Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-04-2024 06:44

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
Resource: win7-20240221-en
General
Target: 2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: bc9ed09e15cb113c0382bfa4cedeb002
SHA1: 9ebb27a096dded4b76d3f1da509afa43ddf80b26
SHA256: 4dd9de2aa6c44c0e17f81aeb8bce244761c7eb002d7732fb32fadb801eee1134
SHA512: 1f35e8e69209c23a27eee5c90a929c5380fba68023d76eb87a049ecbaf8e158ab06e3a97af853916452ed8f1a3c0c4917c4bb5d5bce70c843f96138e241acd75
SSDEEP: 196608:fP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018zUoiPBx:fPboGX8a/jWWu3cI2D/cWcls1W
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes:
pid   process
4340  alg.exe
3764  DiagnosticsHub.StandardCollector.Service.exe
4836  fxssvc.exe
2436  elevation_service.exe
4172  elevation_service.exe
4532  maintenanceservice.exe
3720  msdtc.exe
1900  OSE.EXE
1312  PerceptionSimulationService.exe
1968  perfhost.exe
2728  locator.exe
4872  SensorDataService.exe
3284  snmptrap.exe
5040  spectrum.exe
4936  ssh-agent.exe
1072  TieringEngineService.exe
4532  AgentService.exe
960   vds.exe
568   vssvc.exe
2920  wbengine.exe
5100  WmiApSrv.exe
1680  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Processes:
2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe, alg.exe, msdtc.exe
Drops file in Program Files directory 64 IoCs
Processes:
alg.exe, 2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
Drops file in Windows directory 3 IoCs
Processes:
2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe, msdtc.exe, alg.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
spectrum.exe, SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe, fxssvc.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
pid process
4952 2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe (the same entry, repeated for all 35 IoCs)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
684
684
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe fxssvc.exe TieringEngineService.exe AgentService.exe vssvc.exe wbengine.exe SearchIndexer.exe alg.exe
description pid process
Token: SeTakeOwnershipPrivilege 4952 2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
Token: SeAuditPrivilege 4836 fxssvc.exe
Token: SeRestorePrivilege 1072 TieringEngineService.exe
Token: SeManageVolumePrivilege 1072 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4532 AgentService.exe
Token: SeBackupPrivilege 568 vssvc.exe
Token: SeRestorePrivilege 568 vssvc.exe
Token: SeAuditPrivilege 568 vssvc.exe
Token: SeBackupPrivilege 2920 wbengine.exe
Token: SeRestorePrivilege 2920 wbengine.exe
Token: SeSecurityPrivilege 2920 wbengine.exe
Token: 33 1680 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1680 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1680 SearchIndexer.exe (same entry repeated)
Token: SeDebugPrivilege 4952 2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe (same entry repeated 5 times)
Token: SeDebugPrivilege 4340 alg.exe (same entry repeated 3 times)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 1680 wrote to memory of 1628 1680 SearchIndexer.exe SearchProtocolHost.exe
PID 1680 wrote to memory of 1628 1680 SearchIndexer.exe SearchProtocolHost.exe
PID 1680 wrote to memory of 452 1680 SearchIndexer.exe SearchFilterHost.exe
PID 1680 wrote to memory of 452 1680 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4340
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3764
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:5112
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2436
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4172
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4532
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3720
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1900
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1312
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1968
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2728
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4872
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3284
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5040
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4936
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2984
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:960
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:568
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:5100
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
-
    C:\Windows\system32\SearchProtocolHost.exe
    "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:1628
    -
    C:\Windows\system32\SearchFilterHost.exe
    "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:452
Network
MITRE ATT&CK Enterprise v15
Downloads