Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:41
Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe
Resource: win7-20240903-en

General
Target: 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe
Size: 1.3MB
MD5: 7cb8c83dfcd1c756fca932452963cca5
SHA1: 5edbaaa6e9edfa1a6b442513f61f3d6c168c27c2
SHA256: f66dfb2933ec97a49c1ce6b195b3d557b414c0393176bed0d7c1c7fb6e88be4e
SHA512: eb413d6a99053193ffd66ee895ff659cf67ba10feca37b5943026673eba5ed502976a7c0ddbb99517f67a006e5fd58f8ca9a68c64a2b839cab1645d58f135523
SSDEEP: 12288:UtOw6BaeMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:K6BcSkQ/7Gb8NLEbeZ
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   | Process
464   | alg.exe
1676  | DiagnosticsHub.StandardCollector.Service.exe
916   | fxssvc.exe
4248  | elevation_service.exe
3088  | elevation_service.exe
4880  | maintenanceservice.exe
3108  | msdtc.exe
4252  | OSE.EXE
1344  | PerceptionSimulationService.exe
4812  | perfhost.exe
832   | locator.exe
1736  | SensorDataService.exe
920   | snmptrap.exe
3224  | spectrum.exe
3948  | ssh-agent.exe
1748  | TieringEngineService.exe
116   | AgentService.exe
3016  | vds.exe
1044  | vssvc.exe
2564  | wbengine.exe
4432  | WmiApSrv.exe
4600  | SearchIndexer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 
2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 660 Process not Found 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe Token: SeAuditPrivilege 916 fxssvc.exe Token: SeRestorePrivilege 1748 TieringEngineService.exe Token: SeManageVolumePrivilege 1748 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 116 AgentService.exe Token: SeBackupPrivilege 1044 vssvc.exe Token: SeRestorePrivilege 1044 vssvc.exe Token: SeAuditPrivilege 1044 vssvc.exe Token: SeBackupPrivilege 2564 wbengine.exe Token: SeRestorePrivilege 2564 wbengine.exe Token: SeSecurityPrivilege 2564 wbengine.exe Token: 33 4600 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4600 SearchIndexer.exe 
Token: SeDebugPrivilege 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe Token: SeDebugPrivilege 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe Token: SeDebugPrivilege 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe Token: SeDebugPrivilege 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe Token: SeDebugPrivilege 2708 2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe Token: SeDebugPrivilege 464 alg.exe Token: SeDebugPrivilege 464 alg.exe Token: SeDebugPrivilege 464 alg.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4600 wrote to memory of 2624 4600 SearchIndexer.exe 111 PID 4600 wrote to memory of 2624 4600 SearchIndexer.exe 111 PID 4600 wrote to memory of 1220 4600 SearchIndexer.exe 112 PID 4600 wrote to memory of 1220 4600 SearchIndexer.exe 112 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-11_7cb8c83dfcd1c756fca932452963cca5_bkransomware.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:464
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:1676
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2044
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:916
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4248
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3088
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:4880
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3108
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4252
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:1344
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4812
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:832
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1736
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:920
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3224
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:3948
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1068
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3016
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4432
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2624
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:1220
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads