Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 10:18

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
Resource: win7-20231129-en

General
Target: 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: cd7b199f57142ddaeca9c24b0819df6d
SHA1: 4dcea2edabad051a54cbe3dcb7f8992e70c4fc8d
SHA256: 6e6d1ecd26a0273765e2eabb1f4164cd2d3c61c2ee4a424bed8ea09807f031fd
SHA512: ef6d21fc1fda9aaa3af415e0fb9313c69e9fcf57f5a0555da10f97b58966c7a28b75cdbfa1367e086df9457fac233034706395208191fe4c931925320e7a713d
SSDEEP: 196608:7P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018iP:7PboGX8a/jWWu3cI2D/cWcls1J

Malware Config

Signatures
Executes dropped EXE 22 IoCs
pid | Process
3284 | alg.exe
1284 | DiagnosticsHub.StandardCollector.Service.exe
3956 | fxssvc.exe
4964 | elevation_service.exe
3940 | elevation_service.exe
1452 | maintenanceservice.exe
3916 | msdtc.exe
1700 | OSE.EXE
4736 | PerceptionSimulationService.exe
712 | perfhost.exe
3140 | locator.exe
4460 | SensorDataService.exe
2040 | snmptrap.exe
4296 | spectrum.exe
3828 | ssh-agent.exe
3580 | TieringEngineService.exe
380 | AgentService.exe
368 | vds.exe
2424 | vssvc.exe
3564 | wbengine.exe
4308 | WmiApSrv.exe
2244 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\28f022fc822cf6b9.bin | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fd3fe59b085da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000122dbb5ab085da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d08765ab085da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a48145ab085da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b814d5ab085da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eac3f95cb085da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003db9865ab085da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c192255cb085da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007af6085cb085da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
1548 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe (35 identical entries)
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found (2 identical entries)
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1548 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
Token: SeAuditPrivilege 3956 fxssvc.exe
Token: SeRestorePrivilege 3580 TieringEngineService.exe
Token: SeManageVolumePrivilege 3580 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 380 AgentService.exe
Token: SeBackupPrivilege 2424 vssvc.exe
Token: SeRestorePrivilege 2424 vssvc.exe
Token: SeAuditPrivilege 2424 vssvc.exe
Token: SeBackupPrivilege 3564 wbengine.exe
Token: SeRestorePrivilege 3564 wbengine.exe
Token: SeSecurityPrivilege 3564 wbengine.exe
Token: 33 2244 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2244 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2244 SearchIndexer.exe (24 identical entries)
Token: SeDebugPrivilege 1548 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe (5 identical entries)
Token: SeDebugPrivilege 3284 alg.exe (3 identical entries)
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2244 wrote to memory of 1852 2244 SearchIndexer.exe 118 (2 identical entries)
PID 2244 wrote to memory of 840 2244 SearchIndexer.exe 119 (2 identical entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe (PID 1548)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\alg.exe (PID 3284)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (PID 1284)
- Executes dropped EXE

C:\Windows\System32\svchost.exe (PID 2396)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe (PID 3956)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 4964)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (PID 3940)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 1452)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory

C:\Windows\System32\msdtc.exe (PID 3916)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 1700)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (PID 4736)
- Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe (PID 712)
- Executes dropped EXE

C:\Windows\system32\locator.exe (PID 3140)
- Executes dropped EXE

C:\Windows\System32\SensorDataService.exe (PID 4460)
- Executes dropped EXE
- Checks SCSI registry key(s)

C:\Windows\System32\snmptrap.exe (PID 2040)
- Executes dropped EXE

C:\Windows\system32\spectrum.exe (PID 4296)
- Executes dropped EXE
- Checks SCSI registry key(s)

C:\Windows\System32\OpenSSH\ssh-agent.exe (PID 3828)
- Executes dropped EXE

C:\Windows\system32\svchost.exe (PID 4360)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe (PID 3580)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AgentService.exe (PID 380)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vds.exe (PID 368)
- Executes dropped EXE

C:\Windows\system32\vssvc.exe (PID 2424)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe (PID 3564)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe (PID 4308)
- Executes dropped EXE

C:\Windows\system32\SearchIndexer.exe (PID 2244)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Child process: C:\Windows\system32\SearchProtocolHost.exe (PID 1852)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS

  Child process: C:\Windows\system32\SearchFilterHost.exe (PID 840)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads