Analysis

max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 19:31
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
Resource: win7-20240221-en

General

Target: 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: 49fd5408d3ee1cb489f1ae99a470c41f
SHA1: 1b427f363614dd390a6fb32d80b0ce9b455ed474
SHA256: 57c77203d652e29271161fa8a32d47ac569d548c731105e73971df36e0885170
SHA512: e7529039619d14c17afd503ef8043da6d0dd60fca36fab3ed8887ffccdac725872904cd4767e48226b3aa955f0b991671783bbe332b30cbea4221f37bcf5e289
SSDEEP: 196608:zP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018n:zPboGX8a/jWWu3cI2D/cWcls1
Malware Config
Signatures
Executes dropped EXE 22 IoCs

pid | Process
1716 | alg.exe
4576 | DiagnosticsHub.StandardCollector.Service.exe
4300 | fxssvc.exe
2216 | elevation_service.exe
4896 | elevation_service.exe
3096 | maintenanceservice.exe
1348 | msdtc.exe
3032 | OSE.EXE
4760 | PerceptionSimulationService.exe
1764 | perfhost.exe
4104 | locator.exe
5036 | SensorDataService.exe
4360 | snmptrap.exe
468 | spectrum.exe
4236 | ssh-agent.exe
2264 | TieringEngineService.exe
1772 | AgentService.exe
3512 | vds.exe
780 | vssvc.exe
1160 | wbengine.exe
1656 | WmiApSrv.exe
3956 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs

description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\a9fa7f568ed1090.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory 64 IoCs

description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\chrome_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory 3 IoCs

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015319fa2fd85da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee357da0fd85da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b9cdca0fd85da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e412ba1fd85da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e3642a2fd85da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020fb81a0fd85da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000aa42da1fd85da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087cfd7a0fd85da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process
4848 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe (35 entries)
4576 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4848 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
Token: SeAuditPrivilege 4300 fxssvc.exe
Token: SeRestorePrivilege 2264 TieringEngineService.exe
Token: SeManageVolumePrivilege 2264 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1772 AgentService.exe
Token: SeBackupPrivilege 780 vssvc.exe
Token: SeRestorePrivilege 780 vssvc.exe
Token: SeAuditPrivilege 780 vssvc.exe
Token: SeBackupPrivilege 1160 wbengine.exe
Token: SeRestorePrivilege 1160 wbengine.exe
Token: SeSecurityPrivilege 1160 wbengine.exe
Token: 33 3956 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3956 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3956 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 4848 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe (5 entries)
Token: SeDebugPrivilege 4576 DiagnosticsHub.StandardCollector.Service.exe
-
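The privilege table above is only useful once it is read against the process tree: the sample overwrote service binaries in System32, so "vssvc.exe enabled SeBackupPrivilege" is the sample's dropped copy acting, not the stock service. The following script is an added example (not part of the Triage report) that parses a constructed excerpt of the AdjustPrivilegeToken rows and of the PIDs the process tree tags as Executes dropped EXE, keys on PID rather than image name, and reports which attacker-controlled processes enabled high-impact privileges. The input format is assumed to match the page's "Token: <privilege> <pid> <image>" and "<pid> <image>" rows; the HIGH_RISK set is this example's own choice, and the mapping of the unnamed LUID 33 to SeIncreaseWorkingSetPrivilege is the Windows 10 value, not something the report states.

```python
import re

# Constructed excerpt of the "Executes dropped EXE" table: pid image
DROPPED_EXE = """\
1716 alg.exe
4576 DiagnosticsHub.StandardCollector.Service.exe
4300 fxssvc.exe
2264 TieringEngineService.exe
1772 AgentService.exe
780 vssvc.exe
1160 wbengine.exe
3956 SearchIndexer.exe
"""

# Constructed excerpt of the "Suspicious use of AdjustPrivilegeToken" table
TOKEN_EVENTS = """\
Token: SeTakeOwnershipPrivilege 4848 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
Token: SeAuditPrivilege 4300 fxssvc.exe
Token: SeRestorePrivilege 2264 TieringEngineService.exe
Token: SeManageVolumePrivilege 2264 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1772 AgentService.exe
Token: SeBackupPrivilege 780 vssvc.exe
Token: SeRestorePrivilege 780 vssvc.exe
Token: SeAuditPrivilege 780 vssvc.exe
Token: SeBackupPrivilege 1160 wbengine.exe
Token: SeRestorePrivilege 1160 wbengine.exe
Token: SeSecurityPrivilege 1160 wbengine.exe
Token: 33 3956 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3956 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3956 SearchIndexer.exe
Token: SeDebugPrivilege 4848 2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 4576 DiagnosticsHub.StandardCollector.Service.exe
"""

SAMPLE_PID = 4848  # PID of the submitted sample in this run

# Privileges that let a process read/replace arbitrary files, open other
# processes, or act as another identity (this example's own selection).
HIGH_RISK = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeAssignPrimaryTokenPrivilege", "SeSecurityPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege",
}

# The sandbox logs a bare LUID when it cannot resolve the privilege name.
# Assumed mapping: LUID 33 is SeIncreaseWorkingSetPrivilege on Windows 10.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")
DROPPED_RE = re.compile(r"^(\d+)\s+(\S+)\s*$", re.M)


def parse_dropped(text):
    """pid -> image name for every 'Executes dropped EXE' row."""
    return {int(pid): image for pid, image in DROPPED_RE.findall(text)}


def parse_tokens(text):
    """pid -> (image, set of privilege names) from the AdjustPrivilegeToken rows.
    Repeated rows for one pid collapse into the set. The image name is taken
    from the row, so a replaced binary keeps its misleading legitimate name."""
    by_pid = {}
    for priv, pid, image in TOKEN_RE.findall(text):
        entry = by_pid.setdefault(int(pid), (image, set()))
        entry[1].add(LUID_NAMES.get(priv, priv))
    return by_pid


def attacker_controlled(tokens, dropped, sample_pid):
    """{pid: (image, sorted high-risk privileges)} for every process that is the
    sample itself or a dropped EXE and enabled at least one HIGH_RISK privilege.
    Keyed on pid on purpose: once alg.exe, vssvc.exe and friends have been
    overwritten, the image name says nothing about whose code is running."""
    hits = {}
    for pid, (image, privs) in tokens.items():
        if pid != sample_pid and pid not in dropped:
            continue
        risky = sorted(privs & HIGH_RISK)
        if risky:
            hits[pid] = (image, risky)
    return hits


if __name__ == "__main__":
    found = attacker_controlled(parse_tokens(TOKEN_EVENTS),
                                parse_dropped(DROPPED_EXE), SAMPLE_PID)
    for pid, (image, risky) in sorted(found.items()):
        print(f"{pid:>5} {image}: {', '.join(risky)}")
```

fxssvc.exe (PID 4300) drops out of the result because SeAuditPrivilege alone does not give it file or process access; every other dropped service binary in the excerpt enabled at least one backup, restore, ownership or debug right, which is the behaviour to carry into host triage rather than the benign-looking image names.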
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3956 wrote to memory of 4064 3956 SearchIndexer.exe 110
PID 3956 wrote to memory of 4064 3956 SearchIndexer.exe 110
PID 3956 wrote to memory of 3924 3956 SearchIndexer.exe 111
PID 3956 wrote to memory of 3924 3956 SearchIndexer.exe 111
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots, and ransomware commonly drives it to enumerate or delete restore points before encrypting. Read this signature against the process tree below: the vssvc.exe that starts as PID 780 is itself tagged Executes dropped EXE and enables SeBackupPrivilege and SeRestorePrivilege, so the VSS activity in this run is the sample's dropped copy running as the service, not the stock service being called by an unrelated client.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_49fd5408d3ee1cb489f1ae99a470c41f_magniber_revil_zxxz.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:1716
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:216
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4300
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2216
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4896
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3096
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1348
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3032
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4760
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1764
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4104
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5036
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4360
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:468
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4236
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1648
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3512
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:780
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1160
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1656
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:4064
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
PID:3924
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5fd89f25f14c7e96db6a73700d425c8bd
SHA132bff8a31cbd2db98b5fd9faab9e5c43c50ab4dd
SHA256bdc67ab47e02fddaf2c4b0459e2b4d9a8921f61ff40a74cbfeab40173be74aa9
SHA512e763ea3ce84ef640a554ecb6ad0d787b155d32b691ba11e32db8196ce44a5479606dd565e9ec31645c2fd7680dd6bd40b0a8c115da3936b22d4e0114ddc108ba
-
Filesize
781KB
MD529286438ad796da542984aa958304be1
SHA15d96c923a5b274ba2f0d862d7846822817adc570
SHA256f976597b4926a7d038d63fd21005d6b502a95e04bfa1e4c7eaeb536ff0f1d39a
SHA51277685ff2bfa7d41b9a4c028fc9d9a7c6dee4d8fa9fab183c39de55caae6b161f268773045328c0949b07426cbf18a9a0fec26c071c6c73375295b25ba544eea8
-
Filesize
1.1MB
MD5292061795c137adce026124d10da1122
SHA16ec70d70eab30271591c1774f43926fcfbe296d4
SHA256cdbbe8d2f11cd27d00b51d1acf668395a39ce927b1757bcb39f3bab6b5e97d02
SHA5128c9c960bc473b1942140aa4bbe99c396b7453da17314d1081bf4cb5314991dda7cd03bc88c9b54ab63bb6151650e6352548a9d54c11b01d7352b541d3932195d
-
Filesize
1.5MB
MD5c4ed604dbd6fcb51b136ccbd1bf0bce5
SHA188083b97d3e5924934bb05e49769d14894c06960
SHA256e87fb5bec77b8bb7ea037115d9762b07e9729a960a37625d4e211f90b56c3aac
SHA5125c49ec848261e99f980b6d1089d49e2865d67da551ed3b4b0fc7db6e5ff3f114a7348921e15e4e4a96430ecf1e57a36a2efc1cfca1ba85b81c597793cd7cacae
-
Filesize
1.2MB
MD54d669f351a72ff1012315eb0dee7e534
SHA1979a801d4e5d4e88ef77b02327bee68b792635fe
SHA2561d8b3be79699a8e22bb774b8de3cfd8500b632bc80662693781a1878529797e1
SHA5126323aaed727cae6bf35d57841eb7a7580ca3fe6286093ee8f6e11f92b4cbaf2af5609e24724103f096646abd674930fe6261dd6de444f78dec1585bdf176a802
-
Filesize
582KB
MD5ab9b71e055f0692f80460760c42b1313
SHA1f2afa4138857b01a3c24a3c2590b16c0746cde3d
SHA256815432bd814dacdc4c31e158cccd7103e8074a3a2ff2fc875b884d40cd7814c4
SHA51293367ba89d158d4f29b0a4b1720adfa03162a525d4d93d83b7f0fe40d0b4d69831a5104bf90d6130f039638358e16b0227b4d4d92f8474a9079d7e41968410d6
-
Filesize
840KB
MD53c546d80cbafdcac6df7e8704ee75c91
SHA14964ba8398deb60037f68bdf14712698cb566c3b
SHA256740c41b9abc025f7003e10ed0470069ede626594b71d61787f77a0a27b56c253
SHA512fd6f98cd92fa79723b8061ff09dd0f258c3443193cacb322a13aab709e79f35580cf281213096b6cc861a98e7dcdcb4300e08ff5701aa8629b9a63ad12f9e4d6
-
Filesize
4.6MB
MD5605358878ee3a675cf3de0f9375ee106
SHA1afee34ea387c79125a73860b7e8b9014e0ce2536
SHA256c935b7695cc9adb7865bfc72bdaea6155d13adb209fa0ee46aa88e0b2e38fca5
SHA5129ea98c2e9b96140d37ff16fa321654c00e2ac6d16b5b32f36c63f574f2ef0a5141f08167eba75a5a59e1055e71b95a01eb6c9e9b37a01f257b6663c1a6262e43
-
Filesize
910KB
MD5b0985f39b6e6f299915e22a19cb7e7b5
SHA1848e9dd2aad0de154dcfa90176cde5e343a787e5
SHA256c93a9187b1ab0dfd3d01bdb8f37b5569c103d9e30002a08615692ad19737b394
SHA51217a96d59ecb6f7bf312fa160a2ba0eea39ce16831f797a94e9a812d4146ea6cb4ccd5b1c1375d10881cc192684fb96b4ca3cf4caa2964c2eedca1e4311162f62
-
Filesize
24.0MB
MD50f9ca67d00d8e5d04487e8b42b4003c9
SHA149b4ed14b46f02224f16015a29d37f1a8a991572
SHA256b82a7717cb710c0097d2bbed42bf65111708df02a3ae5cb184af37fa9d01e11f
SHA51271aff05590cc8cb94293594f74626ba811180b13d606824e712ad1019a41db83eb371f4b6c778947cef2765d24f352f325aed77c239c4b2be5522382f288479a
-
Filesize
2.7MB
MD5ea305022f690ed6a53ec0713cceae23f
SHA11b7573263c4cf8259677b3887e6adbada2965d58
SHA2563b2eec4528d3cba52a09dbd8b0ab6f6928a1cf178bc20c1bad231cb032b23ed3
SHA51206b8476b96367392f8f8c306d1c462af319e4db5ed1fa2b7f4c552216752bd2f0a31d190e14ebca951ee4c0b8030f26e4b39ed33c1e472cb6feaae6e980f572e
-
Filesize
1.1MB
MD5c26901d8a512ae90c2408d6788e55b38
SHA137da5a3595b54d0f824ec354018a008ad73882e3
SHA25620077356048c4af186a55b7c06ea794925ce73b941f188e50277fc1b76fe7f97
SHA51232ffc1d3a04308103975d523ec9ae1a81d9e27b25e2b905c993ed230a62630fcc470b0788979d0007ae84a61701e82819f7c7114f90cc09753a93abc7d871dc5
-
Filesize
805KB
MD51118cecdf035cf917d5a27c856f2ff36
SHA10170f2df375898a96854d13ebe0993579f8ea95d
SHA256191ff43510211afb59f54342bf2ae6ee06c1694dec63eaa9a219071ba1530c51
SHA51235b81373e15b170b6c34504ed114d583f0d610f2d6b059af8ac4965e04b3d84a2eb9be66410d1cdf0a13b7058c0e2f5ab55ab393c23f9a2ab7e3c140a360c8e4
-
Filesize
656KB
MD5ebb6018ebbb6973ccb8119d80777fb11
SHA1628547789c05955839df0460be3e82504d6df758
SHA256fd6417488da99879cb3a271f0d60bea473b8d2ceec76e475cbd4c9d55c76f871
SHA512c780d6f829785819250f67ed4d03869e6070bf06034393da55583f8848570015bcfa89ba21a3430bda361f84747fd50498f6e91428824c5dced1f51277c1b22e
-
Filesize
4.8MB
MD5e6facb02011c9b2b0ad678f4224ff802
SHA19d572c793061eb0c13d610f06230a04239424481
SHA2564cd293387b9ca8ce83351eb9aa2611734a293e6390c99d7b64a8393afcc53923
SHA5120a57ad59928fecab3f36f5fcbbe6213792578b436ea5bb4a5cdfbf872e63abf359c7fc0a0c0564f3eb20b978113d341826e6939bacf802657dcdd474b6831ab4
-
Filesize
4.8MB
MD56c343ff589742c5f55c24391a31b1d6e
SHA18d9ce92499e01ca2f35abe63901575b23d8ff06d
SHA2562f02ade571cfc6f102cf2e1218bb95ea40db75244d5cbf788643ceaf03038de1
SHA512a50645265ed4fe29b1691009de731dc4077edb74d87874ddb8299f6f193559985f2d84a745549732945a4de695aa4a0d1b1dd4d6f4b29545af2e5760a636b9e9
-
Filesize
2.2MB
MD5a5bb8996a84cdd12e3ffb41a0b52e64f
SHA119b3f5098a7748c7bcd503a3f126462c19b2c317
SHA2566671f309db31b845af96c83d8964b8087642c310b62045e08602827f87fe1a26
SHA51205f4449a5fe51e16942ab3e8a8f6a056cc42e6640e74f78902de6070675dae0e9ba782b7ecb256e9dc22293849ea7eae425f18b86e0057861ae908d2198f4230
-
Filesize
2.1MB
MD5f492927605e649ce6a8b5a199d26918d
SHA1dbd3d9b03679e0b80258b86a7a6461d3bf41f6b2
SHA256b8a317302e8802eede7e745ead581f6d55c8633c9a59eab98c41aeea32860509
SHA512348738905c6bb38c04ef3b526eba27547241091e8e32ce362c3eddf1e33834cdb222d7bbacdfdbae48cc5d18912272bff31c070426f6691ef73482efa774cea0
-
Filesize
1.8MB
MD540cc89fd6a7b2660b41fd1bc2653be22
SHA163d4e0c2115edac9b2bde9f9b7b57865035efa12
SHA25628e2445546de1965e0dbc94e5da8bd01cebc329b8c6400116723d5b714c5cfed
SHA5122bf40bc13c121c092fea3f78d3acf53d1b6005106eed61fb1d2185b2d658e715e4c23df3d4aca4e64f23f1e922c24c9c2c36fc6a19f986edfaead5a2fd69cb80
-
Filesize
1.5MB
MD557f29960d24072667c1eb356d78da79e
SHA1cf1ebd7a4224b0d9c945e85b29d7c1eacd6c25b8
SHA2561c5cc7690525620690c00ee8dd2e33b003758af055cb9e481e4a3f57349be618
SHA5128bceb3f5c3c638ab15ac523ea999bf4e8d72e52426210555eb620ebda44e4bec9b3861d03dd6611b297689955a48cb3d694b0d1fdf7f290d501e7ab172a7087c
-
Filesize
581KB
MD5ca95b2c688cc2983d51eaf75277dd400
SHA1c1a0ecbf7a10a27dbf239cda0cdce853858f578e
SHA2564798c1c18f56f21eb4cac2eda592f28ac30607e769bcea93f824f022fa28c1d3
SHA5123291ec4da352b3ee70c244a35c2707feb348695de58ade57fc9357f540eb3677fad059f513ef09f2d695efdb19fc36064bd215715254f463c81f164fbe221c99
-
Filesize
581KB
MD5d7c0a875457b4a2843f0ca0f9e78611e
SHA10e0684877a7e056787cc9aa6a26b44ed5312cc9a
SHA256600d420cbc5b7b8bceb563ed45c9207f5bb5542161229d724887e6cd409fe13e
SHA5126fa97fdfceca3de009f56e5968487250aa14301c0484c21d8916bd9e436e16e041e32c9e8b9c7f7123b958b4e552f013b7992f027f71b02af42a2db5901be04d
-
Filesize
581KB
MD5d31b8c3f27da68b3977455a57295016b
SHA1542d187c031f237238121305359f69a1eb085e9b
SHA2561d192aab2cb84e43044296c69935b552aa228fc1754b449ccda95f278d128514
SHA512a7408517af53f9bc09a52a6ab1dbfeafb42f04e0cffed99e3bb13f54e3db31a7b1c8b76b304e189e767b382fca628b6661e78a88f17d1aba2482983bb34a3d41
-
Filesize
601KB
MD54596b7753a1735e60a32a90fb93c8add
SHA13ee3335a07cfb322c42043ae623b032540871798
SHA256c07c2987f080f1e6692d66589d06cf024e2133b1865ed453d354852a83fba83f
SHA5129d1f67a835f7cf4d02dee600045f7da23624d9f39f889a668090cc16fa84495bdcf5bc9278ee157053f79fda6edfa2583051fc388f633c4517cf08bf6c566976
-
Filesize
581KB
MD5906fd36fdf0533aee7d38c97319e7901
SHA19c65c346195056e838c782be5ed70fc99cdb41bb
SHA256d1933cfc62a6972a09af06935f8f02902c5690dc25d1401646b582779454b0b3
SHA512149e85be696416a977b22f6c519da7fa053b69f22977641c15cefc0f513a4b20d4103eb599523dcfc65bd4f7e00323c9c2c7f62542f638b20ff594a7894f46e5
-
Filesize
581KB
MD53e0db7649be20e04917e9dc0a4013bb0
SHA15ee691afbf01c9b7b3e857be43a1c8b59c5712ac
SHA256643a9921893d36d9357758c721255804bd3de2182ac4f7b1bf10716602eff4dc
SHA512f42b13ae37d6ef39ccf39c5a1361ec9f10d1b4f14824ba9555dae07fc817d5894c347ce6f99b476c526c4ea0e5605d32f98d02ae2efa9900ebe84392ce0e0241
-
Filesize
581KB
MD5684e9b0334867692ef228da0aa65f4e1
SHA1db488bf8e2a8d2e50cc3513fe2cd116542ce58ee
SHA256605cf22f0e4c200a42ff13b976afb2cfde4be419bd821cdaada9e159b32fedd7
SHA512abf588b98612c729f0022a8f586e2979ea26dcd60e7bbb4073556d4715774e43b982b681adefe1c4afe8cd03ca166cbeba29c0b15c344ff4a81688dd90ce18ed
-
Filesize
841KB
MD5c7d13cae8fb7fcc168b5b291dc3dce98
SHA1ab7d3e1372ea11ad13c1d802a1a0a980dbb1e218
SHA2567e255b0b7588b0ee711b64ea370a9288b75bd0abbd625c2e28a00356930b29c1
SHA5125a512b8c353be9d2241bfd568d13f2b227155e28d71816fd0b2d859e49d929294905f550d5501fd5f0286f0f23f5d997901233deda307fc11143558cd402ecf1
-
Filesize
581KB
MD519a4d445e90eacb558716aba0b9e2c90
SHA1fbf3a363d9f400c5f0401d797930edde6d0ef203
SHA25681de828ce6e7d8f507a649cf8316cf2184c435099861e82c965f0fcd84189ae2
SHA51219f678fef791c0c802fdeb0a6a51d11dd04b4960c64765812e1cdb3c0d61dc2c523db68238195081b930ad1b48a670296310ca536a5aa9c34c1ad1a904d644d0
-
Filesize
581KB
MD5706882713562596b8fb486b512e9b17d
SHA1021eaf1447b9dc8ece017e5ac5634e42802249fd
SHA25606b871ff8615bcf9407891d77a8902055a1f5902b36e5501ff16964695ad551c
SHA5128a33910a989d2fb937cd18fc7fe3ca2f1d18865eb13ae67c6eec72c5ebbadd17477fafa7061f36cf31e5fe04a152234f6f3a633e5ba7864f1a86dc19201b3be0
-
Filesize
717KB
MD5d8b2f1e8566e2ec4528b9c3e88250f4d
SHA16b83f842889adb1d5166f356c6c8d890599adb7b
SHA25688c22d8ea6b943ebd64692832e8f14ae946a5d1415247efe2324836d080ea7a3
SHA512cd6c33c4873f1e775602077672cdf1e760e90a7ee77aaf20508872424b1ff8cf73b27a3d74fb60484d36849595433fce316e345c7651fb9fa472d24645fdd888
-
Filesize
581KB
MD5e51645b7d3f09e76a7587be9a4977149
SHA17f469a0391c75b65aa8c75b2d43585f545b9a2e3
SHA256d2856ae483a0c5e382093f7b6e5165832fe433e49de9fc308193c37ad065a059
SHA512ecaaae9f6e56379d3d60a8f7e441573f7ca82d9905f4501b344d0a7a9450eddd5bbffcddf07e057e06dea14956c8ed92a70cb6d576dbcc7a949ca921b3e25bd7
-
Filesize
581KB
MD50051e65d6aeefcf074137162fd379428
SHA12181f29ea4d610d327f0fd5ebc084fea9a38447a
SHA256e7ddf0b44cc48897237cd0ca27c8a63af3e46b286349897e416612e09a4f1a5a
SHA5124a81fa08ec734a7cdebc4fe5bdde83a60825710602803b3c6135f110095f08b8462263cf14ac2b2d4f6f49cc0497d8e263e508b35cf491c7c8853d4d4779b13d
-
Filesize
717KB
MD5f0c03378742d3c147e78cf13bd279596
SHA10986164d337777ffc810b0eff00d631de119e773
SHA256207820e68b9938fea09ba36ed80b2ac640f57b5dad8a56a0004a8397b52b4179
SHA512318e779352d2fe82ad5e0ff852010fc0ca19593c3b7a343c3efe1684e647eca523edfe4075c7fda13ea331ddd7611e781691c93d33647a70b4f2d26523bc484d
-
Filesize
1.5MB
MD5be8143569e61ff3deaa42f5b778cf364
SHA18497f86815178000548faa751a1e0858c24c6a02
SHA256171ac37db96742477e9e04f51ac07f3fb38d251f04b9a13737510f452cb25cfd
SHA51299f545a1d364943c2dd2c14fc48b6cc8f4db7e9a8bfa5823ebd0058ae3345997cf08a0e4b5dda7ebb1bb7eb5df71a18164735c8096a4b7bbab75843539ccfe2f
-
Filesize
696KB
MD51c22068703512ad01dee1e1d62d7104e
SHA163371b11d690ea856aa8199ed32c27f378b8bc53
SHA2568885fde90fbb3f2eb8fbf8f3367fe6ab27119abcf9a4285638ef5d1fad307465
SHA5128c121590be474aa758a9a5306ac3e297963ec72e28685a7082d72275fe5be15c420ec6405e87d8f731408181dca3cf6bf9214fdb03bdc38833cc71bbe09f5968
-
Filesize
588KB
MD55ab4caf2f82b4780a43b8ac959bb9457
SHA19042fcaa7229918a7aa18f9a8b67381daf6cc384
SHA256ff181bc7cc3e85a4ce9c56cedae995ce4dd03987b3190824a3176ce2534546e2
SHA512c925e7d2fd6d83c884890df6159787fcca27e5a20a2b7e9de2fe5cddff021869d27ddbe251ec305ea7b80689c2d3073f17fa484dee9167c5b06635370e454a7a
-
Filesize
1.7MB
MD55eae09890610f7fcce2c574c2dcab10c
SHA187a30a413aab9250fdc61ab708cb6fda6c5d79b6
SHA25623e87d173ab2657c01233add59cab2c4863911c26287f4635aec1ed046da0394
SHA51237161db2930282d1656f5a1c2285476737e2229babd50845191b01a70167bc9c2bb5adc120936dbb1d62c3c87e6d9b84d2509e914094fa6d77f1c22867918a5a
-
Filesize
659KB
MD5e70fa66feed9caa784e55e2c41b7861c
SHA1a7d01cc9f1626059b46d07805bbd292c1d0534ed
SHA25647b974d9f4fe943334347666765585de0eca6e87f2cdddda121af7ef68726d2b
SHA512b23b5e8e254113deab09820268e1e831e5d41127c8cb754133cce2b835a58b0915f4bdee942131a429c0983aa8f1de70f0125fb87a40e442a7799c1cc88d03d1
-
Filesize
1.2MB
MD5481b4ecd82497cb0e8384376b6439063
SHA1b2866a8296ffad6edd34d203093f12dabc7850d0
SHA25646f8d062306e6ce745c8518b00159e9e7da7c20e53cfded79e48d93117e207b0
SHA512ddf54e2665535b0b0bd5f6f91244734fb8ae39dd8954db9c77c86ab000122f0c1b2158f51f5d7e39da8360e7a322cf19d6bd8c80bdbe75c2a9bb412f821438ad
-
Filesize
578KB
MD5b3aed7f0163a4ff16bb22cb0e9dd1e91
SHA1620318d5dc98994af5b2b4290a0244b55acfd5ee
SHA256943102a9ddb2f177dae7ffbee714061609f18b99db48c313fdcc418bf24dd046
SHA512dda2776003744cc56d23238ea4266c5a1b99e6af8e19cee1d6894543a2983427a9bbaf42c2e0904cc52ac597ca6452b8c4c41d48ab1995e2b95403b571e9e709
-
Filesize
940KB
MD560751ef6d1e2ceb5c8003b48a8b7f1ef
SHA14aad9a961b346e6bd0f438eaa8890135699c5807
SHA256bb65b72c2363a8ab1bfaf8eb13192bea90fffa3cb37b3a591b0938a2b74d9e49
SHA5120c978eafed4a320068de19b68e567cb5b8eaa2c634629b7162d43548748831af53acfd1f3c76a2c20b69ef0c9579026735eb1c74ed47c1e400150b8c0c1758f7
-
Filesize
671KB
MD5d9814a73ea5e3e72eef41cdf0b3fc635
SHA1563226d227c52650019226a9734ade0aec9d4418
SHA256d48b95a92d3bdd05ac72b292e2566079cd32539ad4bc4e81649efaa4b9cac09f
SHA51259bd0b09c3a0f32ce50cbac3c04f4f8253d9bc5ae85c0e324e8d6468ac553395942007dc19fc6d30531e7ed06ac4f2eedc4bb0a25ab3e953f5d901b2a371cca2
-
Filesize
1.4MB
MD5be3c20f0f53d1385dbd1a9852322f183
SHA199e770711c01c621b71d47b12f9a5f7134452497
SHA256699a8dbb41a828a70989fa9e2ba8ad1f2fb76a4ca5b9dd981213c1f1a75bf485
SHA512bba0922a3eb6c06c71d35eb1876b90aa8e9e096ff0f9834e1b49965df60b99e6ab1b6b963e2debced7692fe4e784bbc656d1fe988ef237ffe8755e67fe531207
-
Filesize
1.8MB
MD5cec4f34d96939e5bb8f67810ae325faa
SHA1d228533498c39a7349f6bec0677a67be80aeceed
SHA256a9eebc84d859034d384e95ac647d027132c6168132afdf5efa99343629c2d167
SHA51254a7cdbe79e49853d3bb8138b629e24106a5f033fea03a8e05af6c39f49bdf1f21f65ea92e72c5be940b48d006f9861ce1cf8b77596a71eab2cc8498d2f7d301
-
Filesize
1.4MB
MD5873c80eca5153eb35f77948c8156bb0a
SHA1ae038494a53f971c1235a3692ca98b72238f8b3e
SHA256d2a79fcfe6804733062b8253c1a6fb411a64c4422bb3db11ccc3e3e7f1feb668
SHA512ad84e49d8a54c3daf4cbb3c4b8c45c43351ac860f1a38b934393b2d786be41f7a119a488d1df37648464c352910a8360a55e85734da93b865c79d85ffb111737
-
Filesize
885KB
MD5d4ffcae33651cab668a51ed5eb3cea24
SHA1e5e17c2e3d6fabeff2525f605163daf4c5ae56e0
SHA256ce598715e4011a227e3e4c3760c02870cfcabaf7432138ccc67b7eaefaccd557
SHA51201bc884397e4ea776e78fed9407dde1d400c1c179c86de87f1e42565d25533fa860cda84bb9d6c2b860cdffac7b6772245a4c8cb727316ab301e9757cf865cea
-
Filesize
2.0MB
MD570b01a550ac1c4c4cc708046cdcd44cb
SHA12dd5030b44aad840404e575aee7390ac666c62db
SHA2566673ddee0f36daee5ad9eab94a94a928b80da3edc2a62d52f0b8a8c146c01218
SHA512157665ecfbd37cdb6bfef8f507a95ebc3959361d2dfa201944d5ce1f27a8b925bdc8037009ae22d33417aef32acb75280e8435e7cae8f13dc0d636cd99e32723
-
Filesize
661KB
MD56ff45efa7751e004c01feb5d79ec4a99
SHA1f0fb6f5293b0feb5444cfc9fa82c34fecda86523
SHA25613276ce601ded4fd4fae15b94a0c498784e29e38ad3f2d72647d41ee96a23323
SHA512aaf9a690354163a6458e5ac35a081781b5acb9ce5211efba3ec8ce806b4545a900910005c67a3037bce499479b1c37002681f836e7a8dad9fd277f12a7bf596a
-
Filesize
712KB
MD5f66ee0f1a31c674ed17876ec09a36ae8
SHA1dfcaf896c0877e1f2604de75be980a63f9f62386
SHA2569126919ac431442395540626780aeecfcaf0c2f4ecfadce20350e7c3b9a43ef8
SHA512d29e5577c663d493d2afefb6b4c0c1050241c30ecebf8c6c445ec50393c73a3d45bc438089045376b5795d6263f7155e63701a1af51e13af4d2805fab9ad67ac
-
Filesize
584KB
MD561e9ae8fc064db0c0f740aab9980437b
SHA131519fba075c2b020fae898e9c8bd066584bb1c8
SHA2565e80f4266ea4a283d0070f9af957c6ba37c78e98ce412634b5dafb4e2e070eb9
SHA512f62433b468294b7aa9ba626b40bfb829f4e54986087abbf50f142d5a1a77c794fc2c542d26cdc45b781b2f541d5a5290f5167d909a86caf6490dacdec8d0a94d
-
Filesize
1.3MB
MD531e3fc127aa2389e45cf800a0d08d4ea
SHA1ed570f89c9855589beae70dcf047fb23233b0a8c
SHA2561f3184d7c21f9df20b4e4f065ff3c5d237576d9fd50edb4c80e5b111aba9bbd7
SHA512ad646e7814c8752c7786753c6410e14e12a5980f745080deeac95444cdd5ac2a9d09397c815e508c97ae87dee60819ac80f893cfdf88b9c942f3408d0d18a12f
-
Filesize
772KB
MD5bb0a58557cd0388ef44f642868f1d977
SHA1e5cfc8a616c71f641117a970ee16e1f573d14246
SHA256eb58b491f4fb781419f38e1241b74a5ca11b45c4a9ee15c1ef28f1022047887b
SHA512a6c4321b35de9cda4bb4cc1bab00d54d38c237bca225ad974e4efef8cf892f639365ec1458511e5320f300d1319930e6aa232dbe52237b3dc240f11e2c5f0f44
-
Filesize
2.1MB
MD55f8110ff320abd44bbc684d346df3647
SHA1c7f1ade257b03eb3609a0b2b583438ae3627b412
SHA2562b039817f06aad41e635a44b7204229266bae7658529bddf36d3832876939049
SHA5128857bb36f7b589b6268c20e64b736126a4307511e049e1ba63925e7ee27726fc75097a14c82d458cf8274406333860db74b0e88f50b796649c37026fd1a179d3
-
Filesize
1.3MB
MD5830cc94ef4a8b2bec157b8f8f72c22db
SHA18f369a34dd64a21dd915ae504f11ff55c699efe3
SHA256d2cef9237025e4311a646c85f359a75045b4f6aeab94be2b38239667dea5eb4c
SHA51274a06c75ef5f748c34967d691e90bbdc7c059001fe4174b4edaed13ac38aa21d1d435b7592393412f79a3af615d21ed8c08e4983914d07b5b47d9fd1f55b207c
-
Filesize
877KB
MD5d8c59cee40d496be0ca2eb24876acafe
SHA1a147554aec5b2a8a57752763ef9707d242d5382c
SHA256d61f06d2faa600ad9c11bcb813f9e85f75d7a67213a9d6ce9849174175e68651
SHA512781d23a70be8f53bf40284e67341bb814410197d7ad0ec0139fd56263a0818c0f1b59f1fe4778cd2f0c0c5264f030bc6d64ca6cf047c62bac4073669f972393f
-
Filesize
635KB
MD550bab183875e3477ea757f8100d2e24a
SHA1eca35f38741b1684bdad93402a9fd5193d7fc10a
SHA256fd80c9c2e0c48b4cd098d6502f1c5c4f60735638d5e0c1d6e0df78056431e55c
SHA5125d5a8dc1010fba402038aa1935f48a6c688f85d69331efbe879ef38b10ea974dd32c0232975f22e0f0672bfed9ee7228ae47ae83d9516deaba392c715f168ee8
-
Filesize
5.6MB
MD5cb7121051402e6b71971224200abf572
SHA17b6099ba4564413c550455fbc45dd9655698fc74
SHA256af3272a8cbde8df95ca9ac83c22980f3855e238027ac90b2d64dbe4b92485a27
SHA5129f5d47b7ddd541cf4417cd9068562bf29cd5b655aca8f8360a1e4df328e8bbaf12500843e8f7909c177f5a222c4791da2a5685e68458f25d154a241138c02fdb