Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:41

Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Resource: win7-20241010-en

General
Target: 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Size: 1.3MB
MD5: 943d8eb8eb32fc187ad237abdf02e76a
SHA1: 59c5ef6ac7a0271112ac9870ce0bc147e7cc63d7
SHA256: aaeb6a9ba4d5654a8043380de601dbf6c188d32ce22530d6180ed87739954942
SHA512: 4dec5d057cdbde7e569f219b51e41c22624e15369c3d7c455a86096f3c302aee669abd59e58f5ba8213bb8093fec7aa0d8a1beea75213549a349b49bfffeeebe
SSDEEP: 12288:ktOw6BayoMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:66B3SkQ/7Gb8NLEbeZ
Malware Config

Signatures

Executes dropped EXE (22 IoCs)
pid | Process
1428 | alg.exe
4080 | DiagnosticsHub.StandardCollector.Service.exe
1844 | fxssvc.exe
4256 | elevation_service.exe
2028 | elevation_service.exe
4624 | maintenanceservice.exe
3692 | msdtc.exe
2284 | OSE.EXE
1360 | PerceptionSimulationService.exe
2628 | perfhost.exe
4128 | locator.exe
1312 | SensorDataService.exe
792 | snmptrap.exe
692 | spectrum.exe
3460 | ssh-agent.exe
1836 | TieringEngineService.exe
1520 | AgentService.exe
2272 | vds.exe
5040 | vssvc.exe
2632 | wbengine.exe
3428 | WmiApSrv.exe
1168 | SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar data.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\2f3149f94857919.bin | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b92fd35f032db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bcc1736f032db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba46b135f032db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab733c35f032db01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a99a4335f032db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d489235f032db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a289636f032db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f82ac35f032db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d896a035f032db01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f5ca535f032db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
- 664 Process not Found
- 664 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
- Token: SeTakeOwnershipPrivilege 2072 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
- Token: SeAuditPrivilege 1844 fxssvc.exe
- Token: SeRestorePrivilege 1836 TieringEngineService.exe
- Token: SeManageVolumePrivilege 1836 TieringEngineService.exe
- Token: SeAssignPrimaryTokenPrivilege 1520 AgentService.exe
- Token: SeBackupPrivilege 5040 vssvc.exe
- Token: SeRestorePrivilege 5040 vssvc.exe
- Token: SeAuditPrivilege 5040 vssvc.exe
- Token: SeBackupPrivilege 2632 wbengine.exe
- Token: SeRestorePrivilege 2632 wbengine.exe
- Token: SeSecurityPrivilege 2632 wbengine.exe
- Token: 33 1168 SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege 1168 SearchIndexer.exe
- Token: SeDebugPrivilege 2072 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
- Token: SeDebugPrivilege 2072 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
- Token: SeDebugPrivilege 2072 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
- Token: SeDebugPrivilege 2072 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
- Token: SeDebugPrivilege 2072 2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
- Token: SeDebugPrivilege 1428 alg.exe
- Token: SeDebugPrivilege 1428 alg.exe
- Token: SeDebugPrivilege 1428 alg.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
- PID 1168 wrote to memory of 2312: SearchIndexer.exe (pid 1168), target procid 111
- PID 1168 wrote to memory of 2312: SearchIndexer.exe (pid 1168), target procid 111
- PID 1168 wrote to memory of 440: SearchIndexer.exe (pid 1168), target procid 113
- PID 1168 wrote to memory of 440: SearchIndexer.exe (pid 1168), target procid 113
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-09_943d8eb8eb32fc187ad237abdf02e76a_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1428
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4080
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4260
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:4256
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2028
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4624
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3692
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2284
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1360
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2628
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4128
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1312
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:792
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:692
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3460
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:432
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2272
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3428
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168
-
  Child of PID 1168: C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2312
-
  Child of PID 1168: C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:440
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads