Analysis
max time kernel: 158s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 21:29
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
Resource: win7-20240221-en

General
Target: 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: 270476592fb19318a5c2318b87e6343a
SHA1: 322108da623c46196ae5aeb020d0d988e3fe1a1e
SHA256: 50acb50ae74f8a114683c14a5be3b90f7362d101dc3f778788487bc9e0ef7574
SHA512: 3d9678d50c36d19131b343f8fd441640fc128334f75a62d088daa8cb65092bd7354e25c5aab4c14a2090b3d96d43c9be4103b772e42a9ae2529bbd769f79d957
SSDEEP: 196608:KP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpUH2SAmGcWqnlv018Nsd/N:KPboGX8a/jWWu3cP2D/cWcls17dV
Malware Config
Signatures
Executes dropped EXE 22 IoCs
| pid | Process |
|---|---|
| 4832 | alg.exe |
| 2872 | DiagnosticsHub.StandardCollector.Service.exe |
| 5108 | fxssvc.exe |
| 560 | elevation_service.exe |
| 744 | elevation_service.exe |
| 4904 | maintenanceservice.exe |
| 3404 | msdtc.exe |
| 3600 | OSE.EXE |
| 3096 | PerceptionSimulationService.exe |
| 2364 | perfhost.exe |
| 4648 | locator.exe |
| 1848 | SensorDataService.exe |
| 3956 | snmptrap.exe |
| 1784 | spectrum.exe |
| 4740 | ssh-agent.exe |
| 404 | TieringEngineService.exe |
| 3248 | AgentService.exe |
| 3668 | vds.exe |
| 2428 | vssvc.exe |
| 1536 | wbengine.exe |
| 5052 | WmiApSrv.exe |
| 1308 | SearchIndexer.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\6c4c9fdeb3e2edcd.bin | DiagnosticsHub.StandardCollector.Service.exe |
| File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\System32\alg.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe |
| File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\System32\vds.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\locator.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe |
| File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
| description | ioc | Process |
|---|---|---|
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe |
Modifies data under HKEY_USERS 64 IoCs
Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053783d658facda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
672 Process not Found
672 Process not Found
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
Token: SeAuditPrivilege 5108 fxssvc.exe
Token: SeRestorePrivilege 404 TieringEngineService.exe
Token: SeManageVolumePrivilege 404 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3248 AgentService.exe
Token: SeBackupPrivilege 2428 vssvc.exe
Token: SeRestorePrivilege 2428 vssvc.exe
Token: SeAuditPrivilege 2428 vssvc.exe
Token: SeBackupPrivilege 1536 wbengine.exe
Token: SeRestorePrivilege 1536 wbengine.exe
Token: SeSecurityPrivilege 1536 wbengine.exe
Token: 33 1308 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1308 SearchIndexer.exe
Token: SeDebugPrivilege 4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 4672 2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1308 wrote to memory of 3896 1308 SearchIndexer.exe 120
PID 1308 wrote to memory of 3896 1308 SearchIndexer.exe 120
PID 1308 wrote to memory of 1848 1308 SearchIndexer.exe 121
PID 1308 wrote to memory of 1848 1308 SearchIndexer.exe 121
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-22_270476592fb19318a5c2318b87e6343a_magniber_revil_zxxz.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4672

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  PID: 4832

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2872

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1656

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 5108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 560

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
  - Executes dropped EXE
  PID: 744

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 4904

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 3404

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 3600

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 3096

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 2364

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 4648

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 1848

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 3956

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 1784

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 4740

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 2324

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 404

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3248

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 3668

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2428

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1536

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 5052

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1308

    C:\Windows\system32\SearchProtocolHost.exe (child of PID 1308)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 3896

    C:\Windows\system32\SearchFilterHost.exe (child of PID 1308)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
      - Modifies data under HKEY_USERS
      PID: 1848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
  PID: 4512
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.2MB
MD5: 38ac3810222de7790554554aca780470
SHA1: 644c0a0bd9627449c46032b5145d11bec7a6fa8d
SHA256: 419ec4e6a7a5a7c3c712c4c16a8ff8ffd9d777f36bd1c2e096a10219a7dd573b
SHA512: 633fabf9e36d8973193e5ad74b89b97251f89c971d5ee8c80c5e39bed4946927121852e0afbcd7ede7ea6f1304a1fbdd7fe62c5381ee1c983f40ea42bb45c681

Filesize: 1.4MB
MD5: 69e592c0c0d82cc3b27950477973a110
SHA1: fca61b2db84376ca937d41b24283ef1e7e9668dd
SHA256: 5a1680c6862940962946e9e3ed7e371ed56ab3c19cb81f7783caee800d21f147
SHA512: 7760eacb063bc018e31dbae3ea00e9299f61c0c8ccf26e5cfad49b5a30b9525f9fc9142c5a49e6db18e11f3e8a73f743ff4c0f90edaaa276ccdc986a6bec0ea0

Filesize: 1.4MB
MD5: fb284ce014113bc28301c85ddf354753
SHA1: 69cf1d7a510f4dce950d2f55af561b0d33d2f5a4
SHA256: e6c3f32c06202fb892dda8a421b9943b26977d733ff783e0cbd069c36eb2a25a
SHA512: 20cb7b54f387e2cd20a53adecf2c54b82752c2a8a5c272416e0c0b1fba8e51bfe96837894e95e24cf47523b125ab24fed448ff4099119d84cd8aeaba16a6c66e

Filesize: 2.1MB
MD5: 04a43f0185243053802638aba4ee47b7
SHA1: 2de7f87cc058ed0574bd6ad3b0ac9951579fc4e2
SHA256: 41c75c39298f60443be957ab043551184e4635f95a1d6b8cf9f8659326901287
SHA512: 34c7fa1687ef3be6e5a72ca9b72f25c6f5456b9abbb113cc3bbe98296ec1f07610796d27e531318919486a91b9834b4bed34deac7b3202e3ce5b7e374a7dad14

Filesize: 1.2MB
MD5: 347ff5cfd2069e4095e21cd96e594452
SHA1: 28d79b67ed0c278a77793030a415d331697e5df5
SHA256: 8f02db20dd69e669e455ff30373d8ed82f3d856d7f38fa2dacff4928598859a6
SHA512: 124a6e30cf57ab829d3cc5b583d242945dfe9d7de27b0bf6a4e118383772290bd3745d1fbe616c7038f85bbe8b494614d54a923cdcdc02964f18d23c5eec1013

Filesize: 1.7MB
MD5: 3fcf4b0d05f66010ebd34a66d58221f0
SHA1: 9ed254e08bcca861c613bb49b39c01a8a14dc4b0
SHA256: fb4cbb388a1b6a7cc6bd54869a0f7a1832b76970c812ba9f25b2a2e52fb136c1
SHA512: 47113d161e2c70801056f57d5f55e7807474a3544998c255e1def4af72adc2c63397f06ca312c6c5719122f8d4a96145d7a9d7c237e3192f9ce5788294bcded8

Filesize: 1.3MB
MD5: a7ddfca95b563e9e271efe00bc36e551
SHA1: d381f06113337499da7a0decb794b1a6c374bd9c
SHA256: 2ae441a0a27839a1691afcd257927f41696d0501b6d9303fb6292a5567f9faa3
SHA512: dc6f927320699b4308c1b778758350854141b10a7e638fcf49cacda44c126afdf71176f56edf1c57f41caefed26a01f0485bdb13365337a7d18df23125397369

Filesize: 1.2MB
MD5: b6adb722ffd5dde5e0990fe39c058d8f
SHA1: 3ce31104ab9d231d076f5f6b2630bdf598756b85
SHA256: 4297ff56e6c24bc22583abfe14f705a35aad320ec0ff6fc6e795c0a418362dc0
SHA512: ca76d9076585667b67032f6b3e1588c923e187b66571226ddce6696819c264600823de78d5a6f4a7844496f9f8a34cb39b112ab51a2b2f027bb187398ac77c20

Filesize: 1.2MB
MD5: 41a4918fdabf63971e7c0db71751e9af
SHA1: c5579e2268e5c476ede0c148b38cbb3fbfdb003c
SHA256: f98f1e1f6fc318098c48c5dea9e0124f0bc57bd9e889323e206a26ab2662aa7b
SHA512: 010c853e2380ebebbe92a8c4f4d91ddc294d78252f960fe3298cccda1a8befb0fbf3e54ea0a84e142fa9f5ac47e105042c164b28cb2f13d3529b7b668b605fae

Filesize: 1.5MB
MD5: aec744d6dbacfa1fd6115da7035aa6d5
SHA1: 9b8954029b321f3c1e15d632e48604dc648acf19
SHA256: 009a5a1c905030d4ea7fe5cee335634d3073756548cde86677f149e89631aa53
SHA512: 29eb0652882820e3fe59ea4c58f7cd84dc7ea202b23bc456117f69d9043039437cdf760a0a76fcebb7c5c49e51bddeceef8f62dcc82dcfe5085ed74ef03c1446

Filesize: 1.3MB
MD5: dac5848931cca17cb3e6850f463c787b
SHA1: 44e382513130360fcac6474d1ea28d152c399d7a
SHA256: 0b98fe1717cc91e6cc5cf526e77f294ed65cc74b2af058565ed52e04a41aa607
SHA512: 7fe93534668ec31522b17352f14bea83523a6644907028417b68e60546d252d6e7abb3c36c8dc0860790c86f50fe4ea769a53d1017d6d9641b2c3430fa21c88b

Filesize: 1.4MB
MD5: 1d540a2ea824fefbd7fafd9ae25438e6
SHA1: fabaa2df1423a1e1ee894c1a64181b468b10581f
SHA256: aefedf4e6a6e6cb951a73628f498fecb23ac3d56864869a6fa6cf999e1bbdb1f
SHA512: 37d6202e7372803983ec11e755e44e2727a9d17b78457876c3c564d584aa4534e489688c4c2b72fa2cb95b8f9f6c126ae2746e1a3e416ed8ad90026f9a033e24

Filesize: 1.8MB
MD5: 715146e3c45a6c8ba9fb35cf9a9251c8
SHA1: 48493d535682be952fe90d7fcb8c8ac1017a2822
SHA256: 156fc0792414a704e71d634e86dc898d1afe26f011fdaeb36798f26d655707bb
SHA512: d2866f84172eb0210977c23a9f2c3c22a44d85525d349dceb9260455af807a7bc74304d38fd98f13fbac419ad00a55f4722c2f6ae5491948f84904f90b8f1197

Filesize: 1.4MB
MD5: 67c7663edae98fa5a289ed56dcf72c18
SHA1: b998bf15e4952da9ad97043e29b0f0ccb378584f
SHA256: 15e93fafb4e1bf0e37ff08cf13f387933afb9cfa9e1d5bf535ae6b393862e4ee
SHA512: 5ceb7dee1082a07e3762101d9bc879b072c1b7ce936bc642d83198eef58074e14edbfad3b21c08280f5cea1d96b09ff221057f51754165f5e1f8e700735b4c7e

Filesize: 1.5MB
MD5: b6b6776befbde41b13acf3f0f80232ce
SHA1: 4186e4c8653a919561e647e22f59d460ace70a58
SHA256: 39f13df327b62f27c8dd316b54ed8c192c366aa50cdb92e02c8940fdd81a0383
SHA512: 1f5120e575b94d2d5081a4042611e408e799c2642a50756f860f72e5a5005ddd10b6319c3bff4c9d988fc2064f4a37542c50ad4f01d557f41e8f765c0d1d2ecb

Filesize: 2.0MB
MD5: d7680a9fd703354695f48c824b8b3188
SHA1: 3e04952e5546f4ea43afc23a08bef4e0a80a6b89
SHA256: bf855684792050bd2992e0f6cb461d108b12ee98ab4e096032e0ee46787986fb
SHA512: 67c2d2a0dc307edb75fc9df3dc780e23423ad70c6e7399b08d646c44d1769f9e53fae675691c1ff0770da72edf6c0468737d09880dcb3482188091c11bd43fc0

Filesize: 1.3MB
MD5: 3c6f35e472729e604232b410611b824b
SHA1: 5380063e3de5da5dd71d0e31fd497d951d9386ec
SHA256: c9fd29f9a48d96465e9f4d214e85bbdcd3e76a49e9a69f72db595d9591162ad3
SHA512: 63bd47f36b7fe686221c7d1790c0127ebd433905d0b6a2e73b920a3978cffcee4bf42cfe1b4b628c011e517d6adaf9e067d5143c77947173b7fb9d91fa90a12b

Filesize: 1.3MB
MD5: 9dc397779c94931d46c715a141d5d3fc
SHA1: 0ec4bb686088598ee7ad16f2afb6dfe5cee159d5
SHA256: d9e6b9be619719bf4b03d8a2058c715796054aca16fb1b011f6f39986389580b
SHA512: 90138ef547717194df3d7a4221677cfabb8e68602723e1d5e55b81a9067d3acf251e33265a3d79b4951bc889bec0ce1036e48b388d0778d34e236b942fa9b2fa

Filesize: 1.2MB
MD5: 2b9432af7323d806a9d211d7e741df74
SHA1: e51680374565db0ee1c8ab44e95044a0763375c8
SHA256: 51c269c38ac00f3d1730c8eef93e748d3806e4bb271714ac68b850f66030ab65
SHA512: fe9651511d0822f66a6f23be2c9192c8de68bbc5e5abef73da837e7d24116a0b727f95a87a2c834f6c6253699ed1eeb876fe4c573188442dd55c42b00858d0a3

Filesize: 1.3MB
MD5: 39785e38b6b87a2256a13315142a2999
SHA1: 35707ce1b82e43fb5d04aacb892b908bb08677b7
SHA256: 5923ff10e6edd028100d32ee716b7bdee00d3e75b50cf072b54323dc636b833e
SHA512: 10f1928718c7ee2a06cc538cf8240e6f57a876782f3753381cf2d0f4c1c74e9307a28ae4425e2c4a40f65bf9eeb81587fc91fe5cb979e533b48a1003ccfbe604

Filesize: 1.4MB
MD5: c56ccedda579e2cbad6e8d063eed361a
SHA1: b72523e8b62d9c06edd28adfc8c04658fb79accf
SHA256: bba70c1041596f5389796449362e69847de1f76c5af5ac2b8d0e6ce674393f62
SHA512: 70ee944454460500717e968f44c6820c9e898a7ce8d2f64231d5a7d3f2384b720cf4b236411f2c82e23c1abcb93185b875435c8acbe8ffa5c9b72469b2a6fefe

Filesize: 2.1MB
MD5: 5d444df52debcc1300114783d2a8a2e4
SHA1: d14a4103737dfa24cc686e0a1d1ff2fe40171d18
SHA256: bb5a5d980d62315a684864122ac4fa8d2c27e7b00704b8f521d43125b13f9300
SHA512: 21cbb7c9da69e13646647c99a2be76bd91818d36d2bc431ea2ea313cb4ea98e8e746cc08843219e2955d1a059252b5755b76c481ba31f94208957c7c3f13ce8f