Analysis
-
max time kernel
149s
-
max time network
154s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
01-06-2024 07:20
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
Resource
win7-20240221-en
General
-
Target
2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
-
Size
24.3MB
-
MD5
35937438978a3dcd558ce62f7391cf3c
-
SHA1
85a18dd06dc2e9dc8849c71851d29020d6d02d2c
-
SHA256
c133b2c20c0bc18a9d6d8c1bb9be82b52b776b6e83df1bd29a5519969c11524c
-
SHA512
da9a6a1eb2a78f4008087e093a931c31237feb9089663963b00be5a29c9ab262f3598f643d36698cefc70779848baebf5607ea0d644fb6dd8c5c654bd94da27c
-
SSDEEP
196608:VP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018/Im:VPboGX8a/jWWu3cI2D/cWcls1H
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | Process
4816 | alg.exe
2496 | DiagnosticsHub.StandardCollector.Service.exe
4904 | fxssvc.exe
4572 | elevation_service.exe
3984 | elevation_service.exe
1916 | maintenanceservice.exe
1144 | msdtc.exe
384 | OSE.EXE
516 | PerceptionSimulationService.exe
1876 | perfhost.exe
1276 | locator.exe
4632 | SensorDataService.exe
2816 | snmptrap.exe
5008 | spectrum.exe
4136 | ssh-agent.exe
228 | TieringEngineService.exe
2160 | AgentService.exe
1272 | vds.exe
3336 | vssvc.exe
4508 | wbengine.exe
116 | WmiApSrv.exe
3644 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
-
Drops file in System32 directory 31 IoCs
Processes: 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe, alg.exe, msdtc.exe
description | ioc | Process
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\c700669f1ed82f9f.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
-
Drops file in Program Files directory 64 IoCs
Processes: alg.exe, 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | alg.exe
-
Drops file in Windows directory 3 IoCs
Processes: 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe, msdtc.exe, alg.exe
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
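The flattened IoC rows in this report are hard to act on as printed. The script below is an added example written for this page, not part of the sandbox report or its tooling. It parses rows of the form `<action> <ioc> <process>` (the "File opened for modification", "Key opened", "Key value queried", "Key created" and "Set value" rows used throughout the Signatures section, including the HKEY_USERS list that follows) and derives two things a responder wants: the executables the sample and alg.exe opened for modification, de-duplicated into one hunting list, and the SCSI device identities the replaced service binaries read, flagged where the vendor or product string reveals a hypervisor. The embedded excerpt is a handful of rows copied from this report and run together the way the page extractor did; the hypervisor vendor list and all function names are my own assumptions. Requires Python 3.7 or later (zero-width `re.split`).

```python
import re
from collections import defaultdict

SAMPLE_NAME = "2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe"

# Constructed excerpt: rows copied from the report sections above, run together
# exactly as the page extractor flattened them. The bare "Set value (data)" at
# the end reproduces the truncated final entry of the HKEY_USERS list.
EXCERPT = (
    "description ioc Process "
    "File opened for modification C:\\Windows\\System32\\alg.exe " + SAMPLE_NAME + " "
    "File opened for modification C:\\Windows\\system32\\dllhost.exe alg.exe "
    "File opened for modification C:\\Windows\\system32\\dllhost.exe " + SAMPLE_NAME + " "
    "File opened for modification C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\Eula.exe alg.exe "
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\\4&215468a5&0&010000 SensorDataService.exe "
    "Key value queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\\2&1f4adffe&0&000002\\FriendlyName spectrum.exe "
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\Disk&Ven_DADY&Prod_HARDDISK\\4&215468a5&0&000000 spectrum.exe "
    "Set value (str) \\REGISTRY\\USER\\.DEFAULT\\Software\\Classes\\Local Settings\\MuiCache\\2a\\52C64B7E\\@C:\\Windows\\system32\\zipfldr.dll,-10195 = \"Compressed (zipped) Folder\" SearchProtocolHost.exe "
    "Set value (data)"
)

# Action keywords exactly as the report prints them.
ACTIONS = (
    "File opened for modification",
    "Key value queried",
    "Key created",
    "Key opened",
    "Set value (str)",
    "Set value (data)",
)
# Zero-width split right before each keyword. Assumes (true for this report)
# that no IoC path or registry value itself contains one of the keywords.
_ACTION_RE = re.compile(
    r"(?=(?:" + "|".join(re.escape(a) for a in ACTIONS) + r")(?:\s|$))"
)


def parse_iocs(text):
    """Turn a flattened IoC run into (action, ioc, process) triples.

    The process is the last whitespace-delimited token of an entry: paths and
    registry values may contain spaces, but an image name never does. Entries
    with no usable process token (the page's truncated last row, the column
    header) are dropped rather than guessed at.
    """
    records = []
    for chunk in _ACTION_RE.split(" ".join(text.split())):
        chunk = chunk.strip()
        action = next((a for a in ACTIONS if chunk.startswith(a)), None)
        if action is None:
            continue
        ioc, _, proc = chunk[len(action):].strip().rpartition(" ")
        if not ioc or not proc.lower().endswith(".exe"):
            continue
        records.append((action, ioc, proc))
    return records


def overwritten_executables(records):
    """Executables opened for modification, grouped by the writing process.

    Paths are lower-cased because the report mixes System32/system32 spellings
    of the same file. Non-executables (MSDTC.LOG, DtcInstall.log) are left out;
    they are side effects of services starting, not infection targets.
    """
    by_writer = defaultdict(set)
    for action, ioc, proc in records:
        if action == "File opened for modification" and ioc.lower().endswith(".exe"):
            by_writer[proc].add(ioc.lower())
    return {proc: sorted(paths) for proc, paths in by_writer.items()}


def hunting_list(records):
    """All overwritten executables across writers: the paths to signature-check
    and hash-compare on any other host that ran this sample."""
    return sorted({p for paths in overwritten_executables(records).values() for p in paths})


def shared_targets(records, first, second):
    """Paths written by both `first` and `second`. In the full report alg.exe
    re-touches several System32 binaries the sample had already replaced,
    consistent with the replaced binary carrying the same infector."""
    by_writer = overwritten_executables(records)
    return sorted(set(by_writer.get(first, ())) & set(by_writer.get(second, ())))


_SCSI_RE = re.compile(r"\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^&\\]+)")
# Assumed list of vendor strings that only appear under a hypervisor; the Hyper-V
# "Msft Virtual DVD-ROM" device is caught by the "virtual" product check instead.
VM_VENDORS = {"qemu", "vmware", "vbox", "virtio", "innotek", "parallels"}


def scsi_devices(records):
    """SCSI device identities read under Enum\\SCSI, which processes read them,
    and whether the vendor/product string betrays a virtual machine."""
    found = {}
    for _action, ioc, proc in records:
        m = _SCSI_RE.search(ioc)
        if m:
            found.setdefault((m["cls"], m["ven"], m["prod"]), set()).add(proc)
    return [
        {"class": cls, "vendor": ven, "product": prod, "readers": sorted(procs),
         "vm_marker": ven.lower() in VM_VENDORS or "virtual" in prod.lower()}
        for (cls, ven, prod), procs in sorted(found.items())
    ]


if __name__ == "__main__":
    recs = parse_iocs(EXCERPT)
    for writer, paths in overwritten_executables(recs).items():
        print(writer, "overwrote", len(paths), "executable(s)")
    print("check on other hosts:", hunting_list(recs))
    print("written by both sample and alg.exe:", shared_targets(recs, SAMPLE_NAME, "alg.exe"))
    for dev in scsi_devices(recs):
        flag = "VM marker" if dev["vm_marker"] else "no VM marker"
        print(dev["vendor"], dev["product"], flag, "read by", dev["readers"])
```

Feed `parse_iocs` the whole flattened text of the System32, Program Files and Windows directory sections to get the complete hunting list; on a suspect host, verify each path's Authenticode signature (Get-AuthenticodeSignature in PowerShell, or sfc /verifyonly for the System32 set) and compare hashes against a clean build, since a replaced service binary keeps its name and location. Two caveats on reading the rest of this report: the SCSI and CentralProcessor registry reads and the HKEY_USERS writes come from SensorDataService.exe, spectrum.exe, TieringEngineService.exe, SearchProtocolHost.exe and fxssvc.exe, that is, from the service binaries the sample replaced and the indexer they spawn, so from this report alone those hits cannot be separated from ordinary service start-up behaviour; and a path in the "opened for modification" list only proves a write handle was opened, so confirm the binary actually changed by hash before treating the host as infected.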
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060f99143f4b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8dcfd45f4b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e8a0043f4b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008457f242f4b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004dab8343f4b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035f77545f4b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044ff8046f4b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data)
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099997043f4b3da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c42faf45f4b3da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ed85a46f4b3da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exepid Process 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 
2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
668
668
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exedescription pid Process Token: SeTakeOwnershipPrivilege 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe Token: SeAuditPrivilege 4904 fxssvc.exe Token: SeRestorePrivilege 228 TieringEngineService.exe Token: SeManageVolumePrivilege 228 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 2160 AgentService.exe Token: SeBackupPrivilege 3336 vssvc.exe Token: SeRestorePrivilege 3336 vssvc.exe Token: SeAuditPrivilege 3336 vssvc.exe Token: SeBackupPrivilege 4508 wbengine.exe Token: SeRestorePrivilege 4508 wbengine.exe Token: SeSecurityPrivilege 4508 wbengine.exe Token: 33 3644 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 
SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 3644 SearchIndexer.exe Token: SeDebugPrivilege 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe Token: SeDebugPrivilege 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe Token: SeDebugPrivilege 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe Token: SeDebugPrivilege 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe Token: SeDebugPrivilege 4012 2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe Token: SeDebugPrivilege 4816 alg.exe Token: SeDebugPrivilege 4816 alg.exe Token: SeDebugPrivilege 4816 alg.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid Process procid_target
PID 3644 wrote to memory of 2156 3644 SearchIndexer.exe 112
PID 3644 wrote to memory of 2156 3644 SearchIndexer.exe 112
PID 3644 wrote to memory of 3904 3644 SearchIndexer.exe 113
PID 3644 wrote to memory of 3904 3644 SearchIndexer.exe 113
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_35937438978a3dcd558ce62f7391cf3c_magniber_revil_zxxz.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012
-
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4816
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:2496
-
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4768
-
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4904
-
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:4572
-
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:3984
-
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1916
-
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1144
-
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:384
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:516
-
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1876
-
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1276
-
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4632
-
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2816
-
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5008
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4136
-
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4404
-
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:228
-
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1272
-
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508
-
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:116
-
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:2156
  -
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:3904
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 9b94d1ff98b036bbf8618cba8ceccb57
SHA1 53d51891157e9e9d3146545844c9b25905954edc
SHA256 78c1de23c1f51167075a19a27cd6752b568044d5a4907279579fd608b5df92ac
SHA512 12d1e49af40532ea7bb3ff96f25cd1096b872ee2bed42f5cc7a063a97f28748f3ab62d6a42e77a8b843449d367fdc072bc8013854e54850fe161ff280d69236f
-
Filesize 797KB
MD5 65fb5d10df096a7cc0e56fdb31ee1a0b
SHA1 62af21e728e345b79158b2adae4aedd9b519487e
SHA256 54bad6658fc24dd619d9dc63a1a03c45e66680d1dd27773aa67431e678d2b359
SHA512 42cdaceabd6cc4d56c7e5818f839c661fe8f9e48030871c48a4aeae5850c7ec67ad00d815e00c784f93042104937fff3aa832a249811d11e364b06b4be57a80e
-
Filesize 1.1MB
MD5 802e1020eccddd927c11774d407574bd
SHA1 b6c3d57a7aa7ed31b8e136ff2d6efab819512b1f
SHA256 d7c9253676502f162dccde4fbc8b2ac1fdb6f117cd1c59cff7e0ee305ba2215b
SHA512 64b72ab383ecf7af040c0992ec869ecb259770b473051eb3e4cd8a4cd040ca3e50409c98de974cc2e80a6496f0e41f751aa0634072cd1bdb673ba28bcc879c4f
-
Filesize 1.5MB
MD5 b635c47c6926610b6303da3a2b8bfced
SHA1 df6b45b4dba083cfd6c6aca880b5686e02369707
SHA256 c4f19a85d0988efbd09179f816b48bf4640fff495d355c97c3ce0aab5272168c
SHA512 39cea9ec638451943921f7dbb226fb6ec4680751ca098237ecafc825890ded4ddf17d1b8643dc324f6b45f0890fa1b32d05ab3df34f09480b46806eeb82b05d7
-
Filesize 1.2MB
MD5 77fd4a8ab9dde801939637b0af1046cc
SHA1 bf229d75f4f794e327652544b272fff1196b253d
SHA256 33654f08f42a7bc30207c785c427c7b720e1baef1dec47735084e8f3f7c6750c
SHA512 85f375557443df970ff64ed4ac519769a84dc56c5e07e252bfeead36db61ea58bb02ca30ddf8b9e55e3d88f78cb8c1b7ddf33d65476f12d228ad85e5e435dbf3
-
Filesize 582KB
MD5 36aec6af3d96c150c9323bf2abafbeb3
SHA1 c29b56106204ff74ad9e26462ed4e6bacab813dc
SHA256 d466ba55ed8427fc467dc21b1409b8a3e898957fb0cc94bb8830e12e629abe25
SHA512 00c7201f4d955e609752b3fead70e12fa7f2632bc265b94baa88ca9b9ce996665522fa7685baf79244149aafcfd474cc1ba29ae0513693376de875a7262aef3b
-
Filesize 840KB
MD5 b57de6f752cc85abb223047e87aef1de
SHA1 0dbda354b346018324df5a72d569fdd6c5e95e76
SHA256 fb6ad8bdf71f64505d81e2b0e46bc895b139ea788af9fa7c87dd5187443d1769
SHA512 12b2f58c09c7f4ee6376b1f1e7464eea4e49dd4b41d35fefe8b0f1676efee0b7baa7e131f025943687f2db0a1c2abf3c81a50ee3e67446599e7bdd407966b1e5
-
Filesize 4.6MB
MD5 5aa0cadf65fe825f7b8b981f6e234905
SHA1 472d001a33645eca8be2b44872705f7477f2ab1d
SHA256 0004fc310f287f0865b82e202ee6d86b9cb9feecfa2d83f6b81a06b45522185e
SHA512 cb2dde2b5ac23fda6cccf36f8e13f308ff264b153b7b9c633cd34f88134172bb2ae7f2176f3b559c638877f1a5dd87a64fe226ddddd2ed55731c7bbab1f1c5a3
-
Filesize 910KB
MD5 14a9c9923cb7864b3c21f8ed2d3ff4d2
SHA1 46e99ea5f5831348bc12d1b393ac4e699b749b9e
SHA256 c14ecc2763a4271013345cff07ab90ff802f2a3df4f0f811063c40100c991638
SHA512 cf46c5982c7ad336d4525ff40f05bf0fb0e2f5acdf5be60c3b97d5c49503569300325f8e885b32c0cd4e86279f5129366ff2546a9243979a3f68c45e84e4394e
-
Filesize 24.0MB
MD5 c5be010e1efbbc64bd7bcded8a4af359
SHA1 e5532712e937fda599efe481e381a255bd45d5f1
SHA256 56be1b490d6245bbbc8642c61983c189beb2de1a71466aff3b8003b8a7d8e97d
SHA512 1758847621a9503bfed57e5b1e2d26bee7bad1c40b156ecf8913a99bb692b7b2cfb183a869302bb761d8e40f6abb211df2501429eeab32ec77114128b510493f
-
Filesize 2.7MB
MD5 c975a5c4ac36e31a4088d520a01c96e5
SHA1 966e4b75495438a52e5918ce2a0b07c239acd16a
SHA256 8653e10855ec6c5e67955ec98f62fc9640a5bc52343712828b9b12a5f9cbf022
SHA512 f62de6e955f7caf983cd6b975f1a4835b72d86857f5e65e081cf0100cc47543913e412ce3f9e742b4dc1d5aa878674fddf05ef305c44c619770a81728d01f8a9
-
Filesize 1.1MB
MD5 6eea7e8ec635c89ddb873980ec1d735b
SHA1 854a10e3d43d17fe1e8c5154b710105ccdc9edb6
SHA256 a680b6fa332946527fac33f7a8789cfa04bed64425c13509c3d5089a25a6272c
SHA512 2e40a233af2738dd49eccdb495182e0f8d17a6da5461fa2b219fa5e4977d9154ed5ec27fc211cfc4686a0d2330bb6bb3f36f95acfa8a03ca00fc33076aa42fe2
-
Filesize 805KB
MD5 c35a1245e318f32e520501d597d33ece
SHA1 17f30ba2003a54b7ae5186df0a3f2e4e84df88d5
SHA256 23ea0e48689a1cc3e8012eb55da3396313f067d5f3a7f85d3cbbdcb34d1c4fcf
SHA512 3cd84c959ca925cb113272626170ad9988d53b919957d4fc9b1f671b48f767595e0403af2eca6c82d96350b86766a2c7fd706494efed19c12e1f49e243e01d17
-
Filesize 656KB
MD5 1eaebb939a6757f69e88ee8e82b9ef79
SHA1 b9060d93618e68045debed0cff9a3814300ff7b0
SHA256 a83b874aad04c82faf15642b8903aceff9f6e2835fa6bb04ca9849a0efc12dd2
SHA512 145d5161f6c7e03c08fe9e717ec73c090b2c9cacca40a4b67654a0e4c5e09d0a9807d7fc4f9af742b66f490269424dd523b3c31e6ba6ef0b9dc1b9959c344838
-
Filesize 5.4MB
MD5 1d10b31d0a68cdcf28c28dfec352f40a
SHA1 146841e5431c69b8a31355a994c6fd2580afe090
SHA256 08a9ae7b43210b93c30081d0b870da9ecd2e081c6c9898b70c011132f880845a
SHA512 cb61d886b73ea699669089382e09d4081005a9a1d5a6c94c9f897c481f1c7b8a9cb7daf944de6b8194f5284ce8b3e49a08d0181102151590c9e6be7bc7611a12
-
Filesize 5.4MB
MD5 776550aef0d7896afd83757b0be36436
SHA1 2ba63894fe057abdac90b1dbcbec23e324477292
SHA256 b2acd56c65a46c1ff73843879a58dd9c40796abef688af7ed02a815ac5daa8ca
SHA512 1631af87cee7553ba4ddb7d4c5341a3d9a992eb70c3407a09880515b115ec7d7f68fb11f016f0c29329b415c5b41db77a2b7a40ed721d141c800c35e83e6955c
-
Filesize 2.0MB
MD5 b744edf0678c649e0f6f28fbc87020da
SHA1 5f2f4cca159e2de79e293f350c6a45d617a113c4
SHA256 b37851f180df0876c36f7358a323118db5b700a2f62be1b6dcf7db1eb415ef9a
SHA512 4b2b100278ff5a8e8cda5f51acc12363844e543a008afb3eb0813a78bf597c40bfe0e4f331c9bb12cdfdcdebc7c376dc82b81dd05ce2650d70462199b6328c35
-
Filesize 2.2MB
MD5 fd4b8b7a120941b0861799e549c744d9
SHA1 5cf915f635534690116ce981c3d2580210b19ef8
SHA256 fc2068b942a4bd2f3af593d1ed6a10b104df6e7666eecce5df4429a14ba6c1b2
SHA512 25c774ee188b5275f712cab61afad1e0b51c120c0904fe5f905314226bf52eab62c87a66177198c262305f0eaf0dc3a2cb6afafede926865445846551d01fadd
-
Filesize 1.8MB
MD5 625a1511ce29330b15b98e1a162a35d1
SHA1 49dce7871ce871edcef10a82a7aa411090f052d8
SHA256 5198e2d1a246b0117bc18a9db817bb99561e3c48fc13d78521ad60a6f460d48f
SHA512 1119e239ea52dfea031f020591d3d2fb74830c5725a8feb6f8d235502f348fa2d3b07969c6a2d25cc5518cfb49356c99f558103b7dc414fe36d7557a7f568b7c
-
Filesize 1.7MB
MD5 fc2dff1faf64612fb804629351d11810
SHA1 b7249c916d80e0cf100581993e21e1b161e15d80
SHA256 d09c585410e2190b7bdca87e1bc2b907f9570d907ea494b7db108fd9a25a01fd
SHA512 6da02d34efe67435a6040268fa3f01c8960a17cd60d3d2e084eab56425d530294d5d519e205f26d521b6f8cfe7e74663ee7e9c782983e4d1d85609a3d9bc5e53
-
Filesize 581KB
MD5 bac6a5bd47e4232331e86df5eb42cddb
SHA1 575b11be8ef13a5bac7c2651fa2d021f22655bbd
SHA256 35623567b9ac3eb9b3e696c438353a08e513e4fe47d095b46692a2d26c96d10a
SHA512 e0327455f93009db0d7125c8d62161d2444654019430ce480356c7e97697878d5ebeb6a1c6b6174165088cfd9556f9b20ddbc052af46b84f800a14608f81ec11
-
Filesize 581KB
MD5 3abfa309ecaef23cf40315965262f687
SHA1 1d5ff6e7986bad95ee02faa9a1c0ade9ee107dd8
SHA256 1c8cbbfbd52594f81b56b2b9f21646731763ada680e925e3107d3beed35c3707
SHA512 98c18d193d52375324b7e7a7993f42fbcb03456fe8620f2adc7a53a5bfb552026a6e61651f7f22d2e509da184c402b4e1bcefc680062f2d0c808cd938bbe74aa
-
Filesize 581KB
MD5 bf39a14720235e3db04d41d00ac4391a
SHA1 9d52ed96013aa53015577bd9d544ed5f0f6f59ec
SHA256 4feb2651eaa33fc017231d2379927002b9550f03268e33a561457297bf1b30df
SHA512 525cee4770123aa0ea03fd48b0ae289514082a324ddf26a8d5ac021a97f59c1009a4278f09e7e22dd16405606b307a502ac12fde9056a6405700a94abfd63d51
-
Filesize 601KB
MD5 9146b7168c3e4469961fdd7b22265ead
SHA1 b1259f94845b3594a00c9192be2bbe1d8df6ca5b
SHA256 e6c86afedbfe964ad0a3e11a0d5985e1bf52fda7563014fb77e2def9f700827e
SHA512 3d5d55af0316cd162097ee292c371e653a0c3b0c6f4102ffa5e7618be98d6b582dcdd74201e8ac53087be38d4bd37a0c991f5888d7704219a147fc6407d8dc7b
-
Filesize 581KB
MD5 a20dd441e32a25a9f95344e4b59625a8
SHA1 2c0717a68635af67b6a3d0525897fa10aef89cde
SHA256 28b45b0c588b20a11b8020219c54e3ff3845827b398cb0799c10d0878521f40b
SHA512 25453a6902094a4293030f50f3bfe6b50342018fe364dcb20fa9add5efb979309de5925a15a0b846ae5c9a3e63a4f800b479948bef5fb0f014e270389c023d69
-
Filesize 581KB
MD5 fbbd0555e6455d0f4c58d438975b7741
SHA1 f6d162314ed28741f9f28f800c78efbefb2ba605
SHA256 7d286414f9a67c0631c24ee340635505e272aa3fa50b8fe614ab45e4f4d68117
SHA512 c5bf653ad5fbe0675a387180c60e249654be783b26ff7c0741bc198e4374844139bd1a30fe480776d85ca84bc4b8392c564db88a80140a98cae2cec2bb991455
-
Filesize 581KB
MD5 f8de64340bfbfbcdfb966ed82858ba84
SHA1 0515aa22d41895febc043aba9d4b82dbe160fcf3
SHA256 7f2bfe022a6691ac4407a288022d35ffff48ae10d0e2bbd43577a01dff5a5c68
SHA512 b7b329a760e8d903f95b63bbfc4a5443613ea2642778f13615fa2e91e43377d32b5e6a304972ea54036aad633102b7132bf0e010d093651df4cce0af9e220eb7
-
Filesize 841KB
MD5 7790a91fd7190eff3b2126cf4f185e07
SHA1 10698b1cd4f89c22fd56d2f5ed5479eac8dcb9e7
SHA256 633cd241f0544806ef4eb4b88bd0ed5ad1c1638c9b2edfeffcc25cec8ded4b75
SHA512 a59439e2c6b4ed56383d0405cd230b41b538eef64b458dc243c4aad56d9fcd4e1943e0b6bd7bb1d053fbed2ab2ecccda9f02ff2749a1aff3d9f58f8daad0728d
-
Filesize 581KB
MD5 755e2e9dfb758e6529eef1e514908375
SHA1 5e71b36a9d513accb3569b6c1a7d3b776dce58d5
SHA256 0c827fe71946dec90e6c8440fdd355f05015ac8dde1a20c70b2e75fa403481c6
SHA512 20fba1596b5db65f75cd5a1b9f4930cd81ddc6b45308c7c622c27aebc59379b97c838bfc35ea5370d9089e91af762d6689c61f262daf0c3adb35b0ad3d8c7bfe
-
Filesize 581KB
MD5 b9e277cb2655088034ed3d2ccd849a9a
SHA1 a2e11f1222062955210da4fd8f4f502f7d66ccb9
SHA256 d54f14861be50400bb33075316983638ad9116ccbd6408c3f4dc50533edbb764
SHA512 e957fb8ee6c82afb556b960b19a3ceaeffcc1904c3ce1308ead34c5d32d095f646adb0fc6b996025652129547333f32e11ea61191ee1ce722b4cb539c2b20c6d
-
Filesize 717KB
MD5 8ddacf15d0d8e22cf9ab71d8a43cbec2
SHA1 7aaf80111b17e6e955323c84fc43651edd313f57
SHA256 c09de54b662d09a3faf1ea95af4ea30a4a8b4e02a2149755ef45488def871000
SHA512 af09eede32f5659bf109bfed7fc14b6cc694c3c31a8aeca68085e94ef94fcb0addaeb6dad2d1fbf430c8be809e4132654eccca8af5226030e56973b13080c8ce
-
Filesize 581KB
MD5 93ad1492c4839200409b9466d1e2c04d
SHA1 87bb1904779b9d9d0f7236cc5f49137c073fa5ae
SHA256 9fcd4c773fc2e2643613492504ee0f7738e5990354b40d815ddc65c2226999ba
SHA512 1307677e06ee225a3fb294fd1c5cd664dce7f62c45700657e875b1771d2b2e7615ec5699b646554b4a9c879d0372c56375c361862c12d605e883b5c3f23e3850
-
Filesize 581KB
MD5 9bda2d55cf0c2e0699e803c17060f4ef
SHA1 c6cb0e3e7961188c8eeda530cb9920bddf454b02
SHA256 9242603a6895ff214094f8b7581f89bb79b1ea4d434709a403fd6e758b44594f
SHA512 26c317fec40dc79a6fc73f4ef597db01765cae9df17e15bb307a705fa236e390a24628ec0ea3e826ee2f2d3c39f542ec633d67e21c2177a369a03ae85cbd23e6
-
Filesize 717KB
MD5 e3340a2f158bc1cebb6a8054bc0871af
SHA1 4295c85d062094dae01692fd606142dc4bf2b4b4
SHA256 c8a371dbd365af7c656f07de3eb63bf48128179bac8c1f551d20b3117eb63277
SHA512 d81651bdd20e85037f531bced8e0b7be060c164a41492e1013bec62676b2e8f6f700c5db08ad6d360f9d82732e69d7a9a411d8620e8828fda92b0dfab570f999
-
Filesize 841KB
MD5 0f57ad79d7533202f888f0e19511bf91
SHA1 6d7a06157d3f96934481597d0e46b946a0784cbf
SHA256 9829ba5a06c4330f170154b6623aef10f6ca530e3855e8390d90147991b5e3e0
SHA512 9e361434ec5b2ad9b8e4bf89838ed5c79754e1fdb424578cb4e8343d6cdcba0664dbba0fe4214cd97c8e64d86f55b26622294d52c606260816f67b5864ac7752
-
Filesize 1.5MB
MD5 bd796fd6ed7be60f65d3e8985b7e0eda
SHA1 58083274e4b36a21fe4259cbc633911df218c8c3
SHA256 1c90f1d83c2f2cfb9543707524269dc9ca74abab84dae7915eccea41b9f81652
SHA512 2c88e1d3a5b99bcd8f90d2e247365aa584d139a425646c9d79f052e1961b6396e1838d2ec33c9c596000acd159e5a2c7669667aeb4496172b1c5a4a69382b2b2
-
Filesize 701KB
MD5 b5227cc46251b8c995786f593bb5498f
SHA1 36e0b83fb99f1e85aa99b4b5341d22652e7258e8
SHA256 8bbe15252522bf1ad2f1ca72c86ce13a7e670d62b6652a150ba5d7ce8f8e9366
SHA512 ff728c1208cf4c93a724ea2791ea1e7002439d653317eaa19bb3aed26f3b914559e6b3a55dd664e705beb092103e0639bf85b46409824690ced8c07a33935708
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize 588KB
MD5 865bb0d3279d28755b018018b71e83b2
SHA1 382e06be6acf3da02697514af50343c8426a1ec5
SHA256 9f0a04f424285ba6776d0a296c678ca3051a8e4dcaa7ec22bfda31fc441a7297
SHA512 c74520fe701f396c37304571049f8ba8aef3af8f4ba44bbd24b6ce4d7293702c0dfa587566b398ef9ad0c14fdb52a44c0d2f30d88322305820646afc2a237b2d
-
Filesize 1.7MB
MD5 66693af3f925174c6ef17b4268ad7ace
SHA1 636946d872c4466c9ba252e114a0082e51aa9d35
SHA256 190a8c76fcf5c6ffaad1481bbfbfaa54f02c79cf4417e15e7602200be3967a2c
SHA512 5b71ca9b875f9fdeb15292f972bcb0be5e774a46a1e47c7c7cfe6b1b2852037703c4e28c75dfa2da649bccab8dc6c79a5ec833856d75f7eb355106ec2cf2f367
-
Filesize 659KB
MD5 7465e32ce3841746bfc4bcd3d8c7e57f
SHA1 e25f88128bdcf4f534143c0d491a11887d1c4f39
SHA256 2bc21927b1fdd8d57a5999f56dfb403edb564566d30b6ec91a56bf4ce680fd2a
SHA512 5cb7f0101466fd45cd1db390b6f9d60b166b841ac19e0a96fd1bcc966415afe897491c8395ef6fd28bcd9c9a5cb412955295413bc2f6de5cb1d55704dc53362a
-
Filesize 1.2MB
MD5 65eddfd9863acf35a8ae5d3bb22b3283
SHA1 0eb9e50dec65a9c70285584f582e3af7e53b6b7f
SHA256 b5774c5b7bba0c187f9de969978113e5cb38fe2ef03224fd927b8d47cf1abb34
SHA512 adb7c9e20d48c555b399cab1b7939a6ed42a1b6ba934584fce4f2b503c7a9f4700f3ca4e50fed0923a77557f4db18fef39dcf542ecda5e3ea1594b9379b20658
-
Filesize 578KB
MD5 08718a4a2c2d80151eda4d350f68cb5b
SHA1 9367203a17352e9e44862802254296239fffa842
SHA256 1ac643ac2647bccb581e8e25278f56bd92335dfb0f2d9e3db78569570cf9f56a
SHA512 116d31bb0430c3274139904c26bd42441dd28cf04c4298c5c1fa5fdabbbea9d87f7048cd74cdc227cb6fd51fbaaf673b66ac1de6a9ac022559756363145c00de
-
Filesize 940KB
MD5 5eec6ae04c7a9e6f547a354b3ff40270
SHA1 1dd0d0612190d4f6d728cda2e65063ea917a3fc1
SHA256 94ecfb05a19691b1c83be7e0f83872e61fc4ccb33fec2cf13dbdb817a764fafb
SHA512 3018b0a02646dd02cd52331a7b7ffbadde0ebca1a671198f6e0d798612928d71364f076c67c5e91d9159b5888d649d901a0471f3451a86c07484423378bc9565
-
Filesize 671KB
MD5 7d39354a2c69e403ccc5b7dcb9240d9e
SHA1 c72118643ee1a2070f30d8fd831b54836d40752f
SHA256 f86a6638569caffbc390e95fb93370f8f664e709827e78388464f5a97a6145b5
SHA512 9f54622025831b6e3588c234b7bd653e8443f14461557f809491c3bb44382bfbc0e586d589f42bdd09962258cdc3f3e351980e5cb0f85f0434e0501049b006bf
-
Filesize 1.4MB
MD5 9455c3c1e5a34321d751afbba4eeb11b
SHA1 deceeea6b485b69edc9b7878c7d3064e5a478129
SHA256 5e8bd8beaaf5b8a6e05cac4254a34b841710d28fb5f643e0a25b94be29c48558
SHA512 c2616f6be23a5f20206f3325cf2f44bd25362e9bf29d1c00de112ef08742d8fa30452cbeb9e79ce44f58a67a088eb2f3f9e214f47aa04c686577f0481eb3c552
-
Filesize 1.8MB
MD5 0cec0cbf64476126a8a425f675a7f3c6
SHA1 75b110d394385b5bcff623ffbf4f076e5ff75206
SHA256 62c2a559383d176efdc8bad5b04e2db52813c80815b23444bab0042a45ccded7
SHA512 76d2bb779410b6a4adaed18bd5326fbe2442572088e3cf3a0022edccf6f8c173d7c467fd90029927c2f341459f8bcf818557bf5df8ef821aa175b8caea66726e
-
Filesize 1.4MB
MD5 650c023dfd5df34a43254923f55f3883
SHA1 5ad0c5109055206194f0e880d19469f70fdc65a2
SHA256 9f5b2fbafdbc1e88a853908f8bcc52387952a10301737b7fd31f45eed3b2de65
SHA512 96c530b85722ad89ee542e105ed22411e562d9276c1c39e7b395561443df6b37e940f3af67008aaacb1d22017d7add600fec94f46badf26f2f138136e3c6d01f
-
Filesize 885KB
MD5 778e086e5ec4164c08741c8ce0447505
SHA1 9443b6db65ab754c6b185cae24b2d8c6933097bf
SHA256 d7fb2debc93f2b9b44046f91f54232e43dbc92274de73879ce0f25d0438cee6d
SHA512 7c81d3645d603ad9a8330b5bc9399a593bb8b828f8e92328bb0fc3ea40c8b6c09affb62edba2943157c30726d90b22d112ca0c33a613c40d365f290f7df938ea
-
Filesize 2.0MB
MD5 3b235f29fccd6816b5e3dc097d9b868d
SHA1 20ff46b79b4d3976f91e91888d40a739691c1057
SHA256 ed8281e1ac15c90a8bb697ea5b442d0f6070bd307688b394c5381821f56e2c71
SHA512 4eab473f36b0c9152b40e47784b5463d60954cee0405232ce9c15e95ba5608d206b2f27814dbb71317a6daeb517f8e5725a0c5c3ca39563822cd6d3be39f5c8b
-
Filesize 661KB
MD5 98849df01fe27ed9450c777b9c6f331a
SHA1 b34b06ca94a5c71c48d8776e14b56afe53f42b8a
SHA256 b111d06c70beeb50ec7494d3d33de3834d486edadbc92c75455c51e40fe2a74f
SHA512 a2a34c04f17dc3e20307de2223e0ebcb7d5abd358134a5794f1a2e8e25dfe52f6fda06984863256892ce1b8c841265825cf10a38a792c0e4df9999393281252f
-
Filesize 712KB
MD5 f95814e8e1540375f40fa933a3aed0f7
SHA1 65abb1051790dc3465a19be9296005c080ea4f0b
SHA256 c834557e0a3c57d1061bbcc5973c2e0f0048fbb4b14eccce2377972361900f4f
SHA512 78e81aad3f27492830c800f3841435b8d8b92b234fa3d2b1bb36c14d9a895010987927905b01beefc7891337f003c09a0e811967f3e5d33a5f036ae22125e387
-
Filesize 584KB
MD5 52cc01215dec1628628424911154305b
SHA1 b5acb84422c759904318458cb8053f2d826e4ff4
SHA256 e23a602ad996087c5011a5aa44afc7c0f17a1f5c711f3db6016f0dc1985f5ede
SHA512 dabd696219abe0a49c4b704f0836988ca0b274d6a16a8f25660bc13124c402a9aab71e8e23dca2e64587af22f4f84a6ec732da6722c77e512995cade83fa4671
-
Filesize 1.3MB
MD5 06463d138f34b4db1fd3170049ab5d20
SHA1 9a0724acf0e08ff41ae6ca330257cf5983f923aa
SHA256 b5aacb4d19c83ffbea7770a3e70da16e3d2e7f99790facc5ffa295e024c5f7c3
SHA512 e77e341df247e5450aff38c2f49aa2c4980cca9d766c986a77f6e3af584feb96331a0fc00b4f2baf4141114c5a9543d0b9a069372109a62eb728f8b7d15a1622
-
Filesize 772KB
MD5 fccc29356cc7ec903eadf5d981eee0de
SHA1 71f8db8dc2d218584393f41ffc3c45422d684e47
SHA256 6d35b51283d40fd621167670368fd590b1f9bffad00a0ead2325bb59bfb0093f
SHA512 a2039ce2b374e436f45c75435e95882fe60689407a2fcffa61fbc967a0a8f2e3a9e422dc230a3da76f1588de6dd0320bd4feededfb239423d7aa66d421bfabab
-
Filesize 2.1MB
MD5 7fdf201eee33853863393e22e55f9513
SHA1 c4bc0c9db409eb14099669b1ffbaa9429a95583d
SHA256 cf06170ca3682f6ae0ec69ff55d35f61bd71fa1469ec37a0e54c3aef0459b7a8
SHA512 d80d0e881ca8eb4606ef1a6140b83721d4223049b1b4e6118be5e866da3f224cd64cf7f4acc5eaebf4009cf4708c2869d59e614be4e45f542133e7f4f31110dd
-
Filesize 1.3MB
MD5 79caca25b8b3e2762d7228ae0abbd346
SHA1 1e15b1982bbea056fd7759811cbd992c3467b567
SHA256 244e7538dba4cdeb9221850df20fcd91e5571664cb16244d47f31dcbd41bb957
SHA512 89820b4f0de4b84fba20c3b7bd130985e5f8a7d166b9129d0283fd8edd9e1e7c3301ecafd5b0761d68074deae0890f4e34d08264379497d55f097def3fbc16ed
-
Filesize 877KB
MD5 e8a4a28a7f1d04fb4c8bc4f8fbf70a34
SHA1 c2045665574e42d45f26cb84c0b569fae9a2bf0d
SHA256 8a07a77328b8224311c92af2b3a5c9fd91d65a135e85cc75a0a5905724734c7d
SHA512 39586eb1cddacc43de1fd7f3fb951cc2d5b344fef7b64740c718ddaa92551e39cd33a112ebd31783f3ca76c3dfa6dd4143204e35db20cc55fd01188e602112c0
-
Filesize 635KB
MD5 7fdd35543d3b2500364b73f543802de9
SHA1 0dbffaf8136cc380c62a59df558d70fb56e61cda
SHA256 013e1f0a2bf5d7f62bd3b4a242774ac1b472c59c0a33e5a8f310f05bc1d575b4
SHA512 996bc38cbdb2fb8169e13454f0e4c9711cfbaaaa380b6043f66cf98d08f996a8e0c209fd0b8625915893f3e314095fe83302a02480d9a9c0ae2f232a9077c814