Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-03-2024 14:47
Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe
Resource: win7-20240221-en
General
Target: 2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe
Size: 4.3MB
MD5: c700bf326c94aa97955a648139c08bc7
SHA1: 970c07cab9a93b3683ca80f87547fcd3120de423
SHA256: a87be2e98f039b2bcab1ca696b7a929c5575a1f1dc05857a29910a2d1611a698
SHA512: b2f32078ef34b45410588989045cf3af6dbf967a6862401c9138e809aa78907d66a8d8a8c8791d56625c76ccfabd7f5bfc64b930c559dd94a68352ead919e788
SSDEEP: 49152:PJABRjHZHCHglfiwz2wkCPhiwi4XWwlgZKUxT2igHF6c9OtZkNSsIpoYKk1a0A:6NMHglfPzrkOiw5lgDx2iB7qYVa0A
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
2028 | alg.exe
1720 | DiagnosticsHub.StandardCollector.Service.exe
4368 | fxssvc.exe
4756 | elevation_service.exe
3288 | elevation_service.exe
2452 | maintenanceservice.exe
1096 | msdtc.exe
5048 | OSE.EXE
2948 | PerceptionSimulationService.exe
4920 | perfhost.exe
4040 | locator.exe
4156 | SensorDataService.exe
4928 | snmptrap.exe
4048 | spectrum.exe
4228 | ssh-agent.exe
2616 | TieringEngineService.exe
4908 | AgentService.exe
2088 | vds.exe
2536 | vssvc.exe
384 | wbengine.exe
3408 | WmiApSrv.exe
3732 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (31 IoCs)
Process column: sample = 2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe
description | ioc | Process
File opened for modification | C:\Windows\system32\AppVClient.exe | sample
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | sample
File opened for modification | C:\Windows\System32\SensorDataService.exe | sample
File opened for modification | C:\Windows\system32\SearchIndexer.exe | sample
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | sample
File opened for modification | C:\Windows\system32\msiexec.exe | sample
File opened for modification | C:\Windows\SysWow64\perfhost.exe | sample
File opened for modification | C:\Windows\system32\SgrmBroker.exe | sample
File opened for modification | C:\Windows\system32\dllhost.exe | sample
File opened for modification | C:\Windows\system32\fxssvc.exe | sample
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\dc33d94a12041754.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | sample
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | sample
File opened for modification | C:\Windows\system32\TieringEngineService.exe | sample
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | sample
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | sample
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | sample
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\vds.exe | sample
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | sample
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | sample
File opened for modification | C:\Windows\System32\snmptrap.exe | sample
File opened for modification | C:\Windows\system32\spectrum.exe | sample
File opened for modification | C:\Windows\system32\AgentService.exe | sample
Drops file in Program Files directory (64 IoCs)
Process column: sample = 2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | sample
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | sample
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | sample
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | sample
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | sample
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | sample
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | sample
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | sample
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | sample
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | sample
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | sample
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | sample
File opened for modification | C:\Program Files\7-Zip\7z.exe | sample
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | sample
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | sample
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | sample
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | sample
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{C46D29B7-FBFD-4C6D-8549-2E7FD76C9A02}\chrome_installer.exe | sample
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | sample
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | sample
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | sample
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | sample
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | sample
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | sample
Drops file in Windows directory (3 IoCs)
Process column: sample = 2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | sample
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
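The "Executes dropped EXE", "Drops file in System32 directory" and "Checks SCSI registry key(s)" tables are the raw material of triage: the same Windows service binaries the sample opened for modification later show up as running processes, and two of those services then read SCSI device identities from the registry. The script below is an added example for this page, not the sandbox's or the sample author's code. It parses the flattened, run-together row format of such a report, cross-references which overwritten files subsequently executed, and pulls the bus/vendor/product triples out of the Enum\SCSI instance IDs. The embedded inputs are short excerpts of the rows above; VM_HINTS is an assumed heuristic list of virtual-disk vendor strings and is not taken from the report.

```python
"""Triage helpers for a flattened sandbox report (added example, not vendor code).

Parses the run-together rows of the "Executes dropped EXE", "Drops file in ..."
and "Checks SCSI registry key(s)" tables, then answers two questions an analyst
asks first: which files opened for writing later ran as processes, and which
SCSI device identities the spawned services read from the registry.
"""
import re
from collections import defaultdict

# Input excerpts copied from the report above (a few rows of each table, not all of them).
SAMPLE = "2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe"
DH = "DiagnosticsHub.StandardCollector.Service.exe"
EXECUTED = (f"pid Process 2028 alg.exe 1720 {DH} 4368 fxssvc.exe 4756 elevation_service.exe "
            "1096 msdtc.exe 4048 spectrum.exe 4156 SensorDataService.exe 2616 TieringEngineService.exe -")
MODIFIED = (
    f"description ioc Process File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\system32\\fxssvc.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\system32\\msiexec.exe {SAMPLE} "
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe "
    f"File opened for modification C:\\Windows\\system32\\DiagSvcs\\{DH} {SAMPLE} "
    f"File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\dc33d94a12041754.bin {DH} -")
SCSI_BASE = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\"
SCSI = (
    f"description ioc Process Key opened {SCSI_BASE}CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\\2&1f4adffe&0&000001"
    "\\Properties\\{51236583-0c4a-4fe8-b81f-166aec13f510}\\007A spectrum.exe "
    f"Key opened {SCSI_BASE}Disk&Ven_DADY&Prod_HARDDISK\\4&215468a5&0&000000 spectrum.exe "
    f"Key value queried {SCSI_BASE}CdRom&Ven_DADY&Prod_DADY_DVD-ROM\\4&215468a5&0&010000\\FriendlyName SensorDataService.exe -")

# Assumption (not from the report): vendor/product fragments that usually indicate a virtual disk.
VM_HINTS = ("msft", "virtual", "vmware", "vbox", "qemu")


def _rows(text, header, markers):
    """Split a flattened table into (marker, ioc, process) rows.

    Each row starts with one of `markers`; the process name is the last
    whitespace-free token, the IoC (a path or registry key) may contain spaces.
    """
    body = text.strip().removeprefix(header).strip().rstrip(" -")
    parts = re.split(r"\s*(" + "|".join(map(re.escape, markers)) + r")\s+", body)
    rows = []
    for marker, chunk in zip(parts[1::2], parts[2::2]):  # parts[0] is the empty prefix
        ioc, process = chunk.rsplit(None, 1)
        rows.append((marker, ioc, process))
    return rows


def parse_executed(text):
    """'pid Process 2028 alg.exe 1720 ...' -> [(2028, 'alg.exe'), (1720, ...), ...]"""
    tokens = text.strip().removeprefix("pid Process").rstrip(" -").split()
    return [(int(pid), name) for pid, name in zip(tokens[0::2], tokens[1::2])]


def parse_file_mods(text):
    """'File opened for modification <path> <process> ...' -> [(path, process), ...]"""
    return [(ioc, proc) for _, ioc, proc in
            _rows(text, "description ioc Process", ["File opened for modification"])]


def parse_scsi_keys(text):
    """'Key opened <key> <process> Key value queried ...' -> [(op, key, process), ...]"""
    return _rows(text, "description ioc Process", ["Key opened", "Key value queried"])


def modified_then_executed(mods, executed):
    """Map each executed image name to the paths that were opened for writing under
    the same basename. An overwritten service binary that later runs is the pattern
    this report shows; log files and data blobs never appear in the executed list."""
    ran = {name.lower() for _, name in executed}
    hits = defaultdict(set)
    for path, writer in mods:
        base = path.rsplit("\\", 1)[-1]
        if base.lower() in ran:
            hits[base].add((path, writer))
    return dict(hits)


def scsi_devices(rows):
    """Extract (bus, vendor, product) from every Enum\\SCSI instance ID that was read."""
    devs = set()
    for _, key, _ in rows:
        m = re.search(r"\\Enum\\SCSI\\([^&\\]+)&Ven_([^&\\]+)&Prod_([^\\]+)", key, re.I)
        if m:
            devs.add(m.groups())
    return devs


def vm_hints(devs):
    """Devices whose vendor or product string matches a VM_HINTS fragment."""
    return {d for d in devs if any(h in " ".join(d).lower() for h in VM_HINTS)}


if __name__ == "__main__":
    executed = parse_executed(EXECUTED)
    for base, srcs in sorted(modified_then_executed(parse_file_mods(MODIFIED), executed).items()):
        for path, writer in sorted(srcs):
            print(f"{base} was written by {writer} at {path} and later ran")
    devs = scsi_devices(parse_scsi_keys(SCSI))
    for dev in sorted(devs):
        print("SCSI device enumerated:", dev, "(VM hint)" if dev in vm_hints(devs) else "")
```

Run against the full tables by pasting each table's single long line into the corresponding constant; the `- ` separators and the `description ioc Process` header are stripped by the parser. The VM-hint match on `Msft / Virtual_DVD-ROM` is exactly the kind of signal the report's "SCSI information is often read in order to detect sandboxing environments" note refers to.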
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000389ee15a8c74da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b3aa45c8c74da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad13165b8c74da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000177c7d5a8c74da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ab7975a8c74da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6494f5b8c74da01 | SearchProtocolHost.exe
Key created
\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid Process
2608 2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe (repeated 37 times)
1720 DiagnosticsHub.StandardCollector.Service.exe (repeated 7 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found
664 Process not Found
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2608 2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe
Token: SeAuditPrivilege 4368 fxssvc.exe
Token: SeRestorePrivilege 2616 TieringEngineService.exe
Token: SeManageVolumePrivilege 2616 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4908 AgentService.exe
Token: SeBackupPrivilege 2536 vssvc.exe
Token: SeRestorePrivilege 2536 vssvc.exe
Token: SeAuditPrivilege 2536 vssvc.exe
Token: SeBackupPrivilege 384 wbengine.exe
Token: SeRestorePrivilege 384 wbengine.exe
Token: SeSecurityPrivilege 384 wbengine.exe
Token: 33 3732 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3732 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3732 SearchIndexer.exe (repeated 24 times)
Token: SeDebugPrivilege 2608 2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe (repeated 5 times)
Token: SeDebugPrivilege 1720 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3732 wrote to memory of 5964 3732 SearchIndexer.exe 127
PID 3732 wrote to memory of 5964 3732 SearchIndexer.exe 127
PID 3732 wrote to memory of 5988 3732 SearchIndexer.exe 128
PID 3732 wrote to memory of 5988 3732 SearchIndexer.exe 128
-
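The EnumeratesProcesses, AdjustPrivilegeToken and WriteProcessMemory tables above are each delivered as one run-on line, which makes the one question that matters in triage (which process enabled which privilege, and who wrote into whom) hard to answer by eye. The following Python is an added example for this page, not the sandbox's own code or tooling. It parses excerpts in that flattened layout into per-process facts and keeps only the privileges worth a second look: here the sample (PID 2608) enabling SeTakeOwnershipPrivilege and SeDebugPrivilege, and vssvc.exe (PID 2536) enabling SeBackupPrivilege and SeRestorePrivilege. The excerpt strings are constructed from the report's format and shortened; the regular expressions and the SENSITIVE set are this example's assumptions about that layout, not anything the sandbox defines.

```python
"""Turn the flattened signature tables of a sandbox report into per-process facts.

Added example for this page; not the sandbox's own tooling. The strings below are
constructed excerpts in the report's run-on layout (pid/Process pairs,
"Token: <privilege> <pid> <process>" records and
"PID <src> wrote to memory of <dst> <pid> <process> <procid_target>" records).
PIDs and process names are taken from the report; the subsets are shortened.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe"

ENUMERATES_PROCESSES = (
    "pid Process "
    f"2608 {SAMPLE} 2608 {SAMPLE} "
    "1720 DiagnosticsHub.StandardCollector.Service.exe"
)
ADJUST_PRIVILEGE_TOKEN = (
    "description pid Process "
    f"Token: SeTakeOwnershipPrivilege 2608 {SAMPLE} "
    "Token: SeAuditPrivilege 4368 fxssvc.exe "
    "Token: SeBackupPrivilege 2536 vssvc.exe "
    "Token: SeRestorePrivilege 2536 vssvc.exe "
    "Token: 33 3732 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 3732 SearchIndexer.exe "
    f"Token: SeDebugPrivilege 2608 {SAMPLE} "
    "Token: SeDebugPrivilege 1720 DiagnosticsHub.StandardCollector.Service.exe"
)
WRITE_PROCESS_MEMORY = (
    "description pid Process procid_target "
    "PID 3732 wrote to memory of 5964 3732 SearchIndexer.exe 127 "
    "PID 3732 wrote to memory of 5988 3732 SearchIndexer.exe 128"
)

# Privileges whose enablement lets a process read or tamper with other processes
# and files. This set is the example's own triage choice, not a sandbox category.
SENSITIVE = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeLoadDriverPrivilege", "SeImpersonatePrivilege", "SeTcbPrivilege",
}

# Assumption about the layout: a process name is one whitespace-free token ending in .exe.
PROC = r"(\S+\.(?:exe|EXE))"


def parse_pid_process(table: str) -> Counter:
    """Count how often each (pid, process) pair appears in a pid/Process table."""
    return Counter((int(pid), proc) for pid, proc in re.findall(r"(\d+) " + PROC, table))


def parse_tokens(table: str):
    """Map pid -> set of enabled privileges, plus pid -> process name."""
    privs, names = defaultdict(set), {}
    for priv, pid, proc in re.findall(r"Token: (\S+) (\d+) " + PROC, table):
        privs[int(pid)].add(priv)
        names[int(pid)] = proc
    return dict(privs), names


def parse_memory_writes(table: str):
    """Return (writer_pid, target_pid, writer_process) tuples."""
    pattern = r"PID (\d+) wrote to memory of (\d+) \d+ " + PROC + r" \d+"
    return [(int(src), int(dst), proc) for src, dst, proc in re.findall(pattern, table)]


def sensitive_by_pid(privs):
    """Keep only processes that enabled at least one privilege from SENSITIVE."""
    return {pid: sorted(p & SENSITIVE) for pid, p in privs.items() if p & SENSITIVE}


def triage():
    """One summary dict a reviewer can diff between two runs of the same sample."""
    privs, names = parse_tokens(ADJUST_PRIVILEGE_TOKEN)
    return {
        "enumerates": parse_pid_process(ENUMERATES_PROCESSES),
        "sensitive": {names[pid]: p for pid, p in sensitive_by_pid(privs).items()},
        "memory_writes": parse_memory_writes(WRITE_PROCESS_MEMORY),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Running the file prints the three summaries; on the excerpt, fxssvc.exe (SeAuditPrivilege only) drops out of the sensitive list while the sample, vssvc.exe, SearchIndexer.exe and DiagnosticsHub.StandardCollector.Service.exe stay in. Repeated rows, like the 24 SeTakeOwnershipPrivilege entries for SearchIndexer.exe in the full table, collapse into one set entry, which is what you want when comparing runs.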
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service (VSS) manages backups and snapshots, and ransomware commonly calls it to enumerate and remove restore points before encrypting. In this run vssvc.exe (PID 2536) and wbengine.exe (PID 384), both tagged "Executes dropped EXE" in the process tree below, enabled SeBackupPrivilege and SeRestorePrivilege. The signature records COM API use only; no vssadmin or wmic command line appears in the report, so it does not by itself show which shadow copies, if any, were deleted.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:2028
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:2500
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4368
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:4756
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3288
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2452
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1096
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:5048
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2948
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4920
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4040
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4156
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4928
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4048
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4228
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:376
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4908
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2088
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:384
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3408
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3732
-
C:\Windows\system32\SearchProtocolHost.exe (child of SearchIndexer.exe, PID 3732)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:5964
-
-
C:\Windows\system32\SearchFilterHost.exe (child of SearchIndexer.exe, PID 3732)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
- Modifies data under HKEY_USERS
PID:5988
-
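The process tree above is the part of this report an incident responder acts on: every entry tagged "Executes dropped EXE" is a service binary the sample had already overwritten, started later by the service control manager rather than by the sample itself (it sits at depth 1, with no parent recorded), and the only genuine parent/child links are SearchIndexer.exe spawning its two helpers. The following Python is an added example for this page, not the sandbox's own code. It rebuilds that structure from a constructed excerpt of the tree in the report's raw layout (image path fused with the command line, then a depth digit and an arrow marker, optionally followed by PID:<n>; tag lines start with "- ") and returns the list of executed dropped binaries to verify against known-good copies. The excerpt is shortened, and the parsing rules are this example's assumptions about that layout.

```python
"""Rebuild parent/child relations and tags from a flattened sandbox process tree.

Added example for this page, not the sandbox's own code. PROCESS_TREE is a
constructed, shortened excerpt in the report's raw layout; the regular
expression below encodes this example's assumptions about that layout.
"""
import re

PROCESS_TREE = r'''
C:\Users\Admin\AppData\Local\Temp\2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-12_c700bf326c94aa97955a648139c08bc7_magniber_revil.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:2028
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2500
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4368
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5964
-
'''

# Image path = everything up to the first ".exe"; the command line follows with
# no separator, then one depth digit and the arrow glyph, then an optional PID.
HEADER = re.compile(
    r"^(?P<path>\S.*?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$",
    re.IGNORECASE,
)


def parse_process_tree(text):
    """Return one dict per process: path, cmdline, depth, pid, tags, parent pid."""
    entries, stack = [], []          # stack[i] = most recent entry at depth i+1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = HEADER.match(line)
        if m:
            depth = int(m["depth"])
            del stack[depth - 1:]    # leaving a subtree pops the deeper entries
            entry = {
                "path": m["path"], "cmdline": m["cmd"].strip(), "depth": depth,
                "pid": int(m["pid"]) if m["pid"] else None, "tags": [],
                "parent": stack[-1]["pid"] if depth > 1 and stack else None,
            }
            stack.append(entry)
            entries.append(entry)
            continue
        pid = re.match(r"PID:(\d+)", line)
        if pid and stack:
            stack[-1]["pid"] = int(pid.group(1))
        elif line.startswith("- ") and stack:
            stack[-1]["tags"].append(line[2:])
    return entries


def executed_dropped_binaries(entries):
    """Image paths the sandbox tagged as dropped and later executed: the files a
    responder must treat as replaced and verify against known-good copies."""
    return [e["path"] for e in entries if "Executes dropped EXE" in e["tags"]]


def children_of(entries, pid):
    """PIDs whose tree parent is the given PID."""
    return [e["pid"] for e in entries if e["parent"] == pid]


def by_pid(entries, pid):
    return next(e for e in entries if e["pid"] == pid)


if __name__ == "__main__":
    tree = parse_process_tree(PROCESS_TREE)
    for e in tree:
        print("  " * (e["depth"] - 1), e["pid"], e["path"], e["tags"])
    print("verify:", executed_dropped_binaries(tree))
```

On the excerpt the verification list is alg.exe, fxssvc.exe and SearchIndexer.exe; svchost.exe carries no tags and stays out, and SearchProtocolHost.exe (PID 5964) resolves to parent 3732, matching the WriteProcessMemory rows above. Feeding the full tree through the same function yields the complete set of 22 dropped binaries the report lists.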
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.1MB
MD5: 00fb5eaab30069acc5ff58bbdcc9b6bd
SHA1: 14c925b55a959ffe8947b69a492264612982807b
SHA256: 63d16e92a2cf64eafd78d2f86e48a3245239c6752e29c8cecbd7c929f699b1aa
SHA512: 3d9131ff94636820bac738afdbc2585789838ef6347019baaf1ab932a68f2f7d5256f2ae5723ba1db6ea138c4beea193da8782cf98c0b6b838c3e65f2a74b52a
-
Filesize: 781KB
MD5: 0f2533651e0a68a20d95ea85626f49f6
SHA1: ca38d3f7c3b3c9af2f109ceb88f4280a04e05bb7
SHA256: e622a76fcd28f8fbe0d21f0672fffd039b74f15118c060687b06624e9985d81e
SHA512: dba343b095c60bc8fc49b4cda1587a2c16f8edb4ad1b1c92d658a70c35535139a45ef7e1ea52eeaafa5e67ccddfd6dbc419615eb2e0788e619db60c5b3bd311a
-
Filesize: 1.1MB
MD5: 6dc2dd5a2727714b8ecd9ff0a513615e
SHA1: 61250073151677a8cdf1c1306ac2f67ed5766fa3
SHA256: c939a7511b1fe3bc05b3003f73b35fdf4cda83ebca4f9fda86db9ac95d8c49d2
SHA512: 8616644c84300fcc2440d2d4c11e6f1d7718649b7d076f122154e684c884e0163f0034050666f4c47094e4b093d13e615b80a070a099a6fd8e4ade051efbc592
-
Filesize: 1.5MB
MD5: adc02f5cc030dbbbf88b38db8423ce8d
SHA1: d7b0c5cd5cdfbb819a946f5fd71d5d14cc44a52e
SHA256: 60c51500a87c0fdd0c3371243d03d78ac5a534dc747a08fd5fc10bbbd3495f4a
SHA512: 4caab425678ea9e517c400589da2c376e021c74e20cb6bb9323c8bd5d7a59c297d1eea15a0f79fd73850ea323d9d395c66bd4802573d03fd30252451b420d9a0
-
Filesize: 960KB
MD5: 948eaea4eed5b1c30c39fbbc8ebd3a26
SHA1: e301c055452c159932a0e03f0fe7b80e67185d05
SHA256: a18a2d665dcc2912a473a6b33257413dd7909669d4a8809a774dc073b73065e3
SHA512: 72499182b7560dfacaa96964f6f87fa548b8a9d7249ccd8e142f8d9b4798a5ca55795c2d5fd792e0313eb72f2800ab25a10045f86017d34168196012b02ab835
-
Filesize: 582KB
MD5: 330057573c5fa464e7cdbc64063e38fa
SHA1: ef4ff7200353781fa69ee0a959d7225f47505239
SHA256: 88b77f0ae4f958eab245793578a53af70afe42b609950cd4d94497120423e0ef
SHA512: 2a49f8010041843a137f5404e246d30d101035a8c9d63b1c12dfcda33febda7de430abf7eb3b265d49237a512690f9570e7ddbda53f883a462471c8f3fd8aecd
-
Filesize: 768KB
MD5: ab33da034f7870c1983bf4561f83863c
SHA1: 7c92971fff98a9fd406ecb45f24311ecb8f9f566
SHA256: d8850b81dcacb4240c1e93d812a8cddca5cd9083326afdea7bb88105416275f4
SHA512: c219041bf2555e675d48f3b561f5ff8afe0ffcbf5c8935fb619d6b158bcbd8e014ee2255935b2064236e90cf292b4fc8416708e498df3385f23c4afbf444861a
-
Filesize: 4.6MB
MD5: dc16efa582cd97f42eccd287dcf19d48
SHA1: 53d600a37de99f00b1014b3bacddf86435253ab5
SHA256: 06346af0bf604598befe3020f6d2c7ecdfa1bfc79e41bca6b166366af8bd5f63
SHA512: cf7dc978d50a41697f9769fa60ef2e197a27da0a447c168e48622f30de52e569a0a1a9d57fe3e6cde7175924530276fc37f378162cff2d1b0d772b5b0c45ed1e
-
Filesize: 910KB
MD5: 16ff83ef550dceea9cc314a6bc79b6d4
SHA1: f398759e8d69b06e74b66f78711705715e7255bb
SHA256: 536435520e904cf36cd625bc791a7c9eda0516d9503b4df20ea0e518c462b31d
SHA512: 32c49261ecc1b0af8657b8a094ce5514d2a26a399eaf6a1d02f88d0be5dd370cf06384b46a1b32f29b9bca44c8d013ea23e1f242c7219dfff4734f2fa3451a32
-
Filesize: 832KB
MD5: b2100baa38be84672e9cfe8053b4aeb6
SHA1: a3a0b9adbb3d834d4c375f1b7665af618e3ade24
SHA256: 122d4ed47c91cc8a4d06aa85bf7c0105fe8ce7a82bd21ac6a9c3c1fd94e962e4
SHA512: 4d00a38b8f59f26ab7d68b87c63fdb1d0e86765f04d61dee9cfc500ce37adfce0f5639674bb7513fc781439d2a93a63ef2b72d18e44e9f2dbe8dbed7011f4eb6
-
Filesize: 960KB
MD5: 32df4f57f0889001df65503bf175eccd
SHA1: de4a14076a7a33bd403e1c9a11856b915aafa26e
SHA256: bbf2042e96d228899996bf19db50391e0f92e7b78970945e12db513e6580adef
SHA512: dc50691196e51a0be900713472e4d5d3f5323d5ac2907eef2ef4dcdaac8279f8358fce6ad25ad93d63339d6ddeeabd17aecb29a771eb950ef71cbd599a9ee8cb
-
Filesize: 1.1MB
MD5: 68a32638e887d15f068793d8ed7a262e
SHA1: f2ddeee5f52456e52f8f38071506729af744657c
SHA256: 52bca394f732f007fa8819d64d2ad1f40085e8e54f754f430c745773aaba7f67
SHA512: ed9ca20f7defa0793dd123437b70cef5c36ce2d68691c701bdea24dcf2115f9da5380d08e696b0ae9a52df2b29258553678c9a5cde9f4e3a1fc6ed4753f52b9d
-
Filesize: 805KB
MD5: c41ad98a1db39bcbb905e477421b448e
SHA1: 51874cb9ee9e2f8031fbef45cec8c55f23c6faf9
SHA256: 9ce7ebcedfa45d13d56736314392297b867bed31031f9f0e511d7574f66ab1aa
SHA512: 10963ac7520d68d6b605efedd48666154d795aff9e14bcd3121b352a7e9d3913f93b5559aa8e2faa737c2d156061259b4ef878c7b92cb4effae751537f80c940
-
Filesize: 656KB
MD5: 4156cc17c280496f5e77a95925c9b57b
SHA1: f670bbe0cd112d5d49fbd755d9c930b42efe4ba2
SHA256: 1930508e21c1fe3f0d07b9138f04b43ccbd12f40870b7021ddfceb4a53706835
SHA512: 7d26fd0ca856c46ba7bda7ab729ce65a975d884c14f3c3c7deaf1411ea9aaf28ded5babb842c9e8e2ebec546daffc58d5c7fdf10fc4ed7dabac203870618f164
-
Filesize: 576KB
MD5: d015ab51e70dfa8f8d9d148b9a0cb9c5
SHA1: 75a7ce99e515a127d26609a1786ecb82f458c567
SHA256: 434db17b45a46b2bae2cdb9a05c77e04ec366d25442084298534fb5dbe95b2c6
SHA512: 165ba9178de879af5754c3975b5bae637335cb361e8fe0ded0035a5c1b7d5c7a99698a516440a52c39f1192c27df414d4ceae4ca3998df8d222ea6248fa1e55d
-
Filesize: 704KB
MD5: 5b31a52d542c700803c2d6b1411ee22d
SHA1: 1cea5e8b60f28f3659d9af8e32cc6368310b716f
SHA256: fb61d465a8c6829e36c4f2b8ad22ab87e3eec2cb1c7bfd44e6490af18a71d475
SHA512: 1e7765fd112207a851278f05080975760b510d2d860fc021da756db5f97d35ad506d1073e37d1f869861e791094c288256b73c1f125bc916bbd6c1931d54f212
-
Filesize: 2.2MB
MD5: c0cee8ea37197cc78f79ea813e6a13a8
SHA1: ae2598d6c8036a4bb622129c5aa13c5a63d5d1ce
SHA256: e7bdcd2bb4e59a6de75a4909597a94cb2f1042c69bc76995b168e64f434bcb61
SHA512: 38de0b118a692668814bbf46ae2f96f06067cb444cf6269e8af2b2871d0069dd232c1be9df75d1fbfc12b888ef8c15c69fc9d52280ba402999e44a254c7e34e4
-
Filesize: 1.8MB
MD5: e7ecf4639212e3b7873d9d395492b84c
SHA1: ecbb152f66b83d66ef5dab628b5ecba7a5e58714
SHA256: 2f914118a7cde3bb438b2e2b720eb1b3f10264d34d7755b39c0c3242bb2497fc
SHA512: cef8714e41bf06c644fa6f8eb5526591ee88e8b8a8121165dcccceccd2c552fcf364ba4fc98cee5e369bdab860cd6250d401e3c5bd6eab71b18bbabcb399063e
-
Filesize: 640KB
MD5: 9231284ca2666b2ae267f49caef25b3e
SHA1: a14ee0b2c2a3d45957dbf9cd3e0909de297b7332
SHA256: 8cb9680912cbfe467220a6424a2466fae2a089f33c13015699c1127f765d3e6a
SHA512: 947e646bfe345ebd778dfd5bc3b33972268e14cdcde55939b017493e768aa852ce9e8982b833b0d27afc53bf998522eac6501c5a8bba712afa9535b64c64ce81
-
Filesize: 1.5MB
MD5: bf21cb1364ecae88bb7c861d4ac0fe52
SHA1: e235651e9e017b00778abda676355b57ffbb2c2c
SHA256: 84db40c248a3ae3bb60205465036427299258e87cf0467a2dc6e5fe49786079b
SHA512: 4569516bbab2b99a378655d4efc5cd6a991b905e463bcbc635f3e5a30375cec60831fe9189855d8e3dc2657cb8f9c329740c70f7931d74a1418420bfeb0f9a8b
-
Filesize: 581KB
MD5: 1dbc6e1bdfa23b521f4ed911a92eab13
SHA1: 079c8b5a3837b358868acead53a75af01005e6c3
SHA256: 93ed85b99436928d700f0cc4f83a89ba00c3325ae5dddb698fe069306f6c8f55
SHA512: 4d1978d7eb03554871027b22cdeba15d30e46ad00efd154f5cb37671cedee1ce728aabbbd7c96ca62a2a58a0bac607eb5029bd98b05aa4a85f698bf0eb02515f
-
Filesize: 581KB
MD5: 7fcb5fb7c3883e560812d167661649d5
SHA1: 80e8296fe18ef5e9d424dea68af5141ce9d86680
SHA256: 21f04a3a35c8fd70dc32971ad677109a6a83e732405f2fb1b9f077a461116123
SHA512: bbb8befb7366fca26765a9a6732788644012a9260f8984f57b7e56eaab26073b8e2a279eca25c4ccbb572cd6719fc459b70cc5221dd74426666db5f7a59ab0f8
-
Filesize: 581KB
MD5: 0391948bd0e5e9f49cf067b7048f7670
SHA1: da8ddc279b6a866d3792c25f6c530bd629c52720
SHA256: a27ab43180b268ae42d221f542bb6a092e1ccc04ae8930aff7865b029e2ca41a
SHA512: 1d83519de845bb8533e356f7c83cd36856a0d95146c1b83c514c872b5449f39181026409c3379960201a1a6696a1fc31958bb66215645d3dd68b356483258ac6
-
Filesize: 581KB
MD5: 20713683746679cc811e4ed138f71d2e
SHA1: 6a97cd38c697f1fc016a7bb59b863e44692c4753
SHA256: 8724ad0fef105d8370f69754537d66fffaf03f88415530dd1584cd26cde2e79a
SHA512: 356ab6ce79db1d5727d66a8362450e3b1a485594a55287919afafbd68fa6fa254dc962a6bf92fdde05515cb6e0552cead6c429d1b1c31681e6d03fbec76a725f
-
Filesize: 581KB
MD5: 301f45ab87aa0e8b5d4a80ce0c10b222
SHA1: e51dd3f4b252c20a5e035548011b353897585908
SHA256: 533e4807369d96cdf9eb76cbb98c439b569fb81f6766e8bcb7e15cb4130f2cbb
SHA512: 70134a95443511766f81a39b92e595f5d0723e917e6923202d485b4c231aa8508804df700873dd8b087f7374d07e6c754588ee4159e7cb63dfa1558d3e9fa7d3
-
Filesize: 581KB
MD5: 1a5dea2f741baa4959f2c864c632e66f
SHA1: 2285ae94d688ce659ab06339c2e90a8d47de4f36
SHA256: 229c94ed1f40738f95f3637e5f9a22764ca707c208b29bf8c3bd97d34e3b71d5
SHA512: 9003e6581d8870ae0a3450c5cc9f6399315740ff9f6199ba7d0295ce319712fe281f8856443ce90b08322942d2e35015d42a1622c70e796f2cd45926d5726c7f
-
Filesize: 640KB
MD5: 8edb74372bbd219c49fc531ce0f4cd2e
SHA1: 65426847c7663d147518b1f6bd3f2891d1717531
SHA256: 0ffae8766f75132b19b222aab2e0b3701fed424d8e00cecdaa787faff4918ed2
SHA512: 109e9a850c58d52fb8a85a3853c12f9471d26e1e82489e7da6449f34105ca1493673ee4b43061a1f4ff6c173f45ad098e1ef111e1afd4dca800777b26af856e2
-
Filesize: 581KB
MD5: 8db13194304afd9fdee107ec289a3a7d
SHA1: 53427e4de29bbfff4c599f537a12924f9701bc72
SHA256: 16b40fd892f5d643a7f58d04d45c33064e35d0cf07a93eea1db3a9e245ced977
SHA512: 9635d4c4d83c71fb2b51133fbf3e0011b85b4535d300d807e6db369bc69686f6e330fa9d404e6ac7cb80af69b91c4b10a21104b3f380c02d6c61ce443524dd14
-
Filesize: 581KB
MD5: ab9ae235f27d92cc45e4df3a29390f31
SHA1: d2dbf9f8133e68502b6a02c0aba71ff1c281629d
SHA256: 231aa11eea84f80b64f33d5df2b0dc5a03b57f807c9d6a646b8ad3ab42e2b5de
SHA512: 12bfc3df406845cce2c61cea8819b31d4df601ab8c79366ae6b50696244ec4558cc084f56132a59a64ba75e09eb41be3ff4a51677e1895906657f8ffc8ba0675
-
Filesize: 576KB
MD5: 313941f3d32e08edc4cb83c21b610ce2
SHA1: 9660c0de1f1e0091f285c68b71381cb6620fd1bb
SHA256: 281fe9a43a8c74b084189966998016eb1f8a9daa1856037b658f4c8fb53a7b87
SHA512: a9673b741faaf5acef0f72f4ed813dbce71e45b1f06d56d33534706190edfe574e162d159dcae28e7ae9104597f587c07ead234490f7059ddb02ed2ea3d642fd
-
Filesize: 576KB
MD5: ac34d2f781ef86ac0489a63deba2fa89
SHA1: 4d76b06a45c54a101b74ec26175fb7492ce228c3
SHA256: 6141eed33425f25329555b5a323664459429c0dcd9fda97313104ab42af847b0
SHA512: e98a5e6a18f1e59c674777073cbacc6a7b2cb8829c8dc423a3e4b4b6c01b299a82b81dadf14226d9998ce0b471c85fe3b7e733ac8c94c3de1115fe3f5f1d8a2b
-
Filesize: 576KB
MD5: b243562192d782b02e0f0f3bead42947
SHA1: 0e97f96fb890b3dccc2290f176f8b98578e37a38
SHA256: 14be598084e2ce921c60edb66e97b9bd825ae4521361f1fe5dd7e403322b14dd
SHA512: f3d9eb85575f0a18cf583691df25664eeed25acce10169b1eb9a6eafaaf768b2627536d28f80822118c5af321b6efcdc6a73ecdd590827b14f10cdee48b3b516
-
Filesize: 576KB
MD5: 9ad7847a3a8b6485b7e970ba05b9cd2d
SHA1: 29e9e0d51e9bebeb0256b67e3134ef9e11b219cd
SHA256: d3c73816f6a8d6f9e25e32112a4d641ad9e7c2f33db9ab234ed7de803f64e395
SHA512: f300ee3077ee8ac6955b20928ee02b0f061c73e8165f9ca48ef955581daa5c6f2947ea6635d39b225fe7421299eab8d1bf51a067334aa65fdf9adda689229aca
-
Filesize: 512KB
MD5: bd87989ffb87fdea70d22a39be11baab
SHA1: 514a8ba1b1dbb4fefeb8d30ab93bf0beab2c77ce
SHA256: a2a7fe61d8b099bb4b4c5e20dca9bcd3d11de375ef43c8779d7648668ea26fbe
SHA512: 848fa8eccfbf7cb348e0ce28646bc9ced7a80d22a54c62704469bbc36e08d42f11eb01c650eaa89978439d8194509c4a98f573317260bd3b47437b8e75e4e88d
-
Filesize: 1.5MB
MD5: 777cc63adc8b41beee30ad3751df37c9
SHA1: 6e869830cf32a5f413f7b90b6d43307e5b6d3a14
SHA256: 12bb6da97ba24d976dc6cd5dd51150b8cc9aa45285b394b01d937cd122f42b79
SHA512: a94fc40016c4d7fb108ba63ddca52bcbef4ce19194050efa992a823396b044502946e87654e6a5aaf55b17f2108c59760e840bab33ce3eea90c1ebaa1d4eb505
-
Filesize: 696KB
MD5: 6a66213ea3e66ab84bdcdc751ee1c7d1
SHA1: b8e00dcce94fe8a15a867504a2058896816bde6d
SHA256: 784707f3f8e6faec44d0e33b30848f6fdb49bb557846f70c83badd0de891d5f7
SHA512: dc39581124a6fe74476d9a6952dcd126588f39f0efbe47d3c5ee8657c86448d82abc03b4de822ed459adb7137e3aefbd8a801159f09a1a8403a0205f26d3b694
-
Filesize: 588KB
MD5: 54a7c90bab73348f17287a2d9013196e
SHA1: 2326a52af1a34d24ebdfe6549feb3c5d8ed5a052
SHA256: 2d04675ae37413e05c9a620ea7251f2b8809b1771a535905ed9ba6af9d7d42cf
SHA512: 2ddb73b994dafcacea1ddf2d79a211224aba50ac17b22f71adaf9ce42a2fbd795905bdc867928599be491e23d5105151cf71566ea5ed89832af555460ce51ca7
-
Filesize: 1.7MB
MD5: 66f219aa986a599a9b94706bb3f948e3
SHA1: 282ad372f6fa297ed135ccc42047915b5540f1f7
SHA256: 93536aa6f1772b3cd8fb48564d1dc4552d69c8879f91d4663251710611b97c95
SHA512: ce0af69f71991b3915c06d742cc58c2faa996b014fd41c8a3171503b5ebefc566fd0030d51d775a01acc300479c9d0d1c11e06c8005fc3433d786b3ee89f73c2
-
Filesize: 659KB
MD5: ae6e3a2ee15b161009d6b6ecda1ed0fa
SHA1: 7b2bcffc981a9ebd860f3df14b2a9d0b57c4e6e8
SHA256: f6378feb4ec3217b55bf71cf695f2528cf9b0cd9257d37888ca1d0e55321a3d1
SHA512: 7de10853006ac61cc50618936ec453effb15a6f471ff5e9552a71afc61d5f249ea99e88b079ced8500f2e15fe4cbe30e0aa3cf502e1658926dbc59da487cb1d0
-
Filesize: 1.2MB
MD5: 106cb6ffe92bde4827525d408bf46fd4
SHA1: 8bc1de2312b1aab47f2e96c2c0a151597332b0ce
SHA256: e029abf6b79ef90420dd0a60aa62caf8013782707bed60d8da52c957d9351565
SHA512: 1653c440ac176135c6561105e50300a13bb7d7d118ac9020084c3ec0b20371a798cc85b9e3f681829752fb4d46db988edcba33518e9bd44ffb7aafb3d1f21c98
-
Filesize: 578KB
MD5: f5499d0b4041ac2a7cc497288324bc0d
SHA1: 1f769791c1e23d95163dc36ae00546ff8ac45dc3
SHA256: cd6d420fbf8991e246108e84886432c4f1e85124bbfa9b8a9274bdd9412fe8a9
SHA512: 6dfbaf388e296d21ca4d899c80b6efa331b336143dd2192ee9f0724a7fe16a05766fa9e0aedc001b6c4883086a2da73904391798d0ac1fed0d9309e1d5769c61
-
Filesize: 940KB
MD5: d44cc17e8a7840bf5617e2ad93015775
SHA1: c49c85ebc2297c815610df78045fd6337e4e3f25
SHA256: 478f0c33a1edd495a9991cdbd5a20810ce5e99908d5f5f1aaf0cf60e7363847c
SHA512: 13900c55cd49af58d1a8881365871d442fa9274d5dbe89581a6df5ff651ded9b299b14dce79b5eca80aab850297ad46ba7d33c592b084a22e4abeed48c56b150
-
Filesize: 671KB
MD5: d042eac5c8f295c504ef31425ce120d3
SHA1: 063a7df0928c32ae9ea15789ac8d466fa7032e18
SHA256: 8925f25169f06c1b427e070ea6063aaa539fbee56755f6af8ea6d6c3ecc51b99
SHA512: b5f81a5167f31200ae3700d5012b5d3e484b65010529982bccaa3b4b81e1a74f54863f4f2c14aeb04e9e1260a1e2ac762455137fb87e3ce5f311c212772e4015
-
Filesize: 1.4MB
MD5: 5ab0275a715ad2f79e5dadec25211f18
SHA1: 9dcf1585dfa36f4432aa3f60ff121160643516cc
SHA256: 150f4c1198c54a83a267a0e3b9fcefca35c1afcaf2bda1432008f4b67d4415df
SHA512: 2e8597d2df5358669b385578f0fe1faf2178a97302a1b3a3d78167b09c6b8fec1595974e889b60859d19c26bda290aaf45c122b03f9a1bf341a903921fb216dd
-
Filesize: 533KB
MD5: f0cdb9079a9d09ab425e557cdd3dd30f
SHA1: e23ed5b76aad6b34c9de8b4d9299ad7ef6747746
SHA256: 255266e80ca3b474da3ec00cc3fcbae6eb15605085be711e5391430d86e61b12
SHA512: daf8c19e1d6c2c17c93816363b695ebdaf5c2b9fa76c4f89805552edfa5265011b70de5ce8bd689a9dc8d9747af463628fa7f2efbcb9590fbf10ebbc7c216a56
-
Filesize: 1.8MB
MD5: 7477b6d6822ea0d6029e00c39e769c5b
SHA1: 76f357f3aedcad3898c2774529192ffd10bdb6d8
SHA256: 065541fbf57bc3184c8e7ea5c561d44fb86565a6795060a0f4d62ada95d5ac68
SHA512: c045ff6eca19593a4cd78a0aaa75e08d595c40c93bd48a60f51154229a6bfc394cc86ad33f52decae94742e55ae9bc8994565413136e0009ccc79b8e6a807add
-
Filesize: 1.4MB
MD5: 89d714f5ef5e82bf6a43ace8062527a1
SHA1: 49be39abb48892930dbfdf56e50324b1d8f89a9d
SHA256: ffe5808692067ebc9504284b71a822411ef4edd8959ca40acb6b41b86d9157ac
SHA512: 3a70159d361a8b9547d86f7cb9111e2ceb340132d6c258a0f39470d780181a579b0cacaa0cd9dfa94279f1e179b90fef8649be24a5a955ee2601f0eea6ce7c25
-
Filesize: 885KB
MD5: 92dd1b2acec72456fc1c0f3897a592bb
SHA1: b6c7f8ad2943c5995df1f882595dcf1aa07e2f64
SHA256: d04d3c9a4ce688c73cb20afc7684a75cfe55bbe9f1f93a0db8af74747c8f0358
SHA512: 034d69e6204a142ff2ab4d4f5462d757a345bea78056507927f0892a81d876ebb39c88e5a6f122500c6fa37ebb211fa8cc6a868fa9428fc25860de96c2885066
-
Filesize: 1.2MB
MD5: b3bb912e9ee440bc9c1dfd83ee53ac05
SHA1: 628d3b5a345fde53fcc1a9189d5658c2808c6605
SHA256: 590e43ebe18c591d2b9b5c253917c8ab1dad98c032962efcfa20bb4d9c2e2bed
SHA512: 7a5fb5faf92126e97eb5a74163e4f3ff6060f346277f71686be86d8f583aed5635c730ed990a440f773ed34351102b6437d21a0aaba39f8f15e068b164703908
-
Filesize: 661KB
MD5: 543d93d29a7657167e049164b84bb61d
SHA1: 306510be064a53763e7ad8717c3312def7a2830e
SHA256: 386d43bae083ef7e0d50ac32577cb3dcc02b60539fdcd1909b14addc77ad4a44
SHA512: 23553c171dd36944897ec2f0dcfd0cac62a12ee9251f22d7d9e90a609f5f1d7ee4f645b256c5c535cd451339df30dcb01904e93a23527d2557bf1e3ed9c0f017
-
Filesize: 712KB
MD5: 797a3c6dd433b56772599621c3b03757
SHA1: a253e17e356a8dc14ccf89f96bc056e4c971e87b
SHA256: c9b4af784cc9aa84e912b4ddbe28fab4c07c7817f672bd9ec58ed3a2fea43571
SHA512: 5e3b80f8a0f1c28d5280ab95507449ef8f932de205a3de472f430e53e3a46be136b397e0559967d3d3ae09d5fd1debe4f1c2976efea6701e5f06fecca61d328c
-
Filesize: 584KB
MD5: afb8b098441f5c0531d5fc6cd67eff7f
SHA1: 4ee1502750126d6df75ad6f9d0ea51c7a88646b5
SHA256: 084d12a4a959e45507955b0133a0ff22cce85c3a388b85808d95452ad80477e0
SHA512: 83aeb898d073472ee436d6d1ca4c3c5efd28259c8a7fa4386a822545bc7171f37b282e4033de37c64aad34e87d7d8800ba10be5044ee0a8e902079bb35826ecb
-
Filesize: 1.3MB
MD5: da98391984e5e104de4638164670b975
SHA1: 6807f272bf303603908188bea03479b0d6a32372
SHA256: e36e37ea82f4e68ae15edb1024f98d4774f53847b120d616b712e291d921f77d
SHA512: eab3ecdce10d72c189603df7d08be4d732a60e5a8f4fc3a10fd057b89b2277722b2d0d627da521c55f41fa96919e962c9716536942b9f488787cdc6508ccd641
-
Filesize: 772KB
MD5: 33375eb92cfae788ec4ff3d1d32e0134
SHA1: 2cec3f869f5e335f577cc1a04a2de5de7fec2246
SHA256: 65fcb1c62401dfd0de2c3075ec0f4fd488b3d93bd6a43d12f2732297ffe9626e
SHA512: 390c2ab15ee9005223b952c01439ebd7dc5969b260a9ccb99df1f4cfdf9154543dd0462327d30d6b153eca0b4d742d9ca30298218d437b8c04f325366eb2d11d
-
Filesize: 2.1MB
MD5: 24613669df586e7b0c3bcdb81d1f4c77
SHA1: 691fde773cf85b44ecea7bcbe3778100d6c0fa85
SHA256: 68994d6a2bff3b4bb460408529551e5dad2f0f52ed1bb300939fc547d076a54d
SHA512: 98f68d61698dfee6b58e522ba9fca2cac292905e97fb25528ff2a73d676659ac5a720dd927cf293248b5c700cb494490fd4e7c6d58ef3467bd438e70b455aa12
-
Filesize: 1.3MB
MD5: d9feeadb6e5c275926695df18ed3baae
SHA1: e47172386fa7b0cc1e4a2e314de6a76a59d66bf5
SHA256: ae3ac9159f3c0ee9e3479e20267b0185b3ee417e0f6f88b2c252c67666b169ba
SHA512: e405a6fc6f94af3f29710fa12894d6f03a3b85e1c629064262424f71d9236fd0ca589e0888e76198dbbd0a439faeba99d7e8d0bd66ee53b1987414e317a276cc
-
Filesize: 877KB
MD5: bdb489086201603db77493e9202f32bd
SHA1: e4eee6281cbce5053aef4f32ff09cea32be7c6a8
SHA256: 754a17a9aa415fb6b88396b31bdff8abfadb21394d3e93642b8cc184872becdc
SHA512: 681b40e9acc821655c9ba73034f581838dd30d1d281ecbc5b0e7a858ba7c7ba36bd8176cdf226d2a24ced930daf9234416fb017887e56d5949dd64d2a047d578
-
Filesize: 635KB
MD5: 3408623efe24d42abe65c1ae99df03cd
SHA1: efd2c0c41644fe07700770a50ce313c550ba1755
SHA256: 6ac6e2907def7e1f3aadb0e6d1ace44abb48b5a505add2782d9d6297ba081929
SHA512: d762f03529ad3a9cfe14447c6e5fb35778e5a3f33817910f90b4781fef5f2e7f7cec7dcfb3a7edbaa420317e81a4235023afff109801657efa22377cb056987c
-
Filesize: 3.2MB
MD5: fdb624f2afdad3811c9c88b8550e97a1
SHA1: aff97fd0379a256c49bd2986cb52dea6f094ee30
SHA256: cfc9e8d13f2dc20641d5ed6c3fdc8e08807758eb83b09ce5844d17ff46b1e766
SHA512: 716fb35c470ab33447cae7accbe2f63ca70ffc99de331bd6f29c85b1cc2d17b674f62564f73e956473245a79711c37bb599f8acf9c245fcb6cfc5de9a8e3ec56