.8MB
MD5 e378eb5b2192e4fa2e01275749c33bb2
SHA1 f19ee0f3aef0d53faae979102ef5d72759c988da
SHA256 c869fc883588cd1e38c8fe2fb976f28a363dcc75633c44ab74d18430286c04c5
SHA512 845728860a819e91765f53e7f9180fbb5ed95786ee51b6564ab7c7095bb494efd2705b9a228ac6e7bc931c124be153483ae0cdcfa257d0823420de0835a41af4
-
Filesize 24.0MB
MD5 61236103a6428eb31dffeace3d98ed30
SHA1 46e0646ae7f3d856f12facf50563fff66a3c8e29
SHA256 40d4f0433830e6babde7c24a9c86708b9865dea76678e87589f9e6171df90c9e
SHA512 d6d8bd51db3477893f0f4754cf0e05c5e31bceeed5245f4f19c5fab85ec5b8bba30a1ab155db1a959690bb743a07eaea0defe76bdca704272649ba14139e0b94
-
Filesize 2.7MB
MD5 2e8d1729e968fc07af9ca8a2818e2ab0
SHA1 1ad73dc5654be97e7cd1406f122b4f66bda37380
SHA256 5d804be313cf15329f319d71197104d48d30bf0fcade28e04a1ebc52306a5ada
SHA512 4481ace6823fc89656d6448e170bc4270639a92977301973e0beedc8056f59a9e95bac92b60d46db199d7af1b78354a43ae78371a0d38ebcf3567b3ceb599ea1
-
Filesize 1.1MB
MD5 888c84d486663886f1249d74e6b82bbe
SHA1 02657c08490866448261cc99da8cfcc841357a25
SHA256 07f5b53ebaa87d67e95a98b410ef2c127424586d5a7dd419eed1d80325248cb6
SHA512 bfe8289abb1b454bcda118a8878ae00d757d5081ee41dc8b16c0c8f7c9edcae51025f9c510927358b40a4aee681f6d43eb414a1a8502f930dec7376e2bf59d70
-
Filesize 1.7MB
MD5 17b62d005cc253d857f5bd112fb5cca9
SHA1 a2908167597c51320ade6f7bb6d763a39d8fcac7
SHA256 9d9be764dca1520dfd4cb080a681210721d1132cfa23d625bf24492d474997fb
SHA512 308954741a080468d6a381d6105d8857121f49ade5fe50abf8788e1085d54be098e52ffc6350f5f29ba3349e0f3d73e171300cd781c8cc26b477534c9edb2455
-
Filesize 1.5MB
MD5 81200538afe1b10e4a8be998f901784b
SHA1 f02b3bf0f1f8544e360fa1913ccfc6edd4a3f5de
SHA256 696f8d306d28df9f1380c55cc7aaebf7a13010cadc2f7e78849d7b8bf38d80b9
SHA512 8643325dd66fa8c116496f2003910b89e18891165176cd9ef2a8f9e36d292a39532280f532f0a99d0216458c62cea8fae52419e234b0bd9e4d32393131087d58
-
Filesize 4.6MB
MD5 7f18c82ede67ca52f0e47389e6e92b9f
SHA1 044461156d927cc06bf884a93c0679eb840fc9ac
SHA256 351ee192afc3f8d9fcf337218745639297cc2472f6a36abbb522086e9cae00a9
SHA512 7ea4ff1d3fbd86881de76c396240e54a3462478b2229f1f529171e29ccfa54e6e8b20e69053ccfd0143b086c781728e63a8c5825188b09fd4f8e17e393b4fd5e
-
Filesize 4.6MB
MD5 7e5161d361be01dbc52314c0b4fa896b
SHA1 e68cfbdf22b9f55ccf65026051ce759f7f5012e4
SHA256 ee00e1d36eaed816a3d7edf4b4b7ebcc66b5a8283938a4fb23ec221c9a4511c3
SHA512 7cfe7eddaef953b868ae1ba32206c5ccb31cdb2f9594a21d2e0e3b6f13d904038185315f7dfe06e9677e6fe95c6727146e9796ff443ec144ef4f57c19d8684d5
-
Filesize 1.9MB
MD5 33befb74829757e84a9c41ca38020934
SHA1 f255be8c0bfcd0a4f0cf54bfe0f33feb262e7ba7
SHA256 0e96ec2d8c73da6d69bacb5c67a6adfde55a89f2aa6c5952de2b00c04eaa5f80
SHA512 a5863fb6520832074ff21eea77907751550ba3b6399789efd1a166641c1c6abdad9b7a9bd5f2a6fdf9552a3adaa68b608ed8bf1eff0434322971a251adfc38e0
-
Filesize 2.1MB
MD5 bf28ceb7eceecefa41403b936f255625
SHA1 a4c6bdbe4dc08171681030e9be5a67a14a843583
SHA256 6d610ab84fca3559be8083764db779370424e991e57d1f2c38862574383feeb5
SHA512 94f19b0e1c2ca8860ab04f4d9b6ff4da9d85f775e4f82cc6eff144e62b34f9bc3e73164c3231bb2f811a95280b49f155b9f7ab1c345fa0ab5c27c0c19a853048
-
Filesize 1.8MB
MD5 780cc2a32fa9eb1b6197bfa8d1d0f295
SHA1 4c743bd84e098ea8e490fc681e6dedb92fc01199
SHA256 cd97434dd418e46b20028bfeba53f0c8f76af6b142af27709b5ace5bdf75a32f
SHA512 dd3432864adb53684ff93bfe1b920cfbafa02e4c6fdc9bf1a42866324249c7352da9c7552984ef16b062fb9d7583a4fce33fe0739c98711aec4e96f4264e48aa
-
Filesize 1.6MB
MD5 30d8fae88de5cb29649267d7c675d536
SHA1 4cc3de8d5269ee587b5a5bccb0763b5099bcca37
SHA256 d086bd5d1f486a0009f3326a3ecc3b61577a2091e3a90d2df8f7da19920efb95
SHA512 8a0589a1a910917ed00ab635bffa45beec94d06cb2b806e45b63a856a55ea86ffe10f8191a723c2e0c6435e7486ca59ed836e1fde8e7de4c50bd0e378e9e174d
-
Filesize 1.4MB
MD5 64d5ca6cc8e4919800e73b2069c4f190
SHA1 4cae87ae7b9cfb09c2d26c171f924c7663a90e9f
SHA256 618ab50d38fb81f47c39495dad9a0ec386eb87bc8276e9472bb99a05e0b99922
SHA512 f4f42a115180f14345b9596d40c7d4027da411586955bcee53c43c2f7948f69beb4ffd731f7393a3ae711c1c73015ca1c80c9b9f74b52bbd105d498117e25757
-
Filesize 1.4MB
MD5 b14e0c5b5639bcd4301fb12a51730572
SHA1 1b824199fbbd51e9756f013935a1fd55e8d6a30f
SHA256 d6c70586c16ffb9d5c6f92b98cfebf9cf1c3549f9a693c03c91b2d336c7b93da
SHA512 f160c414957998a36bf912cf8d68eda2686448492c409a02e14c4a964339d8f7532fb38b4dce1a6688d5cd37318999f1b65a126b340dbc0de181d755620f2b50
-
Filesize 1.4MB
MD5 08a12bad45d46f0e99f0fe4e98e59492
SHA1 e96f05113297e78255088b737e0127bc62dd2d67
SHA256 bcb8289c853c2a34de629ac1c8aa7716dc9dc5a9597104630f56bf65b5cec88c
SHA512 9d337f2fbfbc57a770d1743dc97f1b7c6bb71990bf9b7b8e4a0e056604284dc3f453b271a779e86eb8177f7f0112471dd566452c700377fcf0be4dfa1d58960e
-
Filesize 1.5MB
MD5 7702e0c20611a53a2d369ad8df2f9480
SHA1 fa7a11fc8e2966688e6e61b17ae52fed7534fe4c
SHA256 3a23a84250ac203386bc3515156b55117ade644d0ee3bdf8a5b9157eff081d6c
SHA512 ccbdec167d28fa365c8fc54172a13b73f8c663fd0daee12feb044b99fda1abe899d48066d7d556b1935dd4d7a5f74b419bd94395b129df87fa8000cb8eea1706
-
Filesize 1.4MB
MD5 6dc1f113e6e6aecc5e61efb9bbb063cf
SHA1 e0cb9937c23068d13c3bf851f25e711c3b3da90d
SHA256 dc232b8490b2586395e470cd7e740406f54aab14bbd35aec65de35d7c919265d
SHA512 3698c2dc3409580333b5232dcf8a21d3ec65dd5f3586623047dffc29258d726a36deee69090f2a1616038f0780a7ec4ff7e7b9cdc0014f350e67bcd9c3ae64cd
-
Filesize 1.4MB
MD5 230150228a2455a8f90d4934f47658c9
SHA1 2aff9346f5d86e5d5c10f880bec734cac17c1069
SHA256 05cbe6236bfed7dc05887d76ae441915e846a14a416b276b955c5ff2e7a8cbc8
SHA512 fb31fa022414b6125bb10072e06761f272d3c323ef4e6d3be7d441afa4846a2176f73bd86c78610c126ff6c37ebfd2582793ec9a347db80fd9f2621406f8fe31
-
Filesize 1.4MB
MD5 dc661ea497748a14482d5f5b9b97af1e
SHA1 56d6d8048c176ba0327dc33f3aafb54b4f692eb7
SHA256 f8f810ed758551178ec88b744e9fdb4c4800b3f2ddfb685c6a5cca84b9ed9005
SHA512 164fd5875aff1a160436fecff5aa9aa298766e4b869d127b6ea1e3d5f1f15ee8b7073d38591b03a7a8df172415ab2ed72d637199e086d5cbfb257b090c95ca0e
-
Filesize 1.7MB
MD5 5582875405989c3a9831a9b2ad536caa
SHA1 8f3fac10dedfd63bd9067c3e8f3f92404bbc2e81
SHA256 bb857944ab23f4c5221d0e1e07ba70c236c3f8ea62dcc33609ea52baa6064685
SHA512 98ea2505d8cccce19bac2758d49e2196742106612175430c87e3bf16a13ccb5461b92d600a5695d4bd0b1d934dbc5874abe9f8eff1ab42fc1e0cb9bc4de51a4f
-
Filesize 1.4MB
MD5 9e4806c8ce5cd61ae2ed4fd9c7bd298f
SHA1 c8a2aa6984e3c574c622d625b3625510b5adec20
SHA256 fc697fb322ca05de945f605e8be9d2b71bf438cf98302e4016b9106db76601af
SHA512 d8710b136d19af3fb654b1e94e408e1f760c78119bd5da93c3342bd645a70694cfd29aad4b46aef464d2cb2ac9dc671a49e2b9ce154eccf7290fcc2d9ef6a1f5
-
Filesize 1.4MB
MD5 56e078b319836afb34a68684d00c8d52
SHA1 092ba25daf502fb0bf0bc5bc4d59c2830da08392
SHA256 f108ac22e5131e02323dce48775330bd79035dbc4a5be13c789bee1431c166ea
SHA512 86a09d664c12045a73d2fb8421f8fbe6c7dfc5f5832002d6a02ca5955d034220787a98205cd136204c15ce110c5afc258c4c56fa30f59547d51d33906584bd47
-
Filesize 1.6MB
MD5 b960a8d10604a0198a046f2db2413990
SHA1 abfb4892f3075e0c58ae0ada96cdc27a2590ba0a
SHA256 40cae3307f919845ecf22e68ae22c4c1315a2e3d9131ab34a9d4d1e0a963f686
SHA512 72e0679341bfdcc8a294e95566351c2152d8b7976fda831316c3c916ed0fb03af55d7e1f5f68baf2bbc0df745c3b0f80e548be322f1d932e547f394fee75b1f9
-
Filesize 1.4MB
MD5 6a98e2f86658515881f67ff6effe9c20
SHA1 cd600e4d4c2a8871d506aa68f07c469de00be42b
SHA256 d723bb45c00eacd5fbeb5b7bc963533449255e2b3433b504feca556d042eebee
SHA512 f314f9c164a56f352120f342f06cd1558c41e51848967127d284853bdd07fdb77cd2df068389c7df93e0d1e9d21f3c35242906a5ec81abf3aee1f1ea72b34fdd
-
Filesize 1.4MB
MD5 082e20cf9c8809d927788b5c831abf46
SHA1 ffda53736abd91bdb08baf28845176c24fc36e55
SHA256 fdb729955b6d892cd96f637c2f5726734499bdc60ea0b600d813d0cf843cd6a5
SHA512 4a4327e427a7822333c33b203ad73e69c1c77c16515519a695c501aee07c77255f7a14aec1d0d4a48ca2ab1e5f49b6c87f4bb6af1c12c4502d33039640621922
-
Filesize 1.6MB
MD5 e14480f2e39a78daf9d6dbe93e37b504
SHA1 e7981513f0de885785bef7577aa9bfd7287911dc
SHA256 12f30578fdff34f68260c9022825fe777a4bf3f060e927345b133744cf016bba
SHA512 be20a4bb839a1548a7ae356f6ec69cfb4b56ace9b57cb7190be9a4e14940f7af7aba8b6c09e2798ec1eac3758c41193275a727838f845c391fdceb06c3cac4da
-
Filesize 1.7MB
MD5 7488534fafc8541538a170beb4c573fd
SHA1 bd5e87800f990e10d0d2cb63e50e53df4d049e07
SHA256 27c0fd55b637e2f37de5e68b7aee70cb40f061be723d549dbb45e14546a60cf9
SHA512 fad07079ce2506aecc6a709d8fcf5813d86234bfa553f28ce550e194d8a95c86d30b14db78cdc5496c9d21c57f7b377159ceff467a0227d64d6ae8f44b119e2b
-
Filesize 1.9MB
MD5 1f69ccd9dd83db800d75d97855425642
SHA1 e41cbb6f2096a0c39052f34076c657a5e0e5ac28
SHA256 356dfa6a43bc80690ec27df101a3703e11be844606e4b1b243cc5a6a19a12263
SHA512 8b55ba2fe69d5298e643190c4a5f9b6104aff69cf0824675cbd6538080b79e0114dfd54a307f2bdea0fb9c72a0aef47bae8d3193f0b1b559e6cc83e168988507
-
Filesize 1.5MB
MD5 868b6e4e16468827e33685ef95db85e3
SHA1 9a24fc2e0d13fc534b411abd974dfe690e7c6603
SHA256 d9f68ddcfd77f760a3c9bd7fa17844bfa22b16989e054eb5312fe86775c66fc0
SHA512 63aaf1df53271dae88a012791e93f7a3522a3ef3dab6781beff8566ca32e48204927bead2d7fb15ba7b3669cd932da1c7b8699c258c2e7a3043d6df9dfe6bd80
-
Filesize 1.6MB
MD5 2d40fbb29dc95ea9bd38cad38f117505
SHA1 ef5ddeb58b61674c9835af700bc29276bbf3d566
SHA256 d713533a5f79f097e201f4c340473f53d5cea5d100faa4b257cb83c819e42974
SHA512 975eb8df120b445f668fb0441211d504d37b0853442f494a1141c1312538a64422e720f19ccfd5610277c4f5538e3858f23ad9fe51a796eca4c9534e2774033b
-
Filesize 1.4MB
MD5 88e99c2e66f3301d759c8ef0fdbb8f64
SHA1 c30879195a0b54debe89861151b2a14966c68bfe
SHA256 71077f7a334a5bec0b1df20c1921d94fa9f83ec9067387fbec724a4d152bb9e1
SHA512 c4b78788d1c71d4cd1e8e7def4fd119c662f687b41c40c0231373ef67e33f11f577de90e9b22af13251b2b89101bd5bdd4467d78136bbd3c68b4e1b08e55ce54
-
Filesize 1.7MB
MD5 bbb3cebb822f584544dbfef30ce09cb3
SHA1 483d2ae831eb179f3c294130e5da78d36dfb7a80
SHA256 8402e73060f3d9fc1f5c91decce4de2103e5ae2cdc15b2a9346d676e2609523f
SHA512 6d2b620b32151f2149beea05356b09749f61f5cea9bf9c87daf382446930fc177c4b777267b3cbd897ac7b12470a407a1226326884cf7fe6273bd3df16be14f3
-
Filesize 1.5MB
MD5 44dcf7bf46153073821fcbd1f8c53b4d
SHA1 8ad512dddc0bf1e32a7e86e60477490177605cb7
SHA256 cddcf614564036bb1e66089efe101cfb2720587f634d2e5ee1127d36238c159c
SHA512 dd7739860ef289c4607e97c6f666b90897986cf299e2b1a02b2b7b1839ababd36b5df51d7d0450d708f42cc41117973d1a672376ccda0b2afde206138b3be46c
-
Filesize 1.2MB
MD5 ea75b8ce857758e6019f36079cd0145d
SHA1 74f05467fceefc41d0b121cadb6ffae8c13976aa
SHA256 27d20c36da539480461ef7155bcc06962618385b0900c6985a14ebf165e27b48
SHA512 2b6c7710bfe9d2949ffe7d842f6d89a8c3680fae066fdbbf3982f3bcea54bda6ce1059c1fb1f37a9d71fb2ef85827e41d986a21f07f3d6a04654c2528c2d8ec6
-
Filesize 1.4MB
MD5 5959f92c2d5698f954582871fea68b3e
SHA1 19399bde495a9905df9b194ea05e2c2ec4e85625
SHA256 ca6b659039428b5fe391cf999a688ba94bf8aca77fbff78c8ebfe8f22eeefc1c
SHA512 43eb0ca429a47b28330bbecaa7ce4c22d87f7204a6f1784417092b7ade26badf9609f9660641eda5c5d0ab05faf0f66dfb52e375686b2460ffb4a90e07e79f51
-
Filesize 1.8MB
MD5 65ac2f626c4e94163d3b8dbc8a57ded2
SHA1 5b92d01e41c816a69f3ba4011ea1dcb0660c4c41
SHA256 f199f899a1dd7b1b9acd9ba6be2beff2e7852a6ab031ca82704c4ca416f33676
SHA512 94c2cf512eb101c6860e1fbb033d14f49eb5db9934083276ff9a8fbc915d7183b9b0f50907f05628cf2a9690f11a5f5c3058df2623a8abe7f74598c718f8173e
-
Filesize 1.5MB
MD5 016b286c0b279f05c746d269c902f581
SHA1 157b25f2338135524ffdca4167f116bd573f064c
SHA256 12fafce64bea196e9a13d435d1cbb6777f46ce49d32d3eaaf1268571a4bb0dbc
SHA512 b247439527e69a88dba19310b409294c034d9d19c4d9b9b36f4ba01ea147b9d6e21b7e5e86d82de737dc79a74a4efe53eaf64922321b688b1f9b3ea10ebca586
-
Filesize 1.4MB
MD5 b982a2d57f9e9b6865f86ab7d1352f51
SHA1 f6bc7689bc26921aa592a1c8a897e3eeed60fc68
SHA256 371cc78b0831a4f34c017be8e0c6b613eb1b1db3fcd14642fbb7b4901ff006e4
SHA512 f731bc03b150d42bc606e9964c45ea60fe6e9d64260f059d408e4b44839683a7fb85541c261728ccee3c33fc869ff5688192b8fb251b06ca89a61dc93d01155b
-
Filesize 1.8MB
MD5 2ec8bb9020554f7a3dddaf57dfc9c9b6
SHA1 7af6aa2d4827ac1c1ba21dd19296756ef2fba3d8
SHA256 cda9df65bdde5683aaccc36f65a0b60fc0c338e222775c10e5a8ddf86b65157c
SHA512 73a0dab1ad3af57ba61c1c0870a14ae0060bf2f410e20ebb69e33fe2d09be403e6090ee3a8b2b974aaf45eea961d636c882359de01d9aa856fde7bfee358641d
-
Filesize 1.4MB
MD5 aafc5cb645c0fbe33c3afc707c86c68b
SHA1 cdcdcf95d441c6879c9b98e22c3427904db63b38
SHA256 64765f71ca46c42383dfe970c2e2785b58dcdfef3819141c3a2b46f212d24006
SHA512 0c5af14b2beae799141bea16a385a9ccb8ffb334634918851e16697b4b4dc86cf2029c04859a95db262d1848d28323ac26ab32612875371afa26942e9057ebe9
-
Filesize 1.7MB
MD5 22b69cdd533c299e67674d7c1c8e96ae
SHA1 410766733c87abd5b4c9a37afcdf1b24d598e0bd
SHA256 1876394175860ae4039d5747b50cf1eb4af07b5d9f9ec3859a04ceee2b62ba29
SHA512 66ce80f1b420f81a4f2111f7be409f8c5e26399f38145867fbbf07d45365f180aa5a235204f6d3eddf525c609a41f886c8d2e59e53e5874b1a0c376a33cd3eb8
-
Filesize 2.0MB
MD5 5fe50c93b43be8d073ead4af33857085
SHA1 b8b55a751a09bd0423c4b6c5b3a0b316d3bff533
SHA256 a8a3c7cea26f1f1504bec0d9cba228df70bbf63fe9e32dbd28f50f3f2064a8ad
SHA512 573a10b241ba51f9d98a1ac557ee0cbecd79262b9091289571b9cd2d80b93dbad33f04a9d50433355a3de2bbdd45e158058c5fcd09f89dc7c468e0fa1817db68
-
Filesize 1.5MB
MD5 3a55670377c68e1e83915eb6d2e5c5bf
SHA1 583087aa07f297a24e82308037a7c822c6c45b20
SHA256 5efed42f019acc744118c1b11c59889c42a9a0f28ad0a61ea9362434333da299
SHA512 58767eae05219d7769ef385514a021846912e692d28fcada967a1d2a73c522cebad7cb2e85f8dc978d048f3acaf0b14f43988df08f93bbf9a482ee84631b6ea5
-
Filesize 1.6MB
MD5 b32eca617978912c30ea2c008952d046
SHA1 84e34e10c81c321a611b7491fc12cde4d2f8239c
SHA256 bced292b1dfd1459bef8b52ed6724f75f46bcccff67047142ddfd03d947199d2
SHA512 789cdd58f6afd9b1081961ea47afa47268237851d4f53f3d2925b0bcb677b620bea07c3d52db31bf82c1d1d98e4b6c838cf8009257a6cef8b33ff9bce684d3b2
-
Filesize 1.4MB
MD5 e27dbb1092e7b6eee609e0f07605f28b
SHA1 6876df45f1a1ee3145b16d5f2886b7b4df9467e2
SHA256 c060c506e2aeb7914c62eb9c6044be9dd04ac10cfe9301b07827f431db4e1b30
SHA512 0da0126268058b1c3e9093bc132e2b60af08b17ff5022b98dc9711aef8892568cfdc7caf9d982d8ca41b0fa6b860136696e725ed7fced88515d4a7ecf4262ea3
-
Filesize 1.3MB
MD5 1421d5eb01092afe14e37ab35ae3ffab
SHA1 cc59e456394f5decb44610491e2f5aa8c1a83198
SHA256 c4cbd70fecb95b287d4c9cfd9f7064fb3f09eea330b731921fbbd048a3101c2c
SHA512 7a39078509bea693bdc43eeab0a75e2e6fe25dbb076474594c2f0efcd0d211893ad3c7c8863e63f736c23529cb836fd588193817e81db94e1db1658c3ef9c2d4
-
Filesize 1.6MB
MD5 cd9fb980461721c96d125e2882a3812e
SHA1 379be73656e7bf495593c55137e21acf6ca6ffe9
SHA256 542d94fa218aacc3a4d0c14c67dea264d10cfbf3be865781ac7123581081fc3b
SHA512 4b031c171a10fc2be21dd52b6e2a8d9aa458f7aa82c50168cbf117b7b77c800b8236fe98d28a674db9956567262afebde8d91703db54e4f33a534f4b6985e178
-
Filesize 2.1MB
MD5 db86ec92713bd8a254b2776e82f9719a
SHA1 1f01f3b97e93646f3b5e5d96276c1797276cd785
SHA256 d4c08f2c48f6ff039c67be2802bd222c5c3191843a6185046633f8d33336406a
SHA512 48a6dc9bba5119f94630438071ceaac590c3b2b78c1109817f88c94a3e61005f70b436c75c7696b49d1ba04033238ab9137b5ce93cfb485e32534808a621d8d4
-
Filesize 1.3MB
MD5 53865d2640289f27b7a0ffa2ae8caeb6
SHA1 6093c52d68ff27abc56b3ab259fcf00972447430
SHA256 0964fedebeb21bc898230f3bb332c855f6254721c9fa435cb4217fc53b67c2cd
SHA512 5e122f3727302ff3700ce0ada2985ff7a12098655de2a9f2331bda7425abcf950c051d551b8cd8429a17f028b745c980aef056866021ccccb75376dda8130d37
-
Filesize 1.7MB
MD5 a44ce47ae870f07cb5c87854f496a0b0
SHA1 1469831ea7621990fb25f5a80503a788e0143a73
SHA256 2803eff0ad30778ac331534c8564feef44315e5f75a8831e1c0bda9efcdc8e1e
SHA512 17e42864eb440cfa41f03be2a5c6823fbc8119a65e9b1d9d2dae73a0e1e9bb84e69a25498d33c58750bdce06e8c6f4e558c65cec1fb5af0df1a56930b27bd99e
-
Filesize 1.5MB
MD5 1b5e4f873a251a7a2667c6d0f5708e80
SHA1 5b431b1f3a12cedb22a0a639a924201d2f2673ea
SHA256 425ff9dc64622c1389237869764085f308b60aaae4573fd85b8bc450447e9e09
SHA512 a6cf3a966c271cb34d8be6e241a500599c7f13811ceff32a13bcd265060114a70efe9b04874b720a0a91bb4b58dfb4766576352cb60ae86742828c5e1cb7c459
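The Downloads list gives one digest set (MD5, SHA1, SHA256, SHA512) per file the sandbox captured during the run, 59 entries from 1.1MB to 24.0MB. The following is an added example, my own code and not anything from the report or the sandbox vendor, that parses that list in either the fused "MD5<hex>" form of the raw page export or the spaced form used above, rejects digests of the wrong length, builds a lookup set, and sweeps a directory tree for files whose digest is listed, hashing each file once for all four algorithms. SAMPLE_DOWNLOADS is a constructed excerpt: its first entry is copied from the list, its second is not from the report and carries the standard test-vector digests of the three bytes "abc" so the scan can be exercised offline.

```python
import hashlib
import io
import os
import re
import tempfile

# Constructed sample: the first entry of the Downloads list above in the fused "MD5<hex>"
# form of the raw page export, then one entry that is NOT from the report: the standard
# test-vector digests of the three-byte input b"abc", in the spaced form, so the scanner
# can be exercised offline.
SAMPLE_DOWNLOADS = """\
-
Filesize
2.1MB
MD5915cf21dae76de0692e737e0c16d6fd4
SHA177ff7e6d16bcb1823819f6ebe1a3f08109b0a80f
SHA2562d8542d7fc6fd2bfdb8d71e3b40adc7a62aec8ab58f8b5db8cad59dcdbeca59a
SHA5121dd395f83ef854b542e8ef3716d7c92a2683a5a429c73c53d6d86691cb0f5d23173ff6123f89650f124bedcfcb226112d98f0c11bc006b1f0f684e72ea4e5963
-
Filesize 3B
MD5 900150983cd24fb0d6963f7d28e17f72
SHA1 a9993e364706816aba3e25717850c26c9cd0d89d
SHA256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA512 ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Label and digest may be fused ("MD5915c...") or whitespace-separated ("MD5 915c...").
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")


def parse_downloads(text):
    """One dict per '-'-separated entry, e.g. {"size": "2.1MB", "MD5": ..., "SHA256": ...}."""
    entries, current, want_size = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "-":
            current, want_size = {}, False
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("Filesize"):
            rest = line[len("Filesize"):].strip()
            if rest:
                current["size"] = rest
            want_size = not rest  # raw export puts the size on the next line
        elif want_size:
            current["size"], want_size = line, False
        else:
            m = HASH_RE.match(line)
            # Drop digests of the wrong length instead of indexing a truncated hash.
            if m and len(m.group(2)) == HASH_LENGTHS[m.group(1)]:
                current[m.group(1)] = m.group(2).lower()
    return [e for e in entries if e]


def ioc_digests(entries):
    """Flat set of every digest in the list; lengths differ per algorithm, so no clashes."""
    return {v for e in entries for k, v in e.items() if k in HASH_LENGTHS}


def digests(stream, chunk=1 << 20):
    """All four digests of a binary stream in a single pass (files here reach 24 MB)."""
    hashers = {algo: hashlib.new(algo.lower()) for algo in HASH_LENGTHS}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_bytes(data, known):
    """Algorithms under which `data` matches a listed IOC; empty set when clean."""
    return {algo for algo, hx in digests(io.BytesIO(data)).items() if hx in known}


def scan_tree(root, known):
    """Walk `root`; return {path: matched_algorithms} for files whose digest is listed."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    matched = {a for a, hx in digests(fh).items() if hx in known}
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            if matched:
                hits[path] = matched
    return hits


if __name__ == "__main__":
    known = ioc_digests(parse_downloads(SAMPLE_DOWNLOADS))
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("abc.bin", b"abc"), ("clean.bin", b"abd")):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        for path, algos in scan_tree(tmp, known).items():
            print(path, sorted(algos))
```

Hash matching only finds these exact builds. Because the entries the process tree marks "Executes dropped EXE" are files the sample wrote at legitimate service paths (alg.exe, msdtc.exe, vssvc.exe, the Chrome and Edge elevation_service.exe and so on), a rebuilt variant hashes differently; the more durable check on a Windows host is the Authenticode signature of each binary at those paths (Get-AuthenticodeSignature in PowerShell, or sfc /scannow for the System32 ones), since an overwritten copy no longer carries a valid Microsoft, Google or Mozilla signature.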