Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/05/2024, 14:06

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
Resource: win7-20240221-en

General
- Target: 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
- Size: 24.3MB
- MD5: 4f80ec4b9f735bef31d8f23cbf1992dd
- SHA1: 1b6159737a03590e2efc2869ff8b6a704e6ba6fa
- SHA256: 3f275b01f6c14d8383312820c4c6d6f37e05943436d446c69d0a8aa3f36a8ade
- SHA512: 6537894ee1723b6eca7469cd528446adcc82de9a0045ed114da12696950dd093d45441e9efc40494ef433f22928e027f39b4b12f81c57ddf050b7c94fe5c6d02
- SSDEEP: 196608:8P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018v:8PboGX8a/jWWu3cI2D/cWcls1e
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
  pid   Process
  3048  alg.exe
  3080  DiagnosticsHub.StandardCollector.Service.exe
  1004  fxssvc.exe
  3680  elevation_service.exe
  5004  elevation_service.exe
  3896  maintenanceservice.exe
  392   msdtc.exe
  4820  OSE.EXE
  4576  PerceptionSimulationService.exe
  3492  perfhost.exe
  3208  locator.exe
  988   SensorDataService.exe
  3940  snmptrap.exe
  2332  spectrum.exe
  3180  ssh-agent.exe
  2244  TieringEngineService.exe
  832   AgentService.exe
  2232  vds.exe
  3908  vssvc.exe
  4796  wbengine.exe
  1376  WmiApSrv.exe
  3084  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
  description                   ioc                                                                       Process
  File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
  File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
  File opened for modification  C:\Windows\DtcInstall.log                                                 msdtc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                    Process
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found
652 Process not Found
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
Token: SeAuditPrivilege 1004 fxssvc.exe
Token: SeRestorePrivilege 2244 TieringEngineService.exe
Token: SeManageVolumePrivilege 2244 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 832 AgentService.exe
Token: SeBackupPrivilege 3908 vssvc.exe
Token: SeRestorePrivilege 3908 vssvc.exe
Token: SeAuditPrivilege 3908 vssvc.exe
Token: SeBackupPrivilege 4796 wbengine.exe
Token: SeRestorePrivilege 4796 wbengine.exe
Token: SeSecurityPrivilege 4796 wbengine.exe
Token: 33 3084 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3084 SearchIndexer.exe
Token: SeDebugPrivilege 232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 232 2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 3048 alg.exe
Token: SeDebugPrivilege 3048 alg.exe
Token: SeDebugPrivilege 3048 alg.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3084 wrote to memory of 832 3084 SearchIndexer.exe 117
PID 3084 wrote to memory of 832 3084 SearchIndexer.exe 117
PID 3084 wrote to memory of 4648 3084 SearchIndexer.exe 118
PID 3084 wrote to memory of 4648 3084 SearchIndexer.exe 118
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-30_4f80ec4b9f735bef31d8f23cbf1992dd_magniber_revil_zxxz.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3080
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:1200
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:3680
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:5004
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3896
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:392
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4820
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4576
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:3492
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3208
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:988
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3940
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2332
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3180
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4552
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:832
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2232
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3908
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4796
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1376
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084
  Child process: C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:832
  -
  Child process: C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:4648
-
Network
MITRE ATT&CK Enterprise v15
Downloads