Analysis
-
max time kernel
142s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
20/01/2025, 12:05
Static task
static1
Behavioral task
behavioral1
Sample
2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
Resource
win7-20240708-en
General
-
Target
2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
-
Size
1.3MB
-
MD5
5477d7df4b5fe2cf39a8738493398aec
-
SHA1
b4c0e10a995b0203f8813d4c8fc438b5e343801a
-
SHA256
8fe2e0a081f2af8ecaabc8ddc4a8988a093ab00d70e279eaa641a2e993fd39c0
-
SHA512
5be69bcac81257ed6c326d8d7ef4a6af562a6da5b2f51a3dda052b39d3fc402c4ffbf342f33625a8264293af1aa62589c17727a6dcf452e22223ffdebf95e485
-
SSDEEP
12288:wtOw6BaLMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3XH:+6BzSkQ/7Gb8NLEbeZT
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
The 22 processes are existing Windows service binaries and third-party helper executables (alg.exe, fxssvc.exe, msdtc.exe, SearchIndexer.exe, maintenanceservice.exe and so on) that the sample first opened for modification, as recorded in the file IoCs below; they count as dropped because their on-disk contents changed before they were started, which is the pattern of a file infector rather than of a conventional dropper. alg.exe (pid 3252), once running, opens further executables for modification, so the modified binaries carry the infection forward. No file-encryption or ransom-note IoCs appear in this report despite the _bkransomware tag in the submitted filename.
pid | Process
3252 | alg.exe
1828 | DiagnosticsHub.StandardCollector.Service.exe
3568 | fxssvc.exe
3716 | elevation_service.exe
2404 | elevation_service.exe
4072 | maintenanceservice.exe
660 | msdtc.exe
1464 | OSE.EXE
676 | PerceptionSimulationService.exe
3808 | perfhost.exe
3244 | locator.exe
3176 | SensorDataService.exe
1008 | snmptrap.exe
4168 | spectrum.exe
3912 | ssh-agent.exe
1056 | TieringEngineService.exe
4756 | AgentService.exe
4384 | vds.exe
2784 | vssvc.exe
2108 | wbengine.exe
452 | WmiApSrv.exe
680 | SearchIndexer.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 31 IoCs
The sample opens service executables under System32 for modification and the modified alg.exe then does the same to further service binaries. alg.exe also writes a non-executable file, C:\Windows\system32\config\systemprofile\AppData\Roaming\c6fc9b50db05c3ba.bin, under the SYSTEM account's profile; the MSDTC.LOG write by msdtc.exe is that service's normal start-up activity.
description | ioc | Process
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\System32\vds.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\locator.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\c6fc9b50db05c3ba.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
-
Drops file in Program Files directory 64 IoCs
Both the sample and the modified alg.exe open third-party executables (Java, 7-Zip, Firefox, Acrobat Reader, Google Update, Office Click-to-Run, VLC, Internet Explorer) for modification, so on an affected host every executable under these directories should be treated as suspect until its signature has been verified.
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\CopyMeasure.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79171\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
-
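To turn the flattened file IoCs above into an infection chain, the following Python script, added here as an illustration and not part of the sandbox report, parses rows in the report's own "description path process" shape and groups the modified files by generation: the sample, the modified binaries that were later executed, and what those in turn modified. The rows embedded in it are a constructed subset copied from the System32 and Executes-dropped-EXE sections of this report, so its output only reflects that subset; the regular expression and the generation bookkeeping are this example's own.

```python
# Added example (not from the sandbox report): rebuild the infection chain from
# the report's flattened "File opened for modification <path> <process>" rows
# and its "pid Process" list. Rows below are a constructed subset copied from
# the System32 and Executes-dropped-EXE sections of this report.
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe"

# Constructed subset of the report's file IoCs. Process names carry no spaces
# but paths may, so the process is always the last whitespace-separated token.
FILE_ROWS = r"""
File opened for modification C:\Windows\System32\alg.exe 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification C:\Windows\system32\fxssvc.exe 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification C:\Windows\system32\SearchIndexer.exe 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification C:\Windows\system32\dllhost.exe 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification C:\Windows\System32\msdtc.exe 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
File opened for modification C:\Windows\system32\msiexec.exe alg.exe
File opened for modification C:\Windows\system32\SgrmBroker.exe alg.exe
File opened for modification C:\Windows\system32\fxssvc.exe alg.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\c6fc9b50db05c3ba.bin alg.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
"""

# Constructed subset of the report's "Executes dropped EXE" pid/process list.
EXEC_ROWS = "3252 alg.exe 3568 fxssvc.exe 660 msdtc.exe 3912 ssh-agent.exe 680 SearchIndexer.exe"

ROW_RE = re.compile(r"^File opened for modification (?P<path>.+) (?P<proc>\S+)$")


def parse_file_rows(text):
    """Return [(path, writing_process)] from flattened file IoC rows."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("path"), m.group("proc")))
    return rows


def parse_exec_rows(text):
    """Return [(pid, process)] from the report's 'pid Process' token list."""
    tok = text.split()
    return [(int(tok[i]), tok[i + 1]) for i in range(0, len(tok) - 1, 2)]


def infection_chain(file_rows, exec_rows, root=SAMPLE):
    """Group modified files by generation.

    Generation 1 holds files the sample wrote; generation n+1 holds files
    written by generation-n files whose basename later ran as a process.
    Each entry is (writer, path, later_executed).
    """
    executed = {name.lower() for _, name in exec_rows}
    by_writer = defaultdict(list)
    for path, proc in file_rows:
        by_writer[proc.lower()].append(path)

    chain, seen = {}, {root.lower()}
    frontier, gen = [root.lower()], 1
    while frontier:
        entries, nxt = [], []
        for writer in frontier:
            for path in by_writer.get(writer, []):
                base = PureWindowsPath(path).name.lower()
                ran = base in executed
                entries.append((writer, path, ran))
                if ran and base not in seen:  # this binary now spreads too
                    seen.add(base)
                    nxt.append(base)
        if entries:
            chain[gen] = entries
        frontier, gen = nxt, gen + 1
    return chain


def non_pe_artifacts(file_rows):
    """Written paths that are not .exe: data/log files to collect from a host."""
    return sorted(p for p, _ in file_rows if not p.lower().endswith(".exe"))


if __name__ == "__main__":
    rows, execs = parse_file_rows(FILE_ROWS), parse_exec_rows(EXEC_ROWS)
    for gen, entries in infection_chain(rows, execs).items():
        for writer, path, ran in entries:
            print(f"gen {gen}: {writer} -> {path}{'  [later executed]' if ran else ''}")
    print("non-PE artifacts:", *non_pe_artifacts(rows), sep="\n  ")
```

On this subset the chain stops at generation 2 because msiexec.exe and SgrmBroker.exe, written by alg.exe, never appear in the executed list; on the full report the same walk is what turns 95 file rows into the short list of binaries whose Authenticode signature must be re-checked on a host.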
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments. Here every read comes from SensorDataService.exe or spectrum.exe, two services whose binaries the sample had just modified, not from the sample process itself. The enumerated devices nonetheless show what a VM-aware sample would see: a QEMU DVD-ROM and two Msft Virtual DVD-ROM drives alongside a WDC WDS100T2B0A disk, so the device strings alone expose the analysis VM.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. Here both reads come from TieringEngineService.exe, one of the service binaries the sample modified, rather than from the sample process itself.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
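The SCSI and processor reads above come from services whose binaries were modified rather than from the sample, but the device identifiers they touched show what a VM-aware sample would find on this analysis host. The following Python script, added here as an illustration and not part of the report, parses the Enum\SCSI device paths from a constructed subset of the rows above and scores them with a keyword table that is this example's own assumption (common hypervisor vendor strings). It weights the Msft Virtual DVD-ROM lower than the QEMU drive because Windows also creates that device on physical hosts when an ISO is mounted.

```python
# Added example (not from the sandbox report): parse the Enum\SCSI device
# identifiers from the report's registry IoC rows and score them the way a
# VM-aware sample would. The keyword tables are this example's assumption.
import re

# Constructed subset of the report's "Checks SCSI registry key(s)" rows.
SCSI_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe
"""

# Device instance path layout under Enum\SCSI:
#   <type>&Ven_<vendor>&Prod_<product>\<instance>[\subkeys...]
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^\\]+)\\(?P<instance>[^\\ ]+)"
)

# Assumptions of this example, not the report's: fragments that identify a
# hypervisor outright, and ones that only suggest one. "Msft Virtual DVD-ROM"
# is what Hyper-V exposes, but Windows creates the same device on physical
# hosts when an ISO is mounted, so it only gets half the weight.
STRONG_MARKERS = ("QEMU", "VBOX", "VMWARE", "VIRTIO", "XEN")
WEAK_MARKERS = ("MSFT VIRTUAL", "VIRTUAL")


def parse_devices(text):
    """Return sorted unique (type, vendor, product, instance) tuples."""
    found = set()
    for line in text.splitlines():
        m = DEVICE_RE.search(line)
        if m:
            found.add((m["type"], m["vendor"], m["product"], m["instance"]))
    return sorted(found)


def classify(devices, threshold=2):
    """Score the device list; returns (looks_virtualized, score, reasons)."""
    score, reasons = 0, []
    for dtype, vendor, product, _ in devices:
        ident = f"{vendor} {product}".replace("_", " ").upper()
        if any(k in ident for k in STRONG_MARKERS):
            score += 2
            reasons.append(f"{dtype} {vendor} {product}: hypervisor vendor string")
        elif any(k in ident for k in WEAK_MARKERS):
            score += 1
            reasons.append(f"{dtype} {vendor} {product}: virtual device (also seen with mounted ISOs)")
    return score >= threshold, score, reasons


if __name__ == "__main__":
    devs = parse_devices(SCSI_ROWS)
    verdict, score, reasons = classify(devs)
    for d in devs:
        print("device:", *d)
    print(f"looks virtualized: {verdict} (score {score})")
    for r in reasons:
        print("  -", r)
```

The WDC WDS100T2B0A disk contributes nothing to the score, which is the point of giving a sandbox a realistic disk model; the optical drives undo that effort, and a sandbox operator reading this report would rename or remove them before the next run.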
Modifies data under HKEY_USERS 64 IoCs
All 64 entries are MuiCache strings, FileExts keys and shell-extension cache values written under the default profile by SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe and fxssvc.exe. They are the ordinary start-up writes of the Windows Search and Fax services that the modified SearchIndexer.exe and fxssvc.exe binaries brought up, and are not useful as indicators on their own.
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000068aa29c336bdb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047118d94336bdb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a36c2a95336bdb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e6eec94336bdb01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009da5394336bdb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid | Process
1168 | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
652 | Process not Found
652 | Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1168 | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe
Token: SeAuditPrivilege | 3568 | fxssvc.exe
Token: SeRestorePrivilege | 1056 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 1056 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 4756 | AgentService.exe
Token: SeBackupPrivilege | 2784 | vssvc.exe
Token: SeRestorePrivilege | 2784 | vssvc.exe
Token: SeAuditPrivilege | 2784 | vssvc.exe
Token: SeBackupPrivilege | 2108 | wbengine.exe
Token: SeRestorePrivilege | 2108 | wbengine.exe
Token: SeSecurityPrivilege | 2108 | wbengine.exe
Token: 33 | 680 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 680 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 680 | SearchIndexer.exe (24 identical entries)
Token: SeDebugPrivilege | 1168 | 2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe (5 identical entries)
Token: SeDebugPrivilege | 3252 | alg.exe (3 identical entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 680 wrote to memory of 3824 | 680 | SearchIndexer.exe | 109
PID 680 wrote to memory of 3824 | 680 | SearchIndexer.exe | 109
PID 680 wrote to memory of 4584 | 680 | SearchIndexer.exe | 110
PID 680 wrote to memory of 4584 | 680 | SearchIndexer.exe | 110
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-01-20_5477d7df4b5fe2cf39a8738493398aec_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
C:\Windows\System32\alg.exe (tree level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3252
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (tree level 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:1828
-
C:\Windows\System32\svchost.exe (tree level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:840
-
C:\Windows\system32\fxssvc.exe (tree level 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (tree level 1)
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:3716
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (tree level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2404
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (tree level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4072
-
C:\Windows\System32\msdtc.exe (tree level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:660
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (tree level 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1464
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (tree level 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:676
-
C:\Windows\SysWow64\perfhost.exe (tree level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3808
-
C:\Windows\system32\locator.exe (tree level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3244
-
C:\Windows\System32\SensorDataService.exe (tree level 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3176
-
C:\Windows\System32\snmptrap.exe (tree level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1008
-
C:\Windows\system32\spectrum.exe (tree level 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4168
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (tree level 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3912
-
C:\Windows\system32\TieringEngineService.exe (tree level 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1056
-
C:\Windows\system32\svchost.exe (tree level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4324
-
C:\Windows\system32\AgentService.exe (tree level 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756
-
C:\Windows\System32\vds.exe (tree level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4384
-
C:\Windows\system32\vssvc.exe (tree level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
C:\Windows\system32\wbengine.exe (tree level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
C:\Windows\system32\wbem\WmiApSrv.exe (tree level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:452
-
C:\Windows\system32\SearchIndexer.exe (tree level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680
-
C:\Windows\system32\SearchProtocolHost.exe (tree level 2, child of PID 680)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:3824
-
-
C:\Windows\system32\SearchFilterHost.exe (tree level 2, child of PID 680)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:4584
-
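The signatures and process tree above fit together: PID 1168 enables SeTakeOwnershipPrivilege and SeDebugPrivilege, opens service executables under System32 and Program Files for modification, and those same paths then run as "dropped" EXEs under their normal service names, so Windows itself provides the execution. The report also flags use of the Volume Shadow Copy COM API. The PowerShell triage script below is an added example, not part of the sandbox report or of the sample: run elevated on a suspect host, it records the Authenticode status, signer, owner and SHA256 of every binary the process tree flags as "Executes dropped EXE", extends the same check to every registered service image path, and counts surviving shadow copies. The path list is copied from the process tree; the function names and the expectations in the comments (a stock Windows binary reports Status Valid and is owned by NT SERVICE\TrustedInstaller) are the editor's assumptions.

```powershell
# Added triage script; it is not part of the sandbox report or of the sample.
# Assumptions: elevated Windows PowerShell 5.1 or later on the suspect host;
# function names and the "expected" values in comments are the editor's.

# Paths copied from the process-tree entries flagged "Executes dropped EXE".
$ReportedBinaries = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\System32\fxssvc.exe',
    'C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe',
    'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe',
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE',
    'C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\SysWOW64\perfhost.exe',
    'C:\Windows\System32\locator.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\System32\spectrum.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\System32\TieringEngineService.exe',
    'C:\Windows\System32\AgentService.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\wbengine.exe',
    'C:\Windows\System32\wbem\WmiApSrv.exe',
    'C:\Windows\System32\SearchIndexer.exe'
)

function Test-BinaryIntegrity {
    # One record per existing path: signature status, signer, owner, hash.
    # Catalog-signed Windows binaries report Status 'Valid' on Windows 8+;
    # a file rewritten by the sample shows 'NotSigned' or 'HashMismatch',
    # and taking ownership (SeTakeOwnershipPrivilege) usually leaves an
    # owner other than NT SERVICE\TrustedInstaller (editor's expectation).
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $item = Get-Item -LiteralPath $p
        [pscustomobject]@{
            Path      = $p
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            Owner     = (Get-Acl -LiteralPath $p).Owner
            Modified  = $item.LastWriteTimeUtc
            Size      = $item.Length
            SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

function Get-ServiceExecutable {
    # Extract the executable from a service PathName, which may be quoted
    # and may carry arguments (e.g. svchost.exe -k NetworkService -p -s TapiSrv).
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $PathName
}

function Find-UnsignedServiceBinaries {
    # Generalises the check to every registered service, because the sample
    # chooses service executables that Windows itself will start later.
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object { Get-ServiceExecutable -PathName $_.PathName } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        Sort-Object -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Path = $_; SigStatus = $sig.Status }
            }
        }
}

function Get-ShadowCopyState {
    # The report flags VSS COM API use; ransomware commonly deletes snapshots,
    # so record how many survive before any remediation touches the host.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
    [pscustomobject]@{
        ShadowCount = $shadows.Count
        Newest      = ($shadows | Sort-Object InstallDate | Select-Object -Last 1).InstallDate
    }
}

Test-BinaryIntegrity -Path $ReportedBinaries | Format-Table -AutoSize
Find-UnsignedServiceBinaries | Format-Table -AutoSize
Get-ShadowCopyState
```

Read the first table for any row whose SigStatus is not Valid, whose Owner is not TrustedInstaller, or whose Modified time clusters around the infection window; the third-party entries (Chrome, Edge, Mozilla) are signed by their own vendors, so the test is signature validity rather than a Microsoft signer. Treat a ShadowCount of zero on a host that normally keeps restore points as a sign that the VSS activity was destructive.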
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize 2.1MB
MD5 55459915644e204b9efbc01aae8f13d6
SHA1 8d2de1773186aa49489495d16f72057a6f1393fb
SHA256 e8b18e6364c10368fafdee915a8ca98c0c0383e2578415685472e4222cf15a44
SHA512 cbd82f55fbf2bbf0c3c6dd034a792503f872b1f8dfdd1ecc691e03daf6d271b982d5e36e2cef223e773036b9afbf29d21502dccd2baf20b5b4ed1bf6947764af
-
Filesize 1.4MB
MD5 5b016bf5b918b8d6a5d163559e789d5f
SHA1 e24f17e2e37f62187a735bfb2cf298d66925311f
SHA256 a63a3cebda528cde16859996fd02867817efd5bf34bfee2efde6579e14c15b24
SHA512 dbadc1c35309e9f7acedb1bbee6008c9e4df88afaaf86ef6dbdbf490e04614a4a7bae9a6d02dabb8c6ba5087f124279cb90edb75fd6d112018e147837e9b3b93
-
Filesize 1.7MB
MD5 a50bea759c9338c0dc315a4189afa9ea
SHA1 bf3135973cd05c30163458b14aa4f8dc494c55c5
SHA256 d883b92b483a4fd1f390bcde721516f85bc15395a34a012cd5b01c460f2b321f
SHA512 b8d506922094eab5b370a51caff8cb04e98ad8394c27a758a2fb11015c49a5cd53d1b7125eb449200efa6dc5e2c19ec28be037315eec20a90cd0fb1aa8e1be06
-
Filesize 1.5MB
MD5 969b2878e3164220e40caeb29621184e
SHA1 5ea292bcf54e07a7d28c1f50784b09d171afe89b
SHA256 defcc20e4af0c2805a42412d42b4921d1b1f6f893f697de2c400536051f80029
SHA512 97925b1cb76a27f73f7b58f0fdc2b498c77489351711b5afbc6bf55f235f465216cbea2c1064f415ba2bf07cbbc059014627c6474a4b6ca5abc3ac89a5fca0c0
-
Filesize 1.2MB
MD5 5691ec9d0a504abcca7b8333ef9b109b
SHA1 422bab114ecf2df083fbadc6160b9bd71ba00cd2
SHA256 074c163e7084ef23b8d051fcea552e4e444349c614959b2031118c02287dfa5b
SHA512 7bbe37854efb59ce964e181f8f70b150bd58a15451d8c9b022a843b7e79dcfadeb7376d9a737c30bef2ee4dd2bef693f661a23422202516d9317b1c8843e5ac5
-
Filesize 1.2MB
MD5 08a80f335d26080e00875179bbbeaac0
SHA1 8e731026eac97af08082d6424c745816bcbfc5cc
SHA256 cb0f4e95a8913faa4031db14f5883cb17ec408a2436b1ad86c34a1c5c93195ac
SHA512 d5d01de425246d4e64611856c2620d2d33781e33354e420319e54df25bcaa0f0349630b4790dae189df6809a1d331323a66bc5fec8f302a098a1876e8b0250dc
-
Filesize 1.4MB
MD5 d583ad2b4b882ae18e00ed2049f72250
SHA1 f29ad31a79bcdc1dfc75fb4848f88d22a9507613
SHA256 bdbb59d8182a2e70061b1a180d2cb6c43c214b8edd688e1ab5832d50cf86d583
SHA512 694dd8f7f93910497d558e118d2ad7fd019950845b8f06afc16ee82892120dc8b4398b23e0aee1e3d54e1854e580ca1a23437dfb7717eafc113b436a757ed6ab
-
Filesize 4.6MB
MD5 6761d3d423336665e000f34206d3ac82
SHA1 6c12bf7f546f8807f1d1ce9193586958e5c2f33c
SHA256 1019609f49f1b62447196171f453b1984f8818a8de5a830d3425b6d81d85a868
SHA512 be0c5f5f7b02cf6b98770f66d37578b82572b4bea342fe22792d7a8202199d08e8a490ce21c2740d38ecbc4d44fb8a3927fcf0eaffc01a3b06f156024ca523b1
-
Filesize 1.5MB
MD5 485fa7013f6ba8adedf76f7685e0cd4e
SHA1 93712b0a86269fd95f2d1b36e04d71681307ee25
SHA256 23b6b6a9dbf40824ca5ec6e3cb62af94125cfd8040d6693cc8e7c1407116d38e
SHA512 7eecb02233f3f3519c79564de6a7a9085ef74498de2e0ce81048222853005018494650b8b685fbeabca7d1c4b7babb6c4112e6a0c94a418daf15d8f3dda51cd1
-
Filesize 24.0MB
MD5 c3bc78e9ca3d5d3cb461ba58cab903ed
SHA1 9eed63c580b1fbad8b8f580ea4832113c65544f1
SHA256 cea80d04bfb39810525ed5e7c4e11f1183d3102ad9cd5356a5365043df807303
SHA512 bdf8d33ec5701350dbba9d28af22b528188d99b837165e102194b8ed2a168794cf7979a124cc17e227a3b6f0018a80f0c86c72f380a550f12c78416e5c812a25
-
Filesize 2.7MB
MD5 d8fc9e2f7ca7d780ea5f9c1e6f56be6b
SHA1 1d24b593b38c3a88a365018cf8eab50a4f4101de
SHA256 402bf725e57638de51c6476ba0b7eef76d87edfc56ee37ea65a6551a8674baba
SHA512 d8eb2c89b7515ba077dc9a7b2019f1de9cab7a6f2c6c2d6cfb008fc572d2c7ea64eaec15dd14ec7dc908fbc40eaa2cd6ac882f865f3e3e147b297e11be4a28b1
-
Filesize 1.1MB
MD5 176b29c6b4ab7ae50468f391ff88a794
SHA1 5fd93b7e11b21226f98160e849ec6463fae6b867
SHA256 0839b08953faf989361dd243602c326ebcf349839c542e0c2e15406f63448cfb
SHA512 d8b1923baa7d3a6fcaf27bf4753544b75e28790ad6ca1ad0e96900e56560051e19d751e679cdf1b84aa95cab83e4f24e269def580c31546bfb5341cfb37908d8
-
Filesize 1.4MB
MD5 7f52204079035ace182da1103e703647
SHA1 efdf6dc0eba886ca16276bdac8b8a45ed84d82c9
SHA256 e522bd45934bed5db6e67de1b114df39f90ad1edf6f182086d3fccfc80155f79
SHA512 a430f6d9d14a874df56955cb1d7a925a9e5dccc7539f8dbb9cf3ff2a4a847192ed00ae63a99aed0f278074bc69af4dd58e94876b23bacd1aedbbfcaf40156389
-
Filesize 1.2MB
MD5 3d31cd7891e8590275eca37988bbf915
SHA1 ad63a17966129f1979d4b14a56e8f107c1270895
SHA256 706a83d92ed3aad8eb9830ffffa6235b852bb2c3451d0d32407ca8c98654f41c
SHA512 c8bd1cba4ebfc7c7e6066e57fc645ea896dd9595468962c7754e9c459f7e84fce951abacb19677dbce717c1ae373515cd688b888c2abf7b38f8ae1602998cf03
-
Filesize 4.6MB
MD5 ccb70825a783b25a15933b740f1ae700
SHA1 287f02487b9e83db148bbe088abcfad8f5158f96
SHA256 92f29fb179c9a36d4a524ecf7a559c585a1fc8d4ac6503df6188dfd8f9e44c06
SHA512 5c1baa6932d1e6091a90328e812938e19f622ff10d92ddf2b21f5849bf84b2accf3217fcccb695b5053b2cc6fc5ec71fbd3e25783b8b08fcbe77e5b43b416d08
-
Filesize 4.6MB
MD5 d46eb84aaa90dfde1788939b77ecc9f5
SHA1 cc79ba7d417dd9f473bf2da32244bbdbebb0803c
SHA256 cdc56bd500cb8144060c01d91b4323a4f47780d064214cd69202980452b916cf
SHA512 8b116e13e1db8c6a7a0a4a169d5740c5bf9034c66cda33bb8a27b0feddfb572ecbc6a7a9658e678c3acd8907f876a4151a5ec93ba2431d2fa610bb7d50c5c97c
-
Filesize 1.9MB
MD5 027dd4d13c3ccc41a5a5802fc7c53dd3
SHA1 738d078b4a92e0c4f824b8197d0cf2a23b606730
SHA256 67bf24fc18cbf34227347aab3374b5f2bc8c00f3cd158358f83c583150ff4816
SHA512 030ba85c0786b989c9958b8d1d100a7912511a8066c2e3be2642f60f99c4bd0e9524790accbd7d0a683fc68691dad3f43b453ae713b57a90d3ed2cff35a028ca
-
Filesize 2.1MB
MD5 08b49223d3c0a4edfd033bb252760d58
SHA1 edb3011887c5a9ea44414ef3fbba1ae71ec89b59
SHA256 287fcd750623cc2747a608c9bc4f98011549e150985d60cfb327abced67181fb
SHA512 7c98ad4840da3f59dbe3d1623a65a0451b426afab62369ada6a147e3833de601a40a1f674ca3a94ce91bddc769f92e7ad5f93afd3576c451d7da50a84e1ed35c
-
Filesize 1.8MB
MD5 af8ad8da5311bf19340e70f8f89b0f11
SHA1 8ce9e6faa6d552de3b025423b0f4daa3f01b365f
SHA256 dccae36029a5ba78a82dd3ba3d3843d55a6ce1f3d5eeae95e78f027c0660f811
SHA512 f0cdb72a5d8e914891a767cd822fa66e24352d8b8caea70a9ef014c44ec2b7584a55e283ad71289cc7f63f749d6855a683147940a1f67d70e78d3d29cc1a1c4a
-
Filesize 1.6MB
MD5 9ce3cf0c194e5a38bf270be60194f73b
SHA1 916ab46c2b25e3133c9534fffd3257e1f5b7a117
SHA256 e50f51315a57374ec5b39f00b16049990312e2c89037e8deee32770b5328ef5d
SHA512 d8caebb95aeb2dc51cd0fd24c72379a50f6843c0b4035ebc8ad147d83b09633b62b24bf86b64efb5ed09d6e8628c76ef4423cc98b385f78bbe88db3089a8d156
-
Filesize 1.2MB
MD5 a16960de894ca249aa15b659dded684d
SHA1 75194b2321f006432542386272ce634501906e89
SHA256 17467ad47fbe653a0d6a4b2f3a17054d51095ee0861bd16925ec2d7f502547c2
SHA512 fe320eb46ad0d52c2bf7df2d301f19579326771b09996623e0ed9cf0152103f55d4768977e36bad68583b18f0db072db49f77da287c29d12d6530fce84ad0121
-
Filesize 1.2MB
MD5 e67846e342c470753e45df0f45968c90
SHA1 1d7449bf6dc17cf31e1f76efef53191dcdd1d27e
SHA256 7ac4db7d4076aa895094f5dc1fa7484b4dd539829dfe8895f06786e88cd67597
SHA512 33201b3f1a67bcb026b5bf99704375ceb0324b2dde6fffed763486a6ec46a394b411bb2ab7d9dcafa4c94073b1ce1bc7fd436b9ea69005fdfe7b729824a575cf
-
Filesize 1.2MB
MD5 dda7aa880a2775d9a203b528b01c63f9
SHA1 5da63a3da14a838a66a06e771ea71c56e318f631
SHA256 e227ca741341028a8c4582d8014ae3559a6c746c5e8ec06ff079c47a25ec7b05
SHA512 a340c2f383fe631739a9334fa9e8a580927a41634a39eaf5683f990b386e8541f89e1f242dce8b9f94ca181c457150f23b5b8dc37071e3172cb647ce8ebeb173
-
Filesize 1.2MB
MD5 e81b88c7fda19168b76279effc1fc342
SHA1 d7f540208a19189439b95869c156e47828c4db46
SHA256 54309302bc56e79ee7c3be2a796599475de12816882fa229f450ef68139c4736
SHA512 c1d572aaffdf10457f3a0527ef9d9a015997ef2923ab38956062943ffb95112b843288335f459488b88de79fa5969db8a182ec14dbe1a4979c11dc61cff6fafe
-
Filesize 1.2MB
MD5 19ff47519f38d8ae39393fa62a6dfcc9
SHA1 f5ca61a4f3836f93250998f90cb5e58525fa08dc
SHA256 90f757ab0e035352c731a037d163a3e574b9cc754e92e79f003042baf7698418
SHA512 601d071515f6dbe8793cd696b4e678f75e6029999d849d81bee8076cd989d569241fdb6d083ec71382a3c6f63b61264cc162f01847a90e9da112c5e9b69e5aef
-
Filesize 1.2MB
MD5 21ad9bf6f8ef0762b85b1253ba48233a
SHA1 c209d2eb39e558eb16c26d9dffecaf609087cb9f
SHA256 b40013f303da6fbdd331fa0babe64cd6eaf5e75d74f6c97b221af2a5c0a31020
SHA512 32925a8aceeffe19071d2d58f2757e799c827546d78971c52c7767999f190c07a446790a2b9b388d1909cd43e6a0d2f0907ada6625dba1e3a7f9a09f93f3720c
-
Filesize 1.2MB
MD5 d649dd310b516d7af55a36b37c7dad98
SHA1 6415c3379316bde1d9871c7d5fbde2777615bd01
SHA256 27c7eddfd5b0e836dcfc5e7e84feccd4f2935bf3469c883c1f348b3e55866b64
SHA512 7e4484d655fa24cd3a5de643e8b164f13e6cfb7d8d52f99788192f44357f868d9417c13988b99ef74e1c78de3e5a15b2cbb9db9d69da324de53613bb0997831c
-
Filesize 1.4MB
MD5 71033ae3811377b0c8e8dc4821d4c89f
SHA1 018fc93347a726d1e917be8cad847a7a30bbe424
SHA256 6eb8337a240415baeb0a9452742312241b84ebdc9e42c37786fe406d77501bff
SHA512 2f4dabe707e8c12bd6dae48b9419f50ac3ac17ef233b49a919c7f921200446d03d4ed8f82cd4f3ab2ee9190690ff8d571ba2a08100cde0b0757a9ecdd4f36465
-
Filesize 1.2MB
MD5 3820c7a010813cb2719d15ab546ddfaf
SHA1 145c0697f6868f8b70d674ebbea44ec90afd85f9
SHA256 0b50d7a003065fd18e39df1993e9b6c7315334b9498d306cbab2a6ba84a12dd3
SHA512 5766b68e70a5038602602d4de9c08df33c9487187a6e7e654684c17fcc3d7e7b392babc2f7fa6baca4ae1109bb94ddb09bef2df43396dafbe46f7b520d9a32cd
-
Filesize 1.2MB
MD5 76e2f1f4d1ba62bab22b6b28ab2795e3
SHA1 88a194160820195ad91cad0f05b45e56799afae6
SHA256 1ee69024b55333d33f0e8f159bf8fb618f9bd109c1476cfe85255da21cacd5f4
SHA512 2f334c92aa1e9701f00cf20519d5be027d0a252ffef2614517b03e8ddb08c71200c3f17beb3e0e0903e40e1954f8566905e85bfe1d62f53b471887b3c8be57bb
-
Filesize 1.3MB
MD5 8d4c6dc82c1596039653b99e30893866
SHA1 6acc0a8be8826de7328dbc2977f62eaf77d9f4db
SHA256 7c073bd973bfce520d7c499ed0cb230e1c76b5f9943a369bc69dcc687bc6ab05
SHA512 e98b4fe717197ba63a0ab664c8e4761591ecd8d82dcfac98b5b4e60d83990c728543fd5d5f5d8e68f0abd7fe93de7751bb2cc07b4a055d9d0df26bb0ff8b693a
-
Filesize 1.2MB
MD5 836658154c84999783ea246f72f88494
SHA1 34f25fed70dfe482df59e29f4caae04b75250233
SHA256 00aa68dd9b78ebfe758e73f866f191ed4a77278f39445fbec7ff4c77b10636f2
SHA512 17e9559a54bcee21a4174a6a795b7b2aa6c5158138a3bedc972c2fdd60e49f071cb739343cad1c90637b919b798ed74e9a6525187be77d5d8828582cb7a49604
-
Filesize 1.2MB
MD5 751dde81a1ea89be28bb86aa23c5967b
SHA1 22047c390f1426c3ebc73c7248d98c146610f5b7
SHA256 b13131a3146bbfe18af85c748d4a75862ed5514ee9577a2e7b758737ad5dd7bb
SHA512 53767bd848ddc1ec0bd503907aac60f297f7612322cf4b5e0129a5f560cd1cfa8f30698bcf691af4f6959904fba3d053bc69e3918dae5609a34c4cab53bb846d
-
Filesize 1.3MB
MD5 7a080e05d4611db8b154c26b74d41eb6
SHA1 bd06d39eebe686e88c72ff74adbc4e71a6cf5a39
SHA256 67fdbb6fe5d6bed23ffe7750d1b4a89e429eb7ac2e4abee783573c48f3213cfd
SHA512 c032135209fafaa39ff6468fc29d7b865fe82a29c8a1d3cb1607064bcae1f060401c8f36b582f0687a45748e91043f5900dde2ccdd5ffd5565d00a2821c0fa9e
-
Filesize 1.4MB
MD5 31b7c7ab4a04ba999efb2ad2b3276ad7
SHA1 5fd047641fc49b2edd6531f7569463691c2988c8
SHA256 0f559278677c3005827431fded52edff0f19136aa9ce98b81a52c3ffa82b6054
SHA512 e9b9cf699a01db01645b67d04aecf19d922471780140f5d9ad7b7ca5a2dbd5bea6930c8de7d7b74fec377287066b85befdbb2c4c8b7020b6b2056f364db8430e
-
Filesize 1.6MB
MD5 6617b672c3174d6cc8a076fdba000817
SHA1 d48e389df75de791bd8d1d8b1dbcaad80bf6c74f
SHA256 a4c8597c717852cc21d7448eec1406a712884fabaf8265b5b68a781bf6fa865d
SHA512 cd2e0336fab04ea4fd437416b0fb5beb55cc3f25a53355a46e992d02cff6a6d017d475635a9106a0c12d20ade29dece0b3c1992ba66ac54b8d66684c30a2ea9a
-
Filesize 1.5MB
MD5 695475c1ea57ef151372c3212c0768a1
SHA1 ccb7be2c77b103ff6a07e3f93b444631f1b5c8eb
SHA256 a4384723540c33a2bfed13dd24b34818a22877e67c7690066d45fe895bcfbfae
SHA512 89062cf8d6054ca3af81b7ecd5d5ba4d4c4dccda586ecc27eef76d236559c8718b638ce177b3f1e65acdc3d3b97fec39391c5ebe17613e3b99fde39cf239aad0
-
Filesize 1.3MB
MD5 8fc7bf68b9429ee454bcfb6eb1999e5a
SHA1 4069a2dbdd07374f0b67146fd9ec3878ad4891f7
SHA256 5eced4ebb1d9d5f00e3fef12b66609abc3c955c5d6ecbc6430ae38627b7255c1
SHA512 10e0530ba56c9c03556818f565ff6c20775c0a36deb284b165e1de743cbbd6e18830127431aad59b8c1a037271308d65e0df7a655f54d83df80f3ff06c134038
-
Filesize 1.2MB
MD5 7ac3245c3047f9c80b68cf1553cc6f26
SHA1 33a6e4a1f281d449b098a8946a52481d0d156c0e
SHA256 ed42d7d61dbb6e8a94686a2f499f4964db744e9d5c13f1a2d9d97493ecf01cdc
SHA512 a795fd21139f28739ad41c44f5e3dfd6a71f765ab6a010a318a32f54ababdd9ec4cdb7733f941f7e7d04379f1e36e50703f1703f155bd7c333d0871b7e652d6a
-
Filesize 1.7MB
MD5 92c0ffe0ab3a36256b25acaa2deb1828
SHA1 a9e30753c908259ecccf9be52637ea9489a38f19
SHA256 89f06ac1ace2ee0f2cc701559b94962deea62b3cb7e3932df0fa4f1b6386e278
SHA512 a167c65c129c77cb24cf7edc6eef32b68d1ce72b7e0a91ecadfcffcf4692479e7d559b6228091e82023ced27a2be87a553b131b8fafd516f101eb2cdaf9edff7
-
Filesize 1.2MB
MD5 4b16adb42993a24e99d218497ea7b778
SHA1 9b787cf3e79dd80c41de03f617f91ebe472b1621
SHA256 0f5197bd351ab08154a1358c1474e8b165403ae08243f9696f005eae9ced4456
SHA512 890aca48b671d72c959cc5179d83f1005a16d555b9d947078285cabbb1815b49de707c4bec00d9b65f8f95dc69ed67b77a288c1ea13458893c1c377ad1e6ffd0
-
Filesize 1.2MB
MD5 eff0643b9e271971e096ce205469b36f
SHA1 f60365c8556aa18c19f6cb28f83cfb8347022f19
SHA256 da8492ad376220ebf0fedb0f9c4acd99a4f4c9991c30a705b34535c1f855ecee
SHA512 6bd4dd7f786bc23fb74ba3bcfac1bf58953f447c78ebcb89ecd4b7064c4a6fabeea3589c60a9a98f71006fca293540ad4457d7c2259456c00a1c25402305cd2e
-
Filesize 1.2MB
MD5 fc8f9d116cfabaeff6fb50b5d38809d0
SHA1 f2678e605aadee6bd66b1b71e2e3422f9792f4be
SHA256 cea5f9d5321c554ef9b705c97a40245b33a499d3193b4ec9169088e3544fd62b
SHA512 b47886dc52c227fd7a6f79175e5ef7794a50610452d18ab1884684b7b5974c329349c40d25ed9d6926f1ff8529d0c895d1f07528e3808a49d574aaf35009431f
-
Filesize 1.5MB
MD5 eb3de8ba34fd2aa4a0a6ef51518c31be
SHA1 271893b35a4330ee7705d5a14ec144b142e06916
SHA256 45e5094f9992ae9ea9d6517010e144cd627a78afcdcb2649e8a3e35626859453
SHA512 ad5e75d3d6bec236bbfecfb2b7e1929bdb7617175f1da70bf1450baecdd9a618e89bfd758cf018c9d96d1ca8b7c89e05889b2e4db102bb0aa7dcaafdd2779c6d
-
Filesize 1.2MB
MD5 0417b09bf1709585f0a89b38fa3b499d
SHA1 29009a639d074b62085f8a99398dc5d5d62e09be
SHA256 d4de745ac82b8e946491cfdda77428a90842ede31df3447fc6919af4eaf95fe1
SHA512 e4fb4dd6fb36babf3bfce56c961fd748693f088b5377e0638082564ed715022504bca995927654584e52b2c601fffaead90c42367965cce0ca66d80c9583dafd
-
Filesize 1.4MB
MD5 26f91370e8baee3d0d54c55bbefe6d09
SHA1 21fb984a3992644a293d29d1eb9b67e9c685ba70
SHA256 c0969b9522b22f373bc055e63b7f20ecf62586b63bc97318466878260bed937a
SHA512 75008cbce6d18ac68d4717ac3ea77182f00ae6b742ea69b3e635d42da10990ef67726a432d0f62c3c74ee905f13549162c07fd2d44acdc966efba1232f47af78
-
Filesize 1.8MB
MD5 969dbc4404cc6a756d60c25ed6337473
SHA1 c2a96399abdceb75ec660e63d594c7660e88a438
SHA256 0c0509892773a44b92b57adab766fac75e716a681afffc4212b2276c122eb71c
SHA512 290b8befa7158f03c8e6a842174b7af85d4598bc43884f0d32e56b4c26812679b4f40eeb8cb6f0a6deda40dbcb78b4e0ca4c99ccbde3f4a32968a0cad491f4c8
-
Filesize 1.4MB
M5 1e108027f15fe9be60c1b806632182a5
SHA1 417dcb3bab01b97f61cd293f2fb5999ed027eadb
SHA256 c7a44e8a5e8057744e6ba291bbd9139c84cbe6266f710aad42f067c94e749b2a
SHA512 8be8bc089f647c3b28fdbe9f47ad8f993232a70341aed7f5707942f021fcc0982bd005e4bd72860e0a3a722cfcce0bacc6e5e82b2770d279f39a2392389b4378
-
Filesize 1.5MB
MD5 199d1b7f27aba051e8901e206f4db9ff
SHA1 6d43800db7b72a84aae4c5c6a78d1b03816a2922
SHA256 bd617e73cfff684cf4e889b0391c2776b569bbe04dc61045aa2bc539d84ce930
SHA512 76e63b9b3a9301fae852c3a6a8665e867478182fdf3f41be9076c6184b3aa2610579acb48e267aa29649e869f3330970edbc312f66513014643ae85fd26ea032
-
Filesize 2.0MB
MD5 3956062af6eb3da771452660fd079106
SHA1 746a2809f0919b6cf2246075bb4adcdfe8c29883
SHA256 ae72b3ac1022ceec217cbf508381febbd1ce560e4fdb35b9f1638880d21c73ed
SHA512 2c91a1ded617e4f59023bb1f7b9fff21bef4bc306dbd019502577efd3ead99de07550445fbfdad9e193e7ab127e226607e51e51dbafb1637fc99371366ebca19
-
Filesize 1.2MB
MD5 aa82c13b49674dfc9e7b5607be8d3482
SHA1 c5fb9dc568d2d95c16eca592a8490e8c84e021c5
SHA256 6395743a0661766be05729d8c3bcb696b10391e8c21e75998089fafe69c727b5
SHA512 c525d3ebb1cfa5d85994139ebd9a23a4b102567c5a8126f0e1992312fc27e3964ba496e5411b2555a686c6acb671a59fd0590b660b9381e1f4ea95ee041235dd
-
Filesize 1.3MB
MD5 4222557881d36098fa800fae9deef249
SHA1 c019d1907da8e3551821fd7521497f934aebb1e3
SHA256 7bf45735685b47bbe58c75c0a0e3e4d85271ebcf4f8363da4c067936263db465
SHA512 aeaeddc591e1ed7752f5706a88641193ef94dd848cdea0a2a5ecaa2179a6bbf3483c5439ec0f092c734726f11fffe61452da9eac0ed976cb5e1fd0aa477376a1
-
Filesize 1.2MB
MD5 a1b7fbed03f9b7b833e3e054a68fc5dc
SHA1 7b8cd4d5e6c932dfc842c20d2967306a20c09d4a
SHA256 12cc1b53be3dfb094b60d1c70b980f07ed741f9b97e5da8905d386fcd5665639
SHA512 ea209078e918b58ea33f100a2cc699598417d28f0bf10a481a11ce16f10637bfbb73073145cd94face433e0e90d8802b889a83978df2f32e136e4c4337fbdbc1
-
Filesize 1.3MB
MD5 f384f064e9755fceb8ce30368e038b14
SHA1 b89d7a81069f72f8fffd5a808c3a075caef511b7
SHA256 50f993af80be9a77bd5d8b6c5718fddfdef9f0720c443db956419dfdb6f36a13
SHA512 78b987997be666c6afe9812f88146e8ffca2688e74aeaaceaed8cf6d249bc9478d624644db128a42b9a33939af45afdd7ff6e9c4cd541d59805cb442938c92d8
-
Filesize 1.3MB
MD5 56c4375e34dfd83096b310f01be547bd
SHA1 8df1119fca0b84f8b8163059e1436d5ce00295c9
SHA256 83fc5f9f079fdc07cef1d02336ebeea4d0e6b98a7a3b0f44ce279dc7f0ac1f30
SHA512 a5acc3792012a92d3b4f28281e47ed63bd59d925ea23b635a104fcb4a073a9a1f74680ca526a957b4970490fd2130b2625c57dd9bb1df7257300c09f26066f85
-
Filesize 2.1MB
MD5 929a930b18dc668f048a6d220edc4155
SHA1 50818109bd135efd0eb02bc186d5ffc4278a108d
SHA256 046b7777a57e99619974be06f78fc1812732712c91a52221f1c43b72091e1d50
SHA512 a6ec321fb76975aac30cf4bbdc51ddb679ffee60c3f17a3dcdf6ce3b7b694ac7dd8c8f9b0686b242b1903b734e6c4b68f9b4e0bec5015905726008eeb483c232
-
Filesize 1.3MB
MD5 65cf0b219b55cd18249c5bfc1c114881
SHA1 eb7106f3d682085f56b7988895109e0bb3f7fa98
SHA256 ac8c529bc60435ffd0027e049af287223b6e336a4f13bee28c420a362ef9df04
SHA512 f0bc1b4c646ad2a0a48a1ea8cebe0f67686332c8df6fae10e7ba2d913c35a11feb215212f999396934584e9bb94c3944c645371e98cbf27c17738dce917750e8
-
Filesize 1.4MB
MD5 01289be552581e7c27bf8316471cbdcf
SHA1 156271013b3c1625f92711534aa4c5a670c9c47e
SHA256 697dae159b2b474dd0102d096f57aa5a505d90313b62f76d0b8f746cd24ac7b4
SHA512 55cd27d2feeaefe38248c322c549b25806ce605175182cfd39b176aa829ca4702e41ed18084c8b11991536534211b8687f8a9bc0bc09da32b6cbf518d2e8432e
-
Filesize 1.2MB
MD5 67c8dea64c0fc75409670a5567471762
SHA1 f616b2f1bf378ceb81f10a1394c457c379635bfc
SHA256 068c942398004f9cbfec55915f5c0947ab4693b778030924b667a1aafe84a071
SHA512 9522c15db413fbe3b409fc2f2ea1f4a383fe868f11e62101464c1544ad9b47d669ce315379881c757c6df4d9e67b41484a0e3562b27b968fdc2c26fc3139208c
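The Downloads section above preserves only sizes and hashes for the dropped files; their paths did not survive in this copy of the report. The PowerShell sweep below is an added example, not part of the sandbox report or of the sample: it hashes executables under the locations where this sample wrote (System32, SysWOW64, Program Files, the user's Temp) and reports any whose SHA256 appears in the report's list. The ten hashes in the script are copied from the first ten Downloads entries above and should be extended with the rest; the roots, the 1 MB size floor (every dropped file listed is at least 1.1MB), the output path and the function name are the editor's assumptions.

```powershell
# Added IoC sweep; not part of the sandbox report or of the sample.
# SHA256 values are copied from the report's Downloads section (first ten
# entries; extend with the remaining ones). Roots, size floor, output path
# and function name are the editor's assumptions.
$IocSha256 = @(
    'e8b18e6364c10368fafdee915a8ca98c0c0383e2578415685472e4222cf15a44',
    'a63a3cebda528cde16859996fd02867817efd5bf34bfee2efde6579e14c15b24',
    'd883b92b483a4fd1f390bcde721516f85bc15395a34a012cd5b01c460f2b321f',
    'defcc20e4af0c2805a42412d42b4921d1b1f6f893f697de2c400536051f80029',
    '074c163e7084ef23b8d051fcea552e4e444349c614959b2031118c02287dfa5b',
    'cb0f4e95a8913faa4031db14f5883cb17ec408a2436b1ad86c34a1c5c93195ac',
    'bdbb59d8182a2e70061b1a180d2cb6c43c214b8edd688e1ab5832d50cf86d583',
    '1019609f49f1b62447196171f453b1984f8818a8de5a830d3425b6d81d85a868',
    '23b6b6a9dbf40824ca5ec6e3cb62af94125cfd8040d6693cc8e7c1407116d38e',
    'cea80d04bfb39810525ed5e7c4e11f1183d3102ad9cd5356a5365043df807303'
)

function Find-IocFileMatches {
    # Walk each root, hash every file matching $Filter that is at least
    # $MinBytes long, and emit a record for each SHA256 found in $Sha256.
    param(
        [Parameter(Mandatory)][string[]]$Root,
        [Parameter(Mandatory)][string[]]$Sha256,
        [string]$Filter = '*.exe',
        [long]$MinBytes = 1MB   # assumption: all dropped files in the report are >= 1.1MB
    )
    # Case-insensitive lookup: Get-FileHash returns upper-case hex.
    $set = @{}
    foreach ($h in $Sha256) { $set[$h.ToLowerInvariant()] = $true }

    foreach ($r in $Root) {
        if (-not $r -or -not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -Path $r -Recurse -File -Filter $Filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -ge $MinBytes } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($hash -and $set.ContainsKey($hash.ToLowerInvariant())) {
                    [pscustomobject]@{
                        Path     = $_.FullName
                        SHA256   = $hash.ToLowerInvariant()
                        Size     = $_.Length
                        Modified = $_.LastWriteTimeUtc
                    }
                }
            }
    }
}

# Roots chosen from where the sample wrote in the report (assumption: same
# layout on the host being swept).
$roots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    "$env:LOCALAPPDATA\Temp"
)

$hits = @(Find-IocFileMatches -Root $roots -Sha256 $IocSha256)
$hits | Export-Csv -NoTypeInformation -Path "$env:TEMP\ioc-sha256-matches.csv"
$hits | Format-Table -AutoSize
"{0} matching file(s)" -f $hits.Count
```

Hash matching only finds files byte-identical to what this sandbox run produced, so treat an empty result as "this build not present", not as a clean host; the Authenticode and owner checks on the service binaries are the build-independent test, and a match here should be paired with them before anything is remediated.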