Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 19:02

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
Resource: win7-20240221-en

General

Target: 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: ba05ca7e85cf2ca75c0bb8295a75a77a
SHA1: 80f12db2bc5368cdd1b63c0b5ee20e8affd569f0
SHA256: e3c554113cc2c84642591ec5f0a245d0f25ffd596995495dfa299d67ffdf46f8
SHA512: c020a503c5f0863099b405c8a9c8bedbcf59880209fba6949a78f7992404ae9290bb7ce11ff291d91ed709c077235aa8ee816b0af045443623cf89a87da97a73
SSDEEP: 196608:GP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018JHBVH:GPboGX8a/jWWu3cI2D/cWcls1sH

Note: the family names in the file name (magniber, revil) are part of the name the sample was submitted under. Nothing in the signature list below attributes the sample to either family; treat the name as a submitter label, not a detection result.
Malware Config
Signatures
Executes dropped EXE (22 IoCs)

pid | Process
4024 | alg.exe
3988 | DiagnosticsHub.StandardCollector.Service.exe
1232 | fxssvc.exe
4220 | elevation_service.exe
316 | elevation_service.exe
400 | maintenanceservice.exe
2928 | msdtc.exe
3960 | OSE.EXE
4588 | PerceptionSimulationService.exe
4536 | perfhost.exe
4224 | locator.exe
4568 | SensorDataService.exe
3520 | snmptrap.exe
1628 | spectrum.exe
3368 | ssh-agent.exe
4000 | TieringEngineService.exe
4592 | AgentService.exe
3336 | vds.exe
3904 | vssvc.exe
4064 | wbengine.exe
2596 | WmiApSrv.exe
2524 | SearchIndexer.exe

Every process in this list is an existing Windows, Edge, Firefox or Office service binary, and each one also appears in the "Drops file in ..." sections below as a file the sample (or the already-modified alg.exe) opened for modification. That pattern is consistent with existing executables being overwritten in place and then started as services, rather than with new files being written to disk. Note that alg.exe, once running, opens further binaries for modification itself, so the modified copies carry the same behaviour.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No individual IoCs are listed for this signature in the report, so the processes and paths involved cannot be confirmed from this page.
Drops file in System32 directory (31 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\8a2783a712d07ad8.bin | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe

Two entries are not executables. MSDTC.LOG is written by msdtc.exe and is that service's own log file, so it is expected once the service starts. 8a2783a712d07ad8.bin, written by alg.exe under the SYSTEM profile's roaming AppData, is the one artefact in this section that is not an in-place modification of an existing binary and is therefore the most specific file indicator on this page.
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\java.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\javaws.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{90C18CAD-5F48-47B1-8376-0F604ACAA84C}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe

The report caps this list at 64 entries; every target is an existing .exe under Program Files or Program Files (x86), opened by either the sample or the already-modified alg.exe.
Drops file in Windows directory (3 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
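The three "Drops file in ..." sections above give a concrete hunt list: executables that the sample or the modified alg.exe opened for write. On a host suspected of having run the sample, the quickest triage is to check whether those files still carry a valid Authenticode or catalog signature and, where a clean reference hash is available, whether their SHA256 still matches. The script below is an added example written for this page, not code from the sandbox or from the sample's author. It embeds the System32 and Windows-directory paths from the report (extend $Targets with the Program Files entries as needed), checks the one non-executable artefact (8a2783a712d07ad8.bin), and assumes a hypothetical baseline CSV with Path and SHA256 columns; leave $BaselineCsv as $null to skip that comparison.

```powershell
# Added example (not part of the sandbox report): check a suspect host for the
# binaries this sample opened for modification. A Windows binary that was
# overwritten in place no longer validates against its catalog signature, so
# signature status is the first check; a SHA256 baseline exported from a clean
# machine of the same build (hypothetical file, $BaselineCsv) catches a file
# that was replaced with something differently signed. Run elevated.

# Paths copied from the report's System32 and Windows-directory sections.
$Targets = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\system32\dllhost.exe',
    'C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\system32\locator.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\system32\SearchIndexer.exe',
    'C:\Windows\system32\msiexec.exe',
    'C:\Windows\system32\SgrmBroker.exe',
    'C:\Windows\system32\fxssvc.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\system32\TieringEngineService.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\system32\wbem\WmiApSrv.exe',
    'C:\Windows\system32\AgentService.exe',
    'C:\Windows\system32\spectrum.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\system32\AppVClient.exe',
    'C:\Windows\SysWow64\perfhost.exe',
    'C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\system32\wbengine.exe',
    'C:\Windows\system32\vssvc.exe',
    'C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe'
)

# Non-executable artefact from the report; its presence alone is a hit.
$Artefacts = @(
    'C:\Windows\system32\config\systemprofile\AppData\Roaming\8a2783a712d07ad8.bin'
)

# Hypothetical known-good export (columns: Path, SHA256). $null skips the comparison.
$BaselineCsv = $null

$baseline = @{}
if ($BaselineCsv -and (Test-Path -LiteralPath $BaselineCsv)) {
    foreach ($row in Import-Csv -LiteralPath $BaselineCsv) {
        $baseline[$row.Path.ToLowerInvariant()] = $row.SHA256.ToUpperInvariant()
    }
}

$results = foreach ($path in $Targets) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $key  = $path.ToLowerInvariant()

    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    $match = 'n/a'
    if ($baseline.ContainsKey($key)) { $match = ($baseline[$key] -eq $hash) }

    [pscustomobject]@{
        Path          = $path
        Signature     = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer        = $signer
        SHA256        = $hash
        BaselineMatch = $match
        LastWriteUtc  = (Get-Item -LiteralPath $path).LastWriteTimeUtc
    }
}

# Unsigned or signature-broken system binaries, or hashes that differ from the
# baseline, are the files to acquire and compare against the sandbox drops.
$suspect = $results | Where-Object {
    $_.Signature -ne 'Valid' -or $_.BaselineMatch -eq $false
}

$results | Export-Csv -NoTypeInformation -LiteralPath '.\touched-binaries.csv'
$suspect | Format-Table Path, Signature, Signer, LastWriteUtc -AutoSize

foreach ($a in $Artefacts) {
    if (Test-Path -LiteralPath $a -PathType Leaf) {
        $h = (Get-FileHash -LiteralPath $a -Algorithm SHA256).Hash
        Write-Warning "Artefact present: $a (SHA256 $h)"
    }
}
```

Get-AuthenticodeSignature validates catalog-signed Windows binaries, so a clean Windows 10 system returns Valid for every path in $Targets; NotSigned or HashMismatch on any of them is the signal. Compare LastWriteUtc against the suspected execution window as a second check, and keep in mind that the file name list is taken from a single sandbox run, so a host infected by the same sample may have additional binaries touched that this report did not record.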
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\; the ioc column shows the path beneath that key.

description | ioc | Process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe

Both processes attributed here, spectrum.exe and SensorDataService.exe, are Windows service binaries that the sample opened for modification (see the System32 section) and that were then executed. Walking the SCSI device enumeration keys is also normal start-up behaviour for these services, and the keys read are the same four device instances in both cases, so on its own this signature is weak evidence that the sample itself is fingerprinting the sandbox.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

As with the SCSI reads above, the process involved is a Windows service (TieringEngineService.exe) that the sample opened for modification and that was subsequently executed; reading the CPU clock value is consistent with that service's own start-up, so this is low-confidence evidence of evasion.
Modifies data under HKEY_USERS (64 IoCs)

All keys below are under \REGISTRY\USER\.DEFAULT\. "MuiCache\" abbreviates Software\Classes\Local Settings\MuiCache\22\52C64B7E\, and "FileExts\" abbreviates Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.

description | ioc | Process
Set value (str) | MuiCache\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e322928ef985da01 | SearchProtocolHost.exe
Key created | FileExts\.shtml | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchFilterHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f71db18ef985da01 | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | MuiCache\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e46998ef985da01 | SearchProtocolHost.exe
Key created | FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Key created | Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | FileExts\.aif | SearchProtocolHost.exe
Set value (str) | MuiCache\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | MuiCache\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Key created | SOFTWARE | SearchFilterHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | FileExts\.au | SearchProtocolHost.exe
Set value (str) | MuiCache\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | MuiCache\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchFilterHost.exe
Key created | FileExts\.au\OpenWithList | SearchProtocolHost.exe
Key created | Software | SearchFilterHost.exe
Key created | Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | FileExts\.svg | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | MuiCache\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | Software | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | MuiCache\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | MuiCache\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Key created | FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | MuiCache\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe

Every write in this section is made by the Windows Search processes (SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe) or the fax service (fxssvc.exe) into MuiCache strings, the shell extension cache, and Explorer FileExts keys under the .DEFAULT hive. That is the ordinary registry footprint of those services starting under the SYSTEM account after SearchIndexer.exe and fxssvc.exe (both modified by the sample) were launched; none of the values is a persistence location or a configuration change attributable to the sample's own logic.
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid | Process
216 | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe (35 identical rows)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
676 | Process not Found (2 identical rows)
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 216 | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
Token: SeAuditPrivilege | 1232 | fxssvc.exe
Token: SeRestorePrivilege | 4000 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 4000 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 4592 | AgentService.exe
Token: SeBackupPrivilege | 3904 | vssvc.exe
Token: SeRestorePrivilege | 3904 | vssvc.exe
Token: SeAuditPrivilege | 3904 | vssvc.exe
Token: SeBackupPrivilege | 4064 | wbengine.exe
Token: SeRestorePrivilege | 4064 | wbengine.exe
Token: SeSecurityPrivilege | 4064 | wbengine.exe
Token: 33 (unresolved privilege LUID; 33 is SeIncreaseWorkingSetPrivilege) | 2524 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2524 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 2524 | SearchIndexer.exe (24 identical rows)
Token: SeDebugPrivilege | 216 | 2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe (5 identical rows)
Token: SeDebugPrivilege | 4024 | alg.exe (3 identical rows)
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2524 wrote to memory of 2548 | 2524 | SearchIndexer.exe | 118
PID 2524 wrote to memory of 2548 | 2524 | SearchIndexer.exe | 118
PID 2524 wrote to memory of 4592 | 2524 | SearchIndexer.exe | 119
PID 2524 wrote to memory of 4592 | 2524 | SearchIndexer.exe | 119
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups and snapshots. Ransomware routinely calls this interface to delete shadow copies before encrypting, so that local snapshots cannot be used for recovery. This report records only that the API was used (vssvc.exe, PID 3904, appears below among the dropped executables that were started), not that any snapshot was deleted. On a suspect host, check whether snapshots survive with "vssadmin list shadows" and look in the process history for vssadmin or WMI Win32_ShadowCopy deletion activity.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 216
-
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4024
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 3988
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1132
-
C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1232
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 4220
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 316
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 400
-
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 2928
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 3960
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 4588
-
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 4536
-
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 4224
-
C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4568
-
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 3520
-
C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 1628
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 3368
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 2404
-
C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 4000
-
C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4592
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 3336
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3904
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4064
-
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 2596
-
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2524
  Child processes:
    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 2548
    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 4592
-
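The privilege rows above (SeTakeOwnershipPrivilege and SeDebugPrivilege enabled by PID 216) together with the process list (the sample drops files in System32 and Program Files, and service binaries such as alg.exe and fxssvc.exe then run as "dropped EXE") are the pattern a detection should key on: a process enables a write-anywhere privilege, opens service executables under protected directories for modification, and the modified images later execute. The Python below is an added example, not part of this report or of any sandbox's code. Its event dictionaries are constructed to mirror the report's rows, and the rule names, field names and privilege list are this example's own choices.

```python
"""Correlate privilege-token, file-write and process-start events into
service-binary tampering alerts.

Added example, not part of the sandbox report above. The event records are
constructed to mirror the report's own rows ("Token: <privilege> <pid>
<process>", "File opened for modification <path> <process>", and a process
starting as a dropped EXE). The field names, rule names and privilege list
are this example's own assumptions.
"""
from collections import defaultdict

# Privileges that let a process write files it does not own or have ACL access to.
WRITE_ANYWHERE_PRIVS = {"SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege"}

# Directories a user-launched binary should never modify .exe files in
# (the "program files" prefix also matches "program files (x86)").
PROTECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

SAMPLE = "2024-04-03_ba05ca7e85cf2ca75c0bb8295a75a77a_magniber_revil_zxxz.exe"

# Constructed events in sandbox order; kind is one of:
#   token - detail is the privilege that was enabled
#   file  - detail is the path opened for modification
#   start - detail is the image path of a process that began executing
CONSTRUCTED_EVENTS = [
    {"kind": "token", "pid": 216, "process": SAMPLE, "detail": "SeTakeOwnershipPrivilege"},
    {"kind": "file", "pid": 216, "process": SAMPLE, "detail": r"C:\Windows\system32\fxssvc.exe"},
    {"kind": "file", "pid": 216, "process": SAMPLE, "detail": r"C:\Windows\System32\alg.exe"},
    {"kind": "file", "pid": 216, "process": SAMPLE, "detail": r"C:\Users\Admin\AppData\Local\Temp\work.tmp"},
    {"kind": "token", "pid": 3904, "process": "vssvc.exe", "detail": "SeBackupPrivilege"},
    {"kind": "start", "pid": 4024, "process": "alg.exe", "detail": r"C:\Windows\System32\alg.exe"},
    {"kind": "start", "pid": 1232, "process": "fxssvc.exe", "detail": r"C:\Windows\system32\fxssvc.exe"},
]


def is_protected_exe(path):
    """True for an .exe under a directory that normal processes must not write to."""
    p = path.lower()
    return p.endswith(".exe") and p.startswith(PROTECTED_DIRS)


def correlate(events):
    """Return alerts: one protected_exe_overwrite per writing pid that also
    enabled a write-anywhere privilege (checked at the end, so the order of
    privilege and write events does not matter), plus one
    tampered_binary_executed each time a previously modified image starts."""
    privs = defaultdict(set)   # pid -> privileges enabled
    writes = defaultdict(set)  # pid -> protected .exe paths opened for modification
    names = {}                 # pid -> image name
    tampered = {}              # lowercased path -> pid that modified it
    exec_alerts = []
    for ev in events:
        pid, kind, detail = ev["pid"], ev["kind"], ev["detail"]
        names[pid] = ev["process"]
        if kind == "token":
            privs[pid].add(detail)
        elif kind == "file" and is_protected_exe(detail):
            writes[pid].add(detail)
            tampered[detail.lower()] = pid
        elif kind == "start" and detail.lower() in tampered:
            exec_alerts.append({"rule": "tampered_binary_executed", "pid": pid,
                                "process": ev["process"], "image": detail,
                                "writer_pid": tampered[detail.lower()]})
    overwrite_alerts = [
        {"rule": "protected_exe_overwrite", "pid": pid, "process": names[pid],
         "privileges": sorted(privs[pid] & WRITE_ANYWHERE_PRIVS), "paths": sorted(paths)}
        for pid, paths in writes.items() if privs[pid] & WRITE_ANYWHERE_PRIVS
    ]
    return overwrite_alerts + exec_alerts


if __name__ == "__main__":
    for alert in correlate(CONSTRUCTED_EVENTS):
        print(alert)
```

On the constructed events this yields one protected_exe_overwrite alert for PID 216 (two service binaries written under SeTakeOwnershipPrivilege) and two tampered_binary_executed alerts when alg.exe and fxssvc.exe start. vssvc.exe enabling SeBackupPrivilege alone produces nothing, which is the right outcome for a backup service that writes no executables. SeDebugPrivilege is deliberately not in the write-anywhere set: it governs process access, not file writes, and belongs in a separate rule about cross-process memory writes.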
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5f9ee3c4cfc41a6294da2d84bac2117b1
SHA158cac06d2d8eacd0b041905c4d3568eb07e329aa
SHA256b0d5a81bbad87db06037f676c114bfa775a6b37298cb7e2f3741cd86ae4fc994
SHA512acf3ba1af2a63d406959cff92525c5bda1d70b4e20ca8d0d4d4f5358bdc9feb215bc154a6a460644944905a79ba087865e30642f4b87dc7441726a211547d00e
-
Filesize
1.4MB
MD5a209904ff4361249a00d43a47fdfa7aa
SHA1f12f4f641837af8d65fddf56e23239663e544c1f
SHA2562aef6edc35fab472341969927f6dedc1a8be448731f54fd47eb208c5dd96351f
SHA5124956b65353a249e16df64ef27cf2223ca49cf9bf7868b624d17d929e6e81ed6e627ab5f12cb44e4ba782bf04f1ead9fbd8b0f8a213f8554d78792755d9b8edc3
-
Filesize
1.8MB
MD5448f084777aaf2cb8d6bf04afcd0e1bf
SHA1e55b42a2588f79f04b1befba7ebfa14a3605ae87
SHA256caeeeff58058843777d00710ce6fdde96e048272cf958e645a62c52c17dc0413
SHA512509f6563cda4f106d766a5d80ae92e0c81e1e55752718bb5fdd164bf0adf5bc9cdddbcee3d5f8175cee29a4140102a725500f8ca1e5c6574eea10654f3306a91
-
Filesize
1.5MB
MD55b2d114004cb433f402492807f20d35f
SHA1b677ca3fe37745f2769187b29c631fd8704d6bb4
SHA256c96f7f90c10357bf3deb311da98ec579d9ec71ce0444426105725954ba15c262
SHA5126f1aaa11f38a33e998c36b36ede596c295363bc13739d72647d27070f265dd73b5dbc8731d16187f29b06c490cfd4a723bee6dfd3105a0266596137691fb6908
-
Filesize
1.2MB
MD5bc121d9e0265dccfa7b806f536065d1e
SHA1fe657a1fe0a2df07c7d5f2de3c2fa7ca0e112c87
SHA256d715c217cd186a790f0c7445303685673ca583f1f61b1271927127f67092a920
SHA5126962e42196677363dd8d4a1efe5d2f81691c8ac1f59322b7ecb4c567e8e9294dab8b9d67b0a54082179b7d9dc2daf106f5e7ce583db581f89a08aecb8f86a6a7
-
Filesize
1.3MB
MD5280fb4f4df32133967cd4a4f1b8df46f
SHA1783579607dbaada9a0093f43388fef667af13f16
SHA256418361f395ee96574cf187bd6e597c6579a33519cc01db557a2c92cd3b35c339
SHA512ff6877a1cd5019bb09d19098f3f272ec67ae41764ab5d07eaadba82503c7c8dff0f8020619b1d1dfc8f99958fc63a4b8e93c71702f3c82c727ce39d0a296623e
-
Filesize
1.5MB
MD5d60b973aacb5bd3da9cce3bc82dd7feb
SHA1217370c0e3515aa2b8c65a1387b597ffe9653d71
SHA2569ddc6c7e20012be29c7d2a23118673deb0563923caa1a7fd3012a9161f24c65f
SHA512c41151d5cb09eb359b6d6f6d93fe44cbf014ed474e7de3dec679ae2441521bc941c2bc34d621c986ffa8bffbe59f17df18830bbafbbd43ba51455ff243cb0349
-
Filesize
4.6MB
MD5e3fa5f4f8bc959be2af1ae6507dd84f5
SHA10ce1b7ba0b706566a866bb70d3e59680ae163628
SHA256a5fb8bfc25c8582a4726d1741c6e5071b4a4c14fd86afe0b73e34a3ae6892304
SHA5123108058bed601d52f06c68a15382ce11baaf1a46417ace8c91e0bb1537d95485586c2899797767de9b0f69f91b51b09d91c2ef9ef123f435a218e668ae59e15b
-
Filesize
1.6MB
MD5736d6fd84397ad4601a005093223f0ce
SHA163cd1f6f226cc0e1ffa52e156b5bcc907e6b0806
SHA2568d491fa297f77321abbaece327af51bff86fe20b1c702314968c78545a4a1c70
SHA5129ae7f043863d8b9d6d412aee2dbf2bec19f66af4aa7b456867ce3fdda768b96a14c6eed76206a29e52a5860cf774f58bc8ff842a33b0adf3849bd5d35a7357e9
-
Filesize
24.0MB
MD50ea00e87ee6473b71b64151cd48f59cf
SHA1626025f550d547219aa62c38d3c7484154dd536e
SHA256b1f7eec90822570316c822d495af5d5af68556ab2be1531462801fe4d0d993c1
SHA5127681f1b892ec751ec3a81c2b891bbcfb9008ba23c5f44d3764a17cc30e58a86b90bd1171f3a2e35f9b617901f91d362b784988941fa60afa70eb84409fad86ad
-
Filesize
2.7MB
MD5f655171b07925d662636ce6d20836b73
SHA113c80fccf6173795642ae71c2a11659258607c66
SHA2560f6af8458d76edd8aae0fde624c5f5d9e2353da315367698d04879034e81fd85
SHA5125af505da47030007a6a6c135d60ae08d0fd7ada65f0cab1eb3564e16e1070f998cfcb08bda4859ff3388eb1fd05226bd4cbae3a74ea03be53c3ebd6ca95b62fd
-
Filesize
1.1MB
MD574c6b722bc4713816fe35fc58196034b
SHA16a5b9b64bec37cb3fe1f5e7f98151d24a21cb710
SHA2567e0a89ae3be0ec1cf0fc96c1fec4bfe6a9bc5af48c7bd38e4cd3a4207f151741
SHA512209b9d73194eed61e6fe8de72b9ef8affff0bee73962438778f29f020ac7b0f02feb55a77613c5bfaa7413a10191bcb85dc09b83798b100df786780f23ca354e
-
Filesize
1.5MB
MD5f5aa8b80aca5def8397b99fdc355fa5e
SHA1f9cc5689097dc73c1c93b2298f12022369d7a3e8
SHA256d7405579f278e2d877e2196eacf61b44b4fe741cc3f978edb06e0aabeee43b93
SHA5121f42fcb61a81a91e7da37be7bc688e1b63b39e1a9538bfe0b4415e9cb394d9644f737dfe5cdb0399ccb9cbfeef636f0ace8422dc8bc32f7db52533178e1efdea
-
Filesize
1.3MB
MD56603a2e8f98893dfb9fa60d900c6c9a0
SHA139afcb3a74a27b43b2a1e05f6175e7025183b55b
SHA2568abbd8500b1d3b54eeea1b254eebdd1e6e79e68a93ba17b501dafb38f9820471
SHA512bdf50bc9edba41e3fa2d0ee05ae0405ba4220df74333592e30461bfee217a3d7d6e501dd8fef18819a2e2eb04124f49aa6c6c13fab1a5020234b3dd057510bf1
-
Filesize
4.8MB
MD59bf3fe38e0f6686939685786af9bf427
SHA1ebf0a111bdad76ce7607ad4639c632558631675b
SHA256389ccf79678d58d313d576de2c333c69e45d88c3383e8d46ec3831c0ce02fc58
SHA5124ccfa3fcc5a7b5e4c669871216c99e6e767a246b91b784bc585a64996e9eb733135f5390de0ab8772b65fa2aa69fec7789e2ad1c0475b5d7460bb175a4821c14
-
Filesize
4.8MB
MD5921f2f09603e589cf8b8d99e966a46aa
SHA197573c7ccc653f08242be4f6528661058930a823
SHA25651647aefab802f40073b8570f3b18e72b64b25b5e20d23a03d7cc0b8c2eadbc2
SHA512e33ed3ae4a669efcccaf1705a4a43636ea7bcb53de5d71bf88689acb64c046c59b076565eea56af5053efdc6c4fd0ed59001031ba7488ba0221c500b0ffdedfb
-
Filesize
2.2MB
MD5a6f7bcc0c016634fca5e2a55d86e20c9
SHA103c23440da00a01959e477acc3de85bfb4f0e169
SHA2562f56088af201581550e2816612aafe7ec19b604204be9dc121e32b0b36ab2975
SHA512e9bd152962d2b2bafde3847fe48429acfaa6ab370fa104b264f980a0ac30a73e4044fe6a27f40450975647a734691c1dea57cfbcb478b2e8a12f215b7ee1656d
-
Filesize
2.1MB
MD578a1f4b24944ad1be17e717a04f4ee1e
SHA1bf383dfa73804ac7549e59ba2921a4e535185fb0
SHA25639d06e71e8d6d236766ea048093c069c911639b9a74e1ca6242a81b90f15b3f3
SHA51262afba7b22e97b4e7f3cd93bd34cc2a62aea5d3bd67e5a26997490e01a0e318a1451b444160123c4fb84dab0fe18d3bbbb5776f7bbe089abcdb6052cb0372c72
-
Filesize
1.8MB
MD5044b44ac07725e93e058bbdcf6ee989f
SHA178dbeb23c11e37974e81b00d828ea8599a776a0a
SHA256be5ed532151e97cee1bebba7f63daa9ad5b90176bda8854ce0d69378445d65e9
SHA51248f52e4852e5a43b097a31ae8c3dafdff6206f115e28b90617f2bb79a65e77dedb2ed27dda8982abe4eabe35449f46f30631f1825eb66c0f42600bb2db31968e
-
Filesize
1.5MB
MD54dfe384e62658d2a15c6aae2676979e6
SHA1a25d587f55c1235e6795069e2a74bec9dca83146
SHA2563b5eaf41c220b860fc6b054893b3b1c7bde0e1e6cae12fc6014585c14a696c7f
SHA5122c9ed6c50ce8cba5a449c46863db7f671c34a65e0d1d2766af046279b6a9490534a6a828a036365928122b17c47dc2fa3b2e985c15b776b3e4eafaf2ad9dadfa
-
Filesize
1.3MB
MD52c4d4db4e3461a89ce00de1b8f6f7ffa
SHA1f301462f543c4f7cf620967ac4c6cd758fa87768
SHA256d1728a2f2447d2b84e16166881f72fe16492fd718d6458591b62860ce2df93ac
SHA5120100c11d8182d8c24174d07fa8615d66bfdc0fb4c85590db430f53569eec78c9aad5e4e9b9910810cf6460083fe3e7799e81d20dafc24f1283511d3d96b5a8bd
-
Filesize
1.3MB
MD532faaee28be8e08a08acaac696c49017
SHA1cceae3c0ef43e31d2cd88215915d6da2c93945a5
SHA256f25d683fb9d7af7efbec8b200576fca0ce4bcdad372b666713e5b6a8dd0c7a8e
SHA51212e07a2de031cf0a6b1af308b5dcd0c3c1aa5d97d29d234f143271c6d522ea7432ff4909ecf726c9d093a5a724f1b2ef37c582a544a441145c505625005b0e42
-
Filesize
1.3MB
MD552449775eb39dae1cee08231d58d58dd
SHA1018fe63bff4a9231d39734f8cb3deb6b4c41a80a
SHA256abb31f8b4052b5d6979609309e936ede8566f34e896ddee3f280c74058c126a9
SHA5121d866e6ff459512ed01ad27589f8be9008a90c51a6d4d6e029d53aaf11d34e0d4d8edaa7eb62b249c79a2080da41ccc697bd2fe32973cd583cfc9c38819e113e
-
Filesize
1.3MB
MD505d94994c9e99924bfc2cf9bc814579a
SHA11ee8dc581db3ae2d02f25be53a07315c3fbc066e
SHA256b15afd324dc2ff5990a2d480c1987156d87c4819bdde2172bb5827c487e75ad5
SHA5127db30cd78aacf087afccd78e956c248c1c2576cbe5fb644b6e56b74ddf8a311cb498e79b44a384159605c3a976bfe40c71fe74150e1587164e3177f5e72cc5cb
-
Filesize
1.3MB
MD508cdfa3fffdf8f239338f764ed7b4e67
SHA1dff1768b90c70201a9900ab80a29c3fe6ee6ec99
SHA25607ec989a97ee3b40aaeef7f4308075616c2017e26284803e258cc6727d14abbd
SHA512389d896290a633cf2b198c5682b6e7f937a117bee408e146955769e482b23d9439f19e79aeba5da63d5b3b2edd2e0d9be7e5862dd5c93dbc60f8602c12e00dfb
-
Filesize
1.3MB
MD50eeb9db25c384360645183ad21564485
SHA137e8c61c055dfdb73881d7c80cbf80c2cd8dc5fc
SHA256d5631f4500487acdc4747d4fd0f8f54e932ba6bc008b83363a65bc3696807f62
SHA5126d5a226ac2efe3ecd222cd3ea6ced0937492fe8f7b722c4eb89efb2b7bdf9dd16585e8b9a2f45f76fdf83a6db3d0e9391cf3cd4d2c017e8156e8b759fba3445b
-
Filesize
1.3MB
MD5911edad131ced3a90bdcc5e0e5f69473
SHA15c9ce7b34c391ca2c5b0b8085b394e909bf810ca
SHA2564a40aa9ce61009fe950a80181087de591c3a1e314f416e8c13203aff8e3aafea
SHA512651e9990cdde45a6f8cc7fd5d1a9fadbb8f51587053c3ea106ebcd639cde028105e9206883948d65306f13163b87c01162208ccd0dac916ae20ef41bc5180e92
-
Filesize
1.5MB
MD5233f12334f9c08d64096999bdbc6d8ba
SHA158d56fcb130e8069d3fc9fa1ddc7cf3f6f502946
SHA256439b40a8ad0f1e0a2df403e925b91898ca1f6bec1af2c1544fa803566e5424a9
SHA51263becf0c8791c14b6c0424398d3d98035873df16208deaa4064fc18606fd871d9983c0f708d46b32504771402972c29b8809a5e700a0989ee07c47f0dea77167
-
Filesize
1.3MB
MD52fc255eaad9cc2d166fe20519754d816
SHA1e0443b8fc4740f8f93f9487ca8bd42894a41ec61
SHA25609c92e7ff50d91823e5c87eb58ae77fa15675dd3f29db07e3b3c24609eb46e85
SHA5128a2b1bc51e9918710d91666cd552d04c89ed0baf26b74a419e27272d93cd84fa0dbd12a8dc9406639bec5525a5410f6dbde19970ad77dbaabf913529f45287b0
-
Filesize
1.3MB
MD54d7f39f692d68604105f720d33b9365c
SHA173e70cce0c610b41a00f5fb65cab68723b3170eb
SHA256cf2cbdc2aa49d615f1adb21c8268516821451024e4ea43900233bf35ccba719b
SHA512a9e35f2523491001b9b2395d3f730569291b4166a352e0b7cbff56d046b413e97025bfe4527c9127570cc8b9c08bbb40ab83bcad049c23d80d3ad78fcd41b285
-
Filesize
1.4MB
MD5362a2ba9ff5f8c1c6b7f470c52077e47
SHA1249d58e707b63be60ca88bfc8c4553e37eddbc2c
SHA256358027a7be7f74ac47a50c3106ad9be025f5673cadad055182493a6f3357b0e3
SHA51225d6d9607d724375954bf4163d56742c6ac94071f3221bb46babc242251d8c02b196883760c459d8f477b0b745c7149372fbc8a0a37a356770eb926321f354e4
-
Filesize
1.3MB
MD54860ed499a9153ac0ff5d3121c2aee15
SHA1b120d15b112f4a3e251666ad1c81eb12fdb2ca38
SHA256ead95e48ec479084c1d7390cbd1c7c5d5d653c51befecd4668ae1fa1d0890843
SHA512ffdea7da4c21d50541d9ac343c9b8b191dc965657a81badf2cfd57e425a648238edbe79349a5b253f88fb2568a7a611f32a649476c0912dbf02978b4a94e9246
-
Filesize
1.3MB
MD548c35ce161cd38a546f69c2d7d2e0707
SHA19713d8ac2fb03686c77c5e730def81b9c6cb622f
SHA256cd82eabd177379267b344e574c7d2b708779f306657c3c1c5fca29d073a04abd
SHA512d2b7551233f34dc22b668f6a3e15a5d653f8ddeac9b09c75333b9fcbd7b5272f966b9cdb11a9e290303d37617c307b8426a5675a8ec23a50b8eab362e909b788
-
Filesize
1.4MB
MD51b884c01687058e0e0e9e2053baccd86
SHA13d91ca84a9a97747634cb2d4d4fa2e7af3bdacc8
SHA25624c61e34c64b71ea97985d84105fa141e5c4a8d397abb4b1f8c230cfdf2f2157
SHA512fef8d97d396a8e65e1a1535043fd9ce3b327423a3c5587aa8c50c5904784023e1a6f96e45378e5a85cc82eb285d0473744540d4fe7baa1ee7d3cd30758690a8d
-
Filesize
1.5MB
MD5cbbd4ad5d2d712ef319a53e3ec0dd2a9
SHA13dc72d69912857ca1920c757b4f870c5e272ba8c
SHA2568c8f615f08ad2bc12efaa81a04975dff90402fa232c56af426b3e8eac1573fd4
SHA512f53aff74936b879bfaf6e4a61024b5ac867147508e094b519c122a98af07152002d373fee8ccef70070c8829d272c3c9a48ae57102898242480bb05f47f71ed5
-
Filesize
1.4MB
MD50579139550a713366dd3664ac5910037
SHA160d014766ed4fbe801e974f2cc7961d03b33b1b6
SHA256c7f18c6dc8704f1b50c866f7bbaca00264ffaf8bbd6ccead8869318d45ed4b39
SHA5122ac23de519333890df63ac2ed901f0b102e8de3e90f207ea316c0d1ac24433992eee7a92a253ee82f5c6dbd705788d86555b42c1b676066f95d7ac4fe7111206
-
Filesize
1.3MB
MD5c785a0f33c749db08873614b570a5f67
SHA1a0714ff541e53e9cce4c0161c03ec35fe63911f6
SHA256b8bb5851b5d04cf272a8d14217fd61bee02a342d481fbc24a63d11b31cd31216
SHA5128b653a787d84bea5edf25fb1476164e0f11048a22ff840504ae22bbf0a7f178c40922f9d06dfa2d1112a59853f50ac5ef4cd1dcc0da2bb8ac160587293106bbc
-
Filesize
1.7MB
MD598a9dbc32ded7a7f1615a3f125d4e666
SHA1d65a483f07be157f45d1873058d24c565da8507d
SHA256c77c803c580b62c83863864afe4832fd85290ad221a63ecb321afc2f707ccb78
SHA512d1cb69174b613e5f87bad88c36db075ba3bc1b37b849af417e637493cbe4905677be31d2d0f8ac0a5a8c97e6d7aa8a58a7d26655017063c7e54d5505e769a497
-
Filesize
1.3MB
MD57e2fc70643f96037868aed2cda8e5031
SHA146924d7a75ad56eb604efaf2b99f7bb62435d3ca
SHA2564b4ee5361451a45d887988ae05730c3b34610b49723c5c83f92a3d89ac52719a
SHA5125cb188438a9c40fcf7220b3f184906da386ae6e59e5247cd59d50441c2917bf646b582a10b9a307c68e68e259539a95af8c99242338a8373c6914bd85fc800a4
-
Filesize
1.2MB
MD55a0e8a7766fd3bf179074814a3bc5edf
SHA10fb5ca3424519932f65acd273390868cd72956f5
SHA25609a343c8da1b719431d608131b5436d0bdfa630478118bbe7b57e1d89e6c1bb1
SHA512bcc572973d4c9daa3e2562d880702a581f1f157961460408177b94552c26066a3572d2456776506dbca26a9c2d3daab185949f823070f2d26904842ce65f7baf
-
Filesize
1.2MB
MD56059fa9529e7b5d6bb19a9cfa0b46681
SHA18c26431abb1b8e965b883766ed5a3c1442d788f2
SHA25664839e80c20b6818366184fe80813d7676560dd54183e6a2a2eed1d04820b2ea
SHA512b9159f6cda1ea0e6d93e71e65125a3e71daad9e94f1502880b34a5c06fc8a64e28db8c874678b3c7a4c1cb2686a4f7c974d200a418d410bbb899b98c276eded6
-
Filesize
1.6MB
MD5bd0f1eb238f6b6ca94dba9862bd1352e
SHA155bed8e9ea9d4ceee322ebfa266e3fe90235ea9e
SHA256ccaa8737b23c8aa071e1fdf9e7e24325e6721b6d5ca9c629591b4e904f641f0b
SHA512480690dc6c9552380dd575430399c84af4dfb107db7e72bc3eeda432c4009af22654f7868e71b02c06da6ed852a40a1d7a90fe02580b1191728441aa4cd4b301
-
Filesize
1.3MB
MD578036f55ccc9222e0158716d8575a933
SHA15aa89f6b5d05f806b4179f8f60d0f659897b0c62
SHA256f717d884f5f719f3de73d3254068606735fed8769cdba1ed5b5569869d74ed3c
SHA5125b26da474fdeb0fc33507b04741316e8f14237840872a5813e9d3654f207b3077358850e90dea16931668f653c25d157f9176dcd1941f7186889001a6a0d1b6e
-
Filesize
1.4MB
MD51c2ac3d11a0aaf4e6dba200a25631894
SHA18d2f9bcfb1bb4d282044d6640b82be71cad5cd49
SHA2561d23b9389994453cfa729737f219ab055d4f65fb0a57870a145e612b7c0cc989
SHA51249e5902731676bc786a3b9b51710965110918fe0006a30f75d6c24a0a9034f099d96d0d46af1523459de668767757ad2de5aa0f510ecf44f61ba42f8ebd1b2e4
-
Filesize
1.8MB
MD58b87f705124defb37200de0962172bb2
SHA107f787d336f59b85004fc7a024ea75522f9aa3e2
SHA256453582a16c1e38d210e71dcb2e631199d277eb1e9166782713d189c2ac0698fb
SHA5129d52c196070f3715e62de4c45ec30e856cd73d68d4394c184bb68e99fdecca1b91307786e3313a6991c59cd2e0d67d881af339ddd409ece82e5fa7d9ed786ff8
-
Filesize
1.4MB
MD5dfc20cc943f33706441f478d2d46293f
SHA18e4376eb3f2f16b777f4f08fa78dc25796d84f0e
SHA2560d8c30b5766a218798ce8b99bd67884aaf6498747b1e8de5413e239d0b511caa
SHA512f26a27ff1f06b5a76059a2380476f6f70ca3b65c8b691763de1835b4e1b665b1f9d664edb3f8892f26cd87b9bc7ab5c44a420c6bf42366e60ec246b04b2274cf
-
Filesize
1.5MB
MD5d446456518921911488acc1a46664ebe
SHA188519bfd1783ff3823309cf5e19ecf5120b03466
SHA256f662ab8e7fbb5ecbd3afe1d63f609a6445eee88e008f4c11d525e570f02fad89
SHA512ef615adbb451ae5c6606281f221bb94ab8fc2e0b2d3433d9875b0fddc6fdc80793b09ee6177bb347413abd37e70da97876e30cbdccf4fe0719849a12253d4807
-
Filesize
2.0MB
MD5dc5ffa1f9aba95b85c04a5df654c243b
SHA1764d4cdec2c2884957eba6710b1accfd44d8e80e
SHA256550226cfa8bdc6cc0fe22003cc59746735ea7c73f43e470871d9d70fe4988ddd
SHA5129f4f3d1e77714af24fe242cf0c33f19ca6a3ab5e3cbe9a4f46bd11479d44c9e8fff4b33362ce0975a326935e1cf843b48b156ad31a64cfca44ca522dcdd2b2f8
-
Filesize
1.3MB
MD580f10aef1dd466965017f9d1e3f0239f
SHA180c757192dee34e295395bacb711af8839c574b7
SHA256711879a0fbeeb7d8b999c51d3d2e2f7366b98d85910a7b40057c1d557093c775
SHA512be3603fd401b5626e164ca38d9c1d30dcfeb838e133fc42ef678e5fe07c6dd6079a7deca7b675f26441a48d1a563b798dc1a8d4dd6b622b0e99e33c3a4c2787e
-
Filesize
1.4MB
MD5799b0ae0decfa1e905ce6c6111ccf7c7
SHA1fec8a70840b760d4e2288fdd1cde3a8364bc41e9
SHA256b5a5b28b73ecabfa14162722741d029d387b8055929d5098e6e5eeb8c34f2b3a
SHA512414dd9291acd29923b3c66a19f330acc72c207cc816041aa6166eeb43823e722438dcd6c8184f4f2cdcd56f92a5e566f0f41f32f70527a070b90050ea27d3e0e
-
Filesize
1.3MB
MD565652d9617365cf83db0a823473ea957
SHA197658ae5abbd9c52d0aba7a24c1210274a58b00f
SHA2564e73590e23b75d10a8842299fa07f4c6f90b6418d21bf85768638d9bb1280627
SHA512164f6c0e8fdc997912dd2345ced3afaff37f02a71602eb3d22506c5d66c9c5594fc404d9c53a7e8a8ef839e356ab4a0bd4489d351a9fc79a748a10139050a630
-
Filesize
1.3MB
MD51f74eaad41d32b68e64f71cbf4f9b840
SHA10af1b71ee1db80e870ca3b5f6ac7c7d4cbcd49e1
SHA2567b306a94d5d16fcba10fff00a7bd253dfd3f1356664580b04e38537ed02ea32d
SHA5126025af3478383bca0e34cbd4bf2be232e819189d70132cbcdade49f32b903b7cfd59ac0b14a2c48ad28bdb1817ee1b6d99cbc073cc15ccbe0d4528b097c28437
-
Filesize
1.4MB
MD5d542dec83eef16e8bb9d59d1fcde3298
SHA19b6666eced60f7943213519355ab154b8759ac95
SHA2561e406b0a6218c39375e7503bec6f43ec03a90af9c9ef2757c2deda776bc909b7
SHA51286a67ee36e6aacdb4a3fa2e42cd63a048608627b5f31142ce165b63942a7933bb1bec891a9117f8ef19247754744439fd96c6c131d60d1955fea93a257ec2f25
-
Filesize
2.1MB
MD5378a8649b8ecc7e2a49fd9c15ec3d273
SHA1c050a9aa3fa668a56b80d0fb6a4384c34525db9d
SHA2566cfdb414537eb4244c7675122a45c843cd6650476bdc522797ed6ae1c3ce7054
SHA5128c7138cd5936d4886c59b1ae620540bde671ba726ca9001924d57525c4945607f90fbf323de8f87ceafb09e1250f2e4953e967eb6f415c120410664190cd4458
-
Filesize
1.3MB
MD561352a05087a380b7fd3eaaf2efd6786
SHA1f39808a48e0e14b28e0023715912bccada917676
SHA25621b1869a3cbab9844c462cfe01d260b793ed0faa720075f168d27b7ba4308124
SHA512794e444d03a235a041a9ad55fbd29a5045dbad0fed9f52b817387826d1cd0055f999b2b5b0f39c83ba5cb2b507c50cd49c228657d2cab83390de4cc14e44a715
-
Filesize
1.5MB
MD5f5cb09d9c637d1c22076b4f5275bb614
SHA1072755f1d2b543ce7285b4294d10d510d13d02df
SHA256367b0150e596327e0af80f7f96a21baac346bbb419a5d0749291f50256dae643
SHA512f9eb7a1bac34ae28b0bfbd85f34584128e6ad0cc2f4673c99cbe8b4681effc33ec2356585b737e3e6b058f590fd5da96d8188a43e7453d30de7ae287520917ad
-
Filesize
1.3MB
MD523ac8672700e4e4af4a01be75b163207
SHA118724aa6e438f594ae641179f627c72bea87a2ed
SHA256ed224aaf2a32da426cdaa3d9c66cbde936707e1c14d8486c0b474e66f43dec0b
SHA512330ded3d73b98321d6af9e00c31a7e90b2ea90a246d782c8588496e4ef17e3895f5a409f8ef7ec25cba06a64e5a09a0fa853e55ca18a40fbe0ea523b29a74648
-
Filesize
5.6MB
MD5dd7783feaebe7fb7c9b0576b719b0652
SHA1b0a6835c65b7dc3e01fdbf5464e8bf4c42305a3b
SHA25688255f28a3e1bc400614bd372f6758d56c9d3e8926195ad1811c9211e16394b0
SHA5125f7107d6e0775d46f7d5c92994877919c38594fcac1a3fadb0171ad62ca1c7037df71925752c1602b7fb1b82459d64f9e332544dc5159abfde4044ca3e3f9be0
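The Downloads section above lists the size and hashes of each dropped file. The Python below is an added example, not part of this report, that turns a few of those SHA256 values into a hunt over a directory tree, hashing only files whose size fits the reported band so the sweep stays cheap on a large Program Files tree. The subset of hashes and their sizes are copied from the list above; the function names, the band tolerance and the constructed demo files are this example's own.

```python
"""Hunt a directory tree for files whose SHA256 matches the dropped-file
hashes in this report, hashing only files whose size fits a reported band.

Added example, not part of the sandbox report. REPORT_IOCS is a subset of the
SHA256 values listed under Downloads above with the size printed for each;
the band tolerance, the function names and the constructed demo files are
this example's own.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA256 -> size as printed in the report (rounded to 0.1 MB). Extend with the rest of the list as needed.
REPORT_IOCS = {
    "b0d5a81bbad87db06037f676c114bfa775a6b37298cb7e2f3741cd86ae4fc994": 2.1,
    "2aef6edc35fab472341969927f6dedc1a8be448731f54fd47eb208c5dd96351f": 1.4,
    "caeeeff58058843777d00710ce6fdde96e048272cf958e645a62c52c17dc0413": 1.8,
    "b1f7eec90822570316c822d495af5d5af68556ab2be1531462801fe4d0d993c1": 24.0,
    "88255f28a3e1bc400614bd372f6758d56c9d3e8926195ad1811c9211e16394b0": 5.6,
}


def size_band_ok(size_bytes, reported_mb, tolerance=0.06):
    """True if size_bytes rounds to reported_mb under either MB convention.

    The report prints one decimal, so the true size is within 0.05 MB of the
    printed value; it does not say whether MB means 10**6 or 2**20 bytes, so
    both are accepted. tolerance adds a little slack over the rounding error.
    """
    return any(abs(size_bytes / unit - reported_mb) <= tolerance for unit in (10**6, 2**20))


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, iocs=REPORT_IOCS, suffixes=(".exe",)):
    """Return {path: sha256} for files under root whose digest is in iocs."""
    bands = set(iocs.values())
    hits = {}
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.suffix.lower() not in suffixes:
            continue
        if not any(size_band_ok(p.stat().st_size, mb) for mb in bands):
            continue  # cheap pre-filter: skip hashing files that cannot match
        digest = sha256_file(p)
        if digest in iocs:
            hits[str(p)] = digest
    return hits


def make_constructed_tree():
    """Write constructed 1.3 MB demo files to a temp dir; returns (dir, path of the 'infected' file)."""
    root = tempfile.mkdtemp(prefix="ioc_hunt_")
    hit = Path(root, "svc.exe")
    hit.write_bytes(b"MZ" + b"\x90" * (1_300_000 - 2))
    Path(root, "other.exe").write_bytes(b"MZ" + b"\x00" * (1_300_000 - 2))
    Path(root, "notes.txt").write_bytes(b"x" * 1_300_000)   # wrong suffix, never hashed
    return root, str(hit)


if __name__ == "__main__":
    root, infected = make_constructed_tree()
    demo_iocs = dict(REPORT_IOCS, **{sha256_file(infected): 1.3})  # pretend the demo file is listed
    print(hunt(root, demo_iocs))
```

Run against C:\Windows\System32 and both Program Files trees with the full hash list to confirm or rule out the infected service binaries on a host; a hit on any path in the process list above (alg.exe, fxssvc.exe, msdtc.exe, the browser elevation services and so on) means the binary is the dropped version, not the vendor's. Because the sizes are rounded, a non-hit is only meaningful after the size filter has let the file through; disable the filter (pass all sizes) when scanning a small set of specific paths.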