Analysis
max time kernel
153s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
26/05/2024, 03:48
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
Resource
win7-20240508-en
General
Target
2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
Size
24.3MB
MD5
579055f6a11b236ce9d0249dc13d336e
SHA1
1c8c873bba4c1a208bff53021c51fcc46d93e632
SHA256
29972d385d0ba872110b0d1f8a38b0376b30e7b46eda5878624e524360242c94
SHA512
0cd6315b86363df5ca7fee501381d588967009670fd3f51928ab8892c4b5d494ad81e8c76675cb053b96ce308fade2d0f47216e3dbcd11df5bf94a067481ddbf
SSDEEP
196608:yP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018r:yPboGX8a/jWWu3cI2D/cWcls1
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid | Process
4108 | alg.exe
3704 | DiagnosticsHub.StandardCollector.Service.exe
4504 | fxssvc.exe
1628 | elevation_service.exe
1620 | elevation_service.exe
720 | maintenanceservice.exe
3580 | msdtc.exe
1932 | OSE.EXE
2352 | PerceptionSimulationService.exe
4272 | perfhost.exe
1268 | locator.exe
1832 | SensorDataService.exe
636 | snmptrap.exe
3852 | spectrum.exe
2992 | ssh-agent.exe
2672 | TieringEngineService.exe
2240 | AgentService.exe
1444 | vds.exe
3824 | vssvc.exe
1960 | wbengine.exe
720 | WmiApSrv.exe
3248 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.
Drops file in System32 directory 31 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\840bcb1ab3e2edcd.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | alg.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
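The three "Drops file" lists above contain almost no new files: nearly every path is an executable that already exists on a stock Windows image (service binaries under System32, Java, Chrome, Firefox and Adobe tools under Program Files) and that the sample, and then alg.exe (whose own image the sample opened for modification), opened for writing. The script below is an added example; it is not part of this report or of the sandbox's tooling. It parses a constructed subset of the report's lines in their own "description ioc Process" layout, keeps only executable images under directories an unprivileged user cannot write, records which process wrote each, and derives the writer chain (a process that is both a modification target and a writer). The result is the list of on-disk binaries whose hashes and Authenticode signatures must be re-checked on any host that ran this sample. The protected-directory prefixes and the extension set are my assumptions.

```python
"""Rank the 'File opened for modification' records of a sandbox report.

Added example; not part of the report or of the sandbox's tooling. RECORDS
is a constructed subset of this report's IoC lines, kept in the report's
own "<description> <path> <process>" layout. The report says only that each
file was opened for writing, not what was written, so the output is a
verification list, not proof of infection.
"""
import ntpath
from collections import defaultdict

SAMPLE = "2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe"

RECORDS = r"""
File opened for modification C:\Windows\System32\vds.exe 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification C:\Windows\system32\msiexec.exe alg.exe
File opened for modification C:\Windows\System32\alg.exe 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification C:\Windows\system32\fxssvc.exe alg.exe
File opened for modification C:\Windows\System32\msdtc.exe 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\840bcb1ab3e2edcd.bin alg.exe
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe 2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe
"""

DESCRIPTION = "File opened for modification"
# Assumed: directories an unprivileged user cannot write. "c:\program files"
# also covers "c:\program files (x86)".
PROTECTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64",
                      r"c:\windows\microsoft.net", r"c:\program files")
EXECUTABLE_EXT = {".exe", ".dll", ".sys"}   # assumed set of image types worth verifying


def parse_records(text):
    """Split each report line into description, path and process.

    The path may contain spaces ("Program Files (x86)") but the process name
    in this report never does, so the process is the last whitespace token.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(DESCRIPTION):
            continue
        path, process = line[len(DESCRIPTION):].strip().rsplit(" ", 1)
        out.append({"description": DESCRIPTION, "path": path, "process": process})
    return out


def is_protected_binary(path):
    """True for an executable image below one of the protected prefixes."""
    low = path.lower()
    return ntpath.splitext(low)[1] in EXECUTABLE_EXT and low.startswith(PROTECTED_PREFIXES)


def tampered_binaries(records):
    """Map each modified protected binary to the set of processes that opened it for writing."""
    hits = defaultdict(set)
    for r in records:
        if is_protected_binary(r["path"]):
            hits[r["path"]].add(r["process"])
    return dict(hits)


def infection_chain(records):
    """Writers whose own image also appears as a modified protected binary.

    Report order is not chronological, so the check is order-independent:
    here alg.exe and msdtc.exe were both written by the sample and then
    appear as writers themselves.
    """
    modified = defaultdict(set)
    for r in records:
        if is_protected_binary(r["path"]):
            modified[ntpath.basename(r["path"]).lower()].add(r["process"])
    return {r["process"]: sorted(modified[r["process"].lower()])
            for r in records if r["process"].lower() in modified}


def verification_list(records):
    """Sorted paths whose on-disk hash and Authenticode signature should be re-checked."""
    return sorted(tampered_binaries(records), key=str.lower)


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    for path, writers in sorted(tampered_binaries(recs).items(), key=lambda kv: kv[0].lower()):
        print(f"{path}  <-  {', '.join(sorted(writers))}")
    print("writers whose own image was modified:", infection_chain(recs))
```

On the constructed subset the script lists nine protected binaries and reports `alg.exe` and `msdtc.exe` as writers whose own image was modified by the sample; the `.bin`, `.LOG` and `.log` paths are excluded because no executable image is at stake. Each path in the verification list is then settled on a real host with `Get-AuthenticodeSignature` or a hash comparison against a clean image of the same build, since the report records only the open-for-write, not the bytes written.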
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
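The "Checks SCSI registry key(s)" and "Checks processor information in registry" entries above are raw key reads; the report shows neither the values returned nor what, if anything, was compared against them. The parser below is an added example, not from the report or from any vendor tool. It turns a constructed subset of those lines into the facts an evasion routine would actually use: the distinct SCSI devices enumerated (class, vendor, product, instance), the reads that return a comparable value (a device FriendlyName or the CentralProcessor ~MHz value) per process, and whether the vendor/product strings match a watchlist of hypervisor markers. The watchlist is my assumption for illustration; with it, the virtual DVD-ROM in this report still carries "Msft"/"Virtual" while the disk reports the vendor "DADY".

```python
"""Turn registry-read IoCs from a sandbox report into hardware-fingerprint facts.

Added example; not part of the report or of any vendor tooling. The
REGISTRY_RECORDS below are a constructed subset of this report's SCSI and
CentralProcessor entries, in the report's "<operation> <key> <process>"
layout. VM_MARKERS is an assumed watchlist, not something the report states.
"""
import re
from collections import Counter

REGISTRY_RECORDS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName spectrum.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
"""

OPERATIONS = ("Key value queried", "Key opened", "Key created")

# Assumed watchlist: substrings hypervisors commonly expose in device strings.
VM_MARKERS = ("vbox", "vmware", "qemu", "virtual", "msft")

# Device instance path: <class>&Ven_<vendor>&Prod_<product>\<instance>
SCSI_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>Disk|CdRom)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)",
    re.IGNORECASE,
)
# CentralProcessor\<index>[\<value name>]
CPU_RE = re.compile(r"\\CentralProcessor\\(?P<idx>\d+)(?:\\(?P<value>[^\\]+))?$", re.IGNORECASE)


def parse_registry_records(text):
    """Split each line into operation, key and process (the key never has spaces here)."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        op = next((o for o in OPERATIONS if line.startswith(o)), None)
        if op is None:
            continue
        key, process = line[len(op):].strip().rsplit(" ", 1)
        out.append({"op": op, "key": key, "process": process})
    return out


def scsi_devices(records):
    """Distinct (class, vendor, product, instance) tuples that were enumerated."""
    found = set()
    for r in records:
        m = SCSI_RE.search(r["key"])
        if m:
            found.add((m["cls"], m["ven"], m["prod"], m["inst"]))
    return found


def fingerprint_reads(records):
    """Reads that return a value an evasion routine could compare.

    Only 'Key value queried' records carry data; opening a Properties\\{GUID}
    subkey is what ordinary device enumeration does too. Returns
    (process, what was read, vendor/product matched the VM watchlist).
    """
    hits = []
    for r in records:
        if r["op"] != "Key value queried":
            continue
        m = SCSI_RE.search(r["key"])
        if m and r["key"].lower().endswith("\\friendlyname"):
            text = f"{m['ven']} {m['prod']}".lower()
            hits.append((r["process"], f"{m['cls']} FriendlyName",
                         any(v in text for v in VM_MARKERS)))
            continue
        c = CPU_RE.search(r["key"])
        if c and c["value"]:
            # ~MHz is a number, not a vendor string, so it is never watchlist-matched
            hits.append((r["process"], f"CPU{c['idx']} {c['value']}", False))
    return hits


def reads_per_process(records):
    """How many hardware-related registry reads each process issued."""
    return Counter(r["process"] for r in records)


if __name__ == "__main__":
    recs = parse_registry_records(REGISTRY_RECORDS)
    for dev in sorted(scsi_devices(recs)):
        print("device:", dev)
    for hit in fingerprint_reads(recs):
        print("value read:", hit)
    print(reads_per_process(recs))
```

The parser flags only the two FriendlyName reads and the ~MHz read as data that could feed a comparison, and only the virtual DVD-ROM string matches the watchlist. Treat the signature as a lead to correlate with where the reading process came from rather than as proof of evasion: all three readers here (SensorDataService.exe, spectrum.exe, TieringEngineService.exe) are service images that the sample opened for modification in the System32 list above, and the report does not say what was done with the values.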
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b735babb1fafda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3faebbe1fafda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000024f54c51fafda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000608371c71fafda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004171f3c31fafda01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c7f28c61fafda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076eff4c41fafda01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acc1d1be1fafda01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3248 wrote to memory of 5196 3248 SearchIndexer.exe 120
PID 3248 wrote to memory of 5196 3248 SearchIndexer.exe 120
PID 3248 wrote to memory of 5248 3248 SearchIndexer.exe 121
PID 3248 wrote to memory of 5248 3248 SearchIndexer.exe 121
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-26_579055f6a11b236ce9d0249dc13d336e_magniber_revil_zxxz.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4108
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3704
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4988
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4504
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:1628
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
- Executes dropped EXE
PID:1620
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:720
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3580
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1932
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2352
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4272
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1268
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1832
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:636
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3852
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2992
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:872
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1444
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3824
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:720
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248
-
  C:\Windows\system32\SearchProtocolHost.exe (child of PID 3248)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:5196
-
-
  C:\Windows\system32\SearchFilterHost.exe (child of PID 3248)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
- Modifies data under HKEY_USERS
PID:5248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
PID:5384
Network
MITRE ATT&CK Enterprise v15
Downloads