Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 06:52

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe
Resource: win7-20240220-en

General
Target: 2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: bbd3f281d60dadc7b7c180fe89405dbf
SHA1: 11b964eba374a95d6d22b1716eb650418955b4d0
SHA256: ec4a6e857a69563fc50d13bb1435f7c56e763b5f2eb9b8316769a485677cdb17
SHA512: fc4f6396b03213f5166e21bd89d1256068496934e10af714308aeba7c6ca6c6c9a0a6bc445d1f6bedfde68c9d39da1ae3d11a06d36fdfec3b7add69eeb90cb13
SSDEEP: 196608:0P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018LS:0PboGX8a/jWWu3cI2D/cWcls12S
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes (pid, process):
3560  alg.exe
3496  DiagnosticsHub.StandardCollector.Service.exe
1388  fxssvc.exe
3280  elevation_service.exe
1444  elevation_service.exe
4284  maintenanceservice.exe
1412  msdtc.exe
1172  OSE.EXE
4628  PerceptionSimulationService.exe
2736  perfhost.exe
4824  locator.exe
2228  SensorDataService.exe
2800  snmptrap.exe
2776  spectrum.exe
3980  ssh-agent.exe
3740  TieringEngineService.exe
536   AgentService.exe
1856  vds.exe
4172  vssvc.exe
2092  wbengine.exe
3580  WmiApSrv.exe
2988  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
Processes: 2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe, alg.exe, msdtc.exe
Drops file in Program Files directory 64 IoCs
Processes: 2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe, alg.exe
Drops file in Windows directory 3 IoCs
Processes: 2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe, msdtc.exe, alg.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: fxssvc.exe, SearchProtocolHost.exe, SearchFilterHost.exe
SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005de1eb48f0b3da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003699074af0b3da01 SearchProtocolHost.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
pid 748 2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe (all 35 entries are this one process, the submitted sample)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid 664 (two entries; the report does not record an image name for this PID)
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
Token: SeTakeOwnershipPrivilege 748 2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe
Token: SeAuditPrivilege 1388 fxssvc.exe
Token: SeRestorePrivilege 3740 TieringEngineService.exe
Token: SeManageVolumePrivilege 3740 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 536 AgentService.exe
Token: SeBackupPrivilege 4172 vssvc.exe
Token: SeRestorePrivilege 4172 vssvc.exe
Token: SeAuditPrivilege 4172 vssvc.exe
Token: SeBackupPrivilege 2092 wbengine.exe
Token: SeRestorePrivilege 2092 wbengine.exe
Token: SeSecurityPrivilege 2092 wbengine.exe
Token: 33 2988 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe (this row is repeated once per call; with the repeats the list adds up to the 45 IoCs counted above)
Token: SeDebugPrivilege 748 2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe (5 entries)
Token: SeDebugPrivilege 3560 alg.exe (3 entries)
The bare "33" is a privilege LUID the sandbox did not resolve to a name; winnt.h defines LUID 33 as SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). The backup, restore, manage-volume and security privileges enabled by vssvc.exe, wbengine.exe, TieringEngineService.exe and SearchIndexer.exe are what those services normally enable when they start. The rows that matter are the sample's own: SeTakeOwnershipPrivilege (take ownership of any file regardless of its ACL, including TrustedInstaller-owned binaries under System32) together with SeDebugPrivilege (open any process). alg.exe enabling SeDebugPrivilege is also out of character for the Application Layer Gateway service, and fits the rest of the report, where alg.exe carries the same "Executes dropped EXE" and "Drops file in System32 / Program Files / Windows directory" signatures as the sample.
-
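The token list above is easier to reason about once it is folded to one row per (privilege, PID, image) with a count and the processes holding a risky combination are pulled out. The Python below is an example added by the editor, not part of the sandbox report or of any tool it names; SAMPLE_TOKEN_ROWS is a constructed subset of the rows on this page, and mapping the bare LUID 33 to SeIncreaseWorkingSetPrivilege assumes the sandbox printed the privilege's LUID (the SE_*_PRIVILEGE values from winnt.h).

```python
"""Fold and triage the "Suspicious use of AdjustPrivilegeToken" rows of a
sandbox report.  Example code added by the editor; it is not part of the
report or of the sandbox that produced it."""
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the rows shown on this page, flattened onto
# one line the way the page renders them.
SAMPLE_TOKEN_ROWS = (
    "Token: SeTakeOwnershipPrivilege 748 2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe "
    "Token: SeAuditPrivilege 1388 fxssvc.exe "
    "Token: SeBackupPrivilege 4172 vssvc.exe Token: SeRestorePrivilege 4172 vssvc.exe "
    "Token: 33 2988 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2988 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 2988 SearchIndexer.exe "
    "Token: SeDebugPrivilege 748 2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe "
    "Token: SeDebugPrivilege 3560 alg.exe"
)

# Assumption: a bare number in the privilege column is the privilege LUID the
# sandbox could not resolve to a name.  Values are the SE_*_PRIVILEGE
# constants from winnt.h.
LUID_NAMES = {
    9: "SeTakeOwnershipPrivilege", 17: "SeBackupPrivilege", 18: "SeRestorePrivilege",
    20: "SeDebugPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
}

ROW = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_token_rows(text):
    """(privilege, pid, image) per row, with numeric LUIDs mapped to names."""
    rows = []
    for priv, pid, image in ROW.findall(text):
        if priv.isdigit():
            priv = LUID_NAMES.get(int(priv), "LUID:" + priv)
        rows.append((priv, int(pid), image))
    return rows


def fold_rows(rows):
    """Collapse identical rows into a count; the report repeats one row per call."""
    return Counter(rows)


def privileges_by_pid(rows):
    by_pid = defaultdict(set)
    for priv, pid, _ in rows:
        by_pid[pid].add(priv)
    return dict(by_pid)


# SeTakeOwnershipPrivilege lets a process seize ownership of files its token
# has no access to (TrustedInstaller-owned System32 binaries included) and then
# grant itself write access; SeDebugPrivilege lets it open any process.
# Backup tools legitimately hold SeBackup/SeRestore, but a freshly launched
# user binary enabling both of these is worth a look.
SUSPECT_COMBO = {"SeTakeOwnershipPrivilege", "SeDebugPrivilege"}


def suspect_processes(rows):
    """{pid: image} for processes that enabled every privilege in SUSPECT_COMBO."""
    images = {pid: image for _, pid, image in rows}
    return {pid: images[pid] for pid, privs in privileges_by_pid(rows).items()
            if SUSPECT_COMBO <= privs}


if __name__ == "__main__":
    rows = parse_token_rows(SAMPLE_TOKEN_ROWS)
    for (priv, pid, image), n in fold_rows(rows).items():
        print(f"{pid:>5} {image:<70} {priv} x{n}")
    print("suspect:", suspect_processes(rows))
```

Run against the full list above, suspect_processes() returns only PID 748; SearchIndexer.exe holds SeTakeOwnershipPrivilege without SeDebugPrivilege and alg.exe the reverse, so neither trips the combined check, which keeps the output to the one process a responder should start from.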
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description | pid | Process | procid_target
PID 2988 wrote to memory of 4932 | 2988 | SearchIndexer.exe | 110
PID 2988 wrote to memory of 4932 | 2988 | SearchIndexer.exe | 110
PID 2988 wrote to memory of 1392 | 2988 | SearchIndexer.exe | 111
PID 2988 wrote to memory of 1392 | 2988 | SearchIndexer.exe | 111
PIDs 4932 and 1392 are SearchProtocolHost.exe and SearchFilterHost.exe, the indexer's own child processes in the tree below, so these writes are consistent with the indexer setting up its helper processes rather than injecting into an unrelated one.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups and snapshots. The report does not say which process triggered this signature, and the sample's own signature list in the tree below does not include it, while vssvc.exe (PID 4172) and wbengine.exe (PID 2092) were started during the run with the SeBackupPrivilege and SeRestorePrivilege those services normally enable. Ransomware commonly uses this API to delete shadow copies before encrypting, but nothing in this report shows shadow copies being enumerated or deleted; treat the signature as a prompt to confirm on a host that the expected shadow copies still exist, not as evidence of deletion.
Processes
-
Process tree as recorded by the sandbox: image path, then the command line as captured, then the signatures and PID; the two SearchIndexer.exe helpers are indented under their parent. Every process other than the sample, the two svchost.exe instances and those two helpers is a Windows or third-party service binary at its usual path, started at the top level rather than as a child of the sample, which is consistent with the Service Control Manager starting them. "Executes dropped EXE" is applied because a file at that path was written during the analysis before the process ran; together with the sample's "Drops file in System32 / Program Files / Windows directory" signatures and its use of SeTakeOwnershipPrivilege and SeDebugPrivilege, the simplest reading is that the sample modified existing service executables in place. The write operations themselves are not shown in this report, so confirm on a host by checking each listed binary's Authenticode signature or hash against a known-good copy.

C:\Users\Admin\AppData\Local\Temp\2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 748
-
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3560
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 3496
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 2148
-
C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1388
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  - Executes dropped EXE
  PID: 3280
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 1444
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 4284
-
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1412
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 1172
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 4628
-
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 2736
-
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 4824
-
C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 2228
-
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 2800
-
C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 2776
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 3980
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 3916
-
C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 3740
-
C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 536
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 1856
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4172
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2092
-
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 3580
-
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2988
    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 4932
    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 1392
-
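To turn the tree into a verification list (which binaries to pull signatures or hashes for on a suspected host), the page's fused "image path + command line + depth marker" lines have to be parsed. The Python below is an example added by the editor, not part of the sandbox report; SAMPLE_TREE is a constructed excerpt of the tree above copied as rendered, and the parser assumes the depth suffix is a single digit and that the command line always restates the image path (quoted or not, case-insensitively, and without the NT "\??\" prefix), which holds for every entry on this page.

```python
"""Parse a sandbox process tree as this page renders it (image path, command
line and depth marker fused onto one line, then "- <signature>" lines and a
"PID:<n>" line) and list the binaries that need verifying on a host.
Example code added by the editor; not part of the sandbox report."""
import re

# Constructed input: an excerpt of the tree above, copied as rendered.
SAMPLE_TREE = r'''
C:\Users\Admin\AppData\Local\Temp\2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-01_bbd3f281d60dadc7b7c180fe89405dbf_magniber_revil_zxxz.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:748
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3560
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2148
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes d ropped EXE
PID:1172
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:1392
'''.replace("d ropped", "dropped")  # keep the constructed text identical to the page

# Assumption: the depth suffix is a single digit (nothing here nests deeper
# than 2), which keeps it separable from a command line that ends in digits.
HEADER = re.compile(r"^(?P<body>.+?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*$")
PID_LINE = re.compile(r"^PID:(\d+)")


def split_image_cmdline(body):
    """Split "<image><cmdline>": the command line restates the image path,
    optionally quoted, case-insensitively, and without the NT "\\??\\" prefix."""
    for i in range(1, len(body)):
        image, rest = body[:i], body[i:]
        norm = image[4:] if image.startswith("\\??\\") else image
        cand = rest[1:] if rest.startswith('"') else rest
        if not norm or not cand.lower().startswith(norm.lower()):
            continue
        if len(cand) == len(norm) or cand[len(norm)] in ' "':
            return image, rest
    raise ValueError("no image/command-line boundary in: " + body)


def parse_process_tree(text):
    records, stack, cur = [], [], None      # stack[d-1]: last record at depth d
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = HEADER.match(line)
        if m:
            depth = int(m.group("depth"))
            image, cmdline = split_image_cmdline(m.group("body"))
            parent = stack[depth - 2] if depth >= 2 and len(stack) >= depth - 1 else None
            cur = {"image": image, "cmdline": cmdline, "depth": depth,
                   "pid": int(m.group("pid")) if m.group("pid") else None,
                   "parent": parent, "signatures": []}
            del stack[depth - 1:]
            stack.append(cur)
            records.append(cur)
        elif line.startswith("- ") and cur is not None:
            cur["signatures"].append(line[2:])
        elif PID_LINE.match(line) and cur is not None:
            cur["pid"] = int(PID_LINE.match(line).group(1))
    for r in records:                        # resolve parents once PIDs are known
        parent = r.pop("parent")
        r["parent_pid"] = parent["pid"] if parent else None
    return records


def dropped_executables(records):
    """Images tagged "Executes dropped EXE": a file at that path was written
    during the analysis before it ran.  For a service binary at its normal
    path that means "modified", so these are the files to check against a
    known-good copy or their Authenticode signature."""
    return sorted({r["image"] for r in records if "Executes dropped EXE" in r["signatures"]})


def children(records, pid):
    return [r for r in records if r["parent_pid"] == pid]


if __name__ == "__main__":
    for r in parse_process_tree(SAMPLE_TREE):
        print("  " * (r["depth"] - 1), r["pid"], r["image"], r["signatures"])
    print(dropped_executables(parse_process_tree(SAMPLE_TREE)))
```

On a host, the paths from dropped_executables() are the ones to feed to Get-AuthenticodeSignature in PowerShell or to hash against a clean installation of the same build; a service binary at its normal path with a broken or missing signature confirms the in-place modification the report implies, and a valid signature rules it out for that file.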
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5ad048c6d4dc6a942eb8dd51148c83fe8
SHA19ce9fa994aea3c4a62f5cef619687d9362bcab39
SHA256c073091d308845221e240674c740e9316c879f4e727e6c4f1838a031a765eb5d
SHA512ee814d7dd2b467b05056bb73dc5688b9119cf4350625addfe2a2ac128f7e11e139e112906c412d6ba3add12fad8f7ec7d5c6041affeff728b603eeca24927bd2
-
Filesize
1.4MB
MD5646a2b336bb65fa886e15ad302dc7388
SHA167a2025988bd9188667ca3368ae09c5363fe58f7
SHA256a3133e0d55b648b6d50c8ca223a7744a8da13ca34a45d2f0188b700c7e5fbe4c
SHA512ca43be4ca080149c03aa6c9f3e476cbd5ff2ff770f9b0598f821bd055c3d8ae96f2eb1aa681fed68f99445663f728e81f4c88d058541e23f4548678984f33772
-
Filesize
1.7MB
MD50a4e505e9fc099d0555feaf384aac1a4
SHA16aeb773ebb108254626da33b2b1bd64a90461dff
SHA25641635fc4c3579137b49362d4dc5886b498b0cf572f5fd68274cea0f332499d1d
SHA51276e3f2c682cd6e7c2c699b357b3ff7adac978b4c065158e159293f38c7b0a81f26f784aee1ad0870792ea4c323660d5682e922ee46a4049e3402b2b29bda2acb
-
Filesize
1.5MB
MD5225ff0d7d95ddda02e1b295c189625db
SHA19ac724ee9f446ed5fd84cb9e8d854cec41cfa4d6
SHA256c669db378f56462dfcc688fc0a30cd08663c00521a4d389129140407f3fe9207
SHA51207828228680bb7e0a0b1f4da1cd79626d19f54dfc9893da07a54f72fdb538df8a37bc00864402dfb68b0058a659eb9b591905e1f779089705a9d634d25f7045f
-
Filesize
1.2MB
MD59145789d457a332d238682b31840f7c7
SHA1403fa405e7172d03151d83c7605235c45e123084
SHA2567f97db123f090329442a880ec3afdc611f7a2624516200f7d49a761a048dc727
SHA512ecb1708739ae28d7b409bd03405c5048794a1cb68683c9b7e2c018f6ab63bb97b2a937a0ed215fa84e20a8fee663852a6e27af23e51cdcc902f07337eec58101
-
Filesize
1.2MB
MD5aaa8a1cf191a0902fbaf41a982ca0bec
SHA10b2a9e394f92bbedc33a6e51e9fb6ed0965d2743
SHA2566260c5c665e0e8ca50e5b63e5af9d5e4efa846304b09d0eb22ff1a2968dcf0e0
SHA51271fac8fd1844839b03c1c47f2f2906995bbb63bce202888b52e34017164a0a461c95d971f9af966942d2cf4b01dd0d1f1dfb82c1366965cbbd134b65686b479a
-
Filesize
1.4MB
MD5c75bd4cd0464fd729d485cee71cd2c5a
SHA15d9e94ec45f1aaaf6f693b7811590936a351e9b7
SHA256b7e340adb933d8f93b55de452fd2c531264a0ffb2f0bd1f2a756f6d6ce245e5f
SHA512e74de2b65dab9a54a50f40b7379c3cfd91a5c9c196bd59c9c5938b59a1f1c643f37e2f497b5f6ad3daec960b98af1a48795d3f22d68e9ee7448e537bf244fbac
-
Filesize
4.6MB
MD5eef508f2d19e12edadf01ad0997a4a11
SHA1afa46d9f0a25edcd4139e1cb40a4fe56e732f845
SHA25675c3c4b4ef8ec5ad7b7cb6c7f46bd422a11fc5b25b6c6ab702da08e576a78c25
SHA512e256337f23cb3781943dcbe54fe16f6aeffc0ea48182ec418177bde534bfa26e1de5a4fa2ea31b563986425ea3e99defcc8d9fdcf5610ce63b5a82ee344f7efb
-
Filesize
1.5MB
MD5564296da68dc59627d7d2fb80654c3a7
SHA1e14ba4bb49df6decbc4da74e5771352d25969012
SHA256e8aa874ad57bc02a72272f833b628c6bfb78ac0f070db517f4196fd7edf2aa7b
SHA512fcf5e7be5905a95e88c8dc88125dbfe8012eb0e84e83e426d6d8ca422ec115f0877fb8d856ef80a067f7fde26f46a93a6d9ce6d4649ca7f3609e9f5d1a7b3422
-
Filesize
24.0MB
MD51bd51064dca8200dfae240619cc7528b
SHA15c5f1987f2d928a64f1d98f781c307b688958494
SHA2561d1483320ce0f0979b8b6477d0638ca6a4da6bba54cdaa6878b46cb3ec9b0ce8
SHA512ba3fe4c8e5a260a062bbe371259de01e93b35f1898bd30b90eb5cf4a2bc1c738cda8deb7d844ec3f811b831fc1188b2b462cc3344ad605128ae88aa45d2a69af
-
Filesize
2.7MB
MD5bedc92be860a569487108288ce14423e
SHA1e1a98ceba7ed6c85147ae2eab6c806071ce96095
SHA25674af4b9941cab3cdde6009c8eb80788e06aab2df2386ae449e7ce355e2c5451c
SHA51243548f5609f624d960a4897a0485d88df0589465130711bb643a631152edce8d2d3de84c77f1157757eb614620f0948317cd4f51d99296745158dbaefbbd8ccb
-
Filesize
1.1MB
MD51679eac6139940f8dc7c3551bce49e13
SHA1d427e188417ca8745d6920240abb4433aeed2cc7
SHA256aaed31ede1835b514399f7477867a63dafab8326bae23c8dc4fe8afc67dae1f9
SHA512295e3f7d776699b77879886b38417e8e36c04037b195a37c274893183c45aef1769cc85e39b9f3a31c9c7f08e12708e9d8347a172de3f43cb30918bd0a83d0f9
-
Filesize
1.4MB
MD51e071d07dde7a8fb024fc8bfd93a7420
SHA1f8fb45f63d8b3e820abe4e796d4c602dd1607e15
SHA256fc74601d81adef195b3ba65e82f2335e3ce8a3ac404441dca95383b91f57ff72
SHA512e889c45ac88e5cd9911b11903f83fe542406d365f22c6e2782bfc8412006343d9c9183794b6545e15489f34823f6afca271d9cbd785e14e08085a693a46cff05
-
Filesize
1.2MB
MD58390b62e5188594f5d5c7c202b98e2a8
SHA15145205557f008ebd27b7604a3f83ba8013550f9
SHA256f33b0f19b1d289259416e1300b24d63cf94ee65baf1110b4ae79b75bf2376b46
SHA512aa619b238d2b7d1b6cf29f62294e261b0655d455e00b8fcbc5e5219a9466ac30df0f3925c1233bd577dcd20549de9c705bd1b06a281e55a757be6fea41a8df91
-
Filesize
5.4MB
MD568f7196229cb259ee3a31d5683065989
SHA1f3a74fe56c912b21f1940fd9f2eb155031c9da0e
SHA2563ac580948b549340aa96135de5a3408e00c11be6219a1995d2eff5cf49e6d24f
SHA512c674334eb12d16e36e27876dedf42d3dfc57bb337b7c3aa1abf8532765501c16c0253f2636092e73a6836f8e1167a53b32fe856f95532025afc9c2232caf456c
-
Filesize
5.4MB
MD56bd7c7d839a765fdc4c83cae0628471e
SHA172e7df5f55af10250b925629486bc9432af061d4
SHA25625da42b544338cac1e2d501af3fe82c1c4482cb1df3881cb58f5baa85f421fb8
SHA512e11ab5ebc9a294769c8642e70f4dc42aea96fae19d01abc83cc79fc9098cfc1a80a648d4cf2940f3f4ba6a1c384efd2550e2988094aa97e0a39879d5cfbfc1f9
-
Filesize
2.0MB
MD5c944efe39ef6f26b75c8ccdaed02ce88
SHA132336e2313813d132d7b64e6ec905571a3530bc0
SHA256b7830959f79ceffe6995305380b9f3ef2b71f63ebda5adc17241c23936b54e83
SHA51277ed71203791ef65fb3f6c34824c4230eea7f6d21dca76c18f5a1e57a0e9a7752470a85dcb196e6555acedcf7233476456655185a0865400d83caa2319d7aca9
-
Filesize
2.2MB
MD579bad6463d0f3266a0b22df7d59cbdec
SHA18bde227bedc0d0e4bc67fc7222a9f16a891f175e
SHA256e8eebaba154fa029dcb83401f0ae5c388994933f81099838fd00c7b68dee92db
SHA512a2dee2ad3195f810c5752cc56654f593bd60bab087522a68f7c05cd38d6cf9116cb2fbf2a638d6e408ef0cb24fa0851c10286e079d48a931bd7c0aa4ff5ce5b0
-
Filesize
1.8MB
MD588720683b0d8bc766f40bba3eccbca87
SHA1e1ccdc51dc9c3a4fa67ce98c81366cf9166c48f1
SHA256485de054eecfbeee042bec4719ca2ddeb33340213860ce98d0e3e902f13cda01
SHA512549f53e9b46aa2dd5fda9cdf8a83baf0e8797d7f9a9f2548e675da332474428cb91a9b28e49a765a4bcc7a48f13442d82eab38def98ed567da8308a57b80f1a2
-
Filesize
1.7MB
MD5d129696af5a59c07031d7fed46a1146b
SHA145b75c1a8b78b859a6b01827d1b19b1c756f6646
SHA25649df2dfe47b8185042407b83ce9ebe77dd37cd69cd7b4780ffc5f135c0fd25f1
SHA5124e58cf546185bc6d87e79d75a10873d8ce41241d934f5368a1bc595b20d14380182c3bc038bddbd084e172be23f56b640e8a7e713e4557a7055be52e4da8934f
-
Filesize
1.2MB
MD5ed3d8c9405473f13f8fed11c75c1d0e9
SHA180ab6c47af5f397c553a8cc0682edf12ddf84800
SHA256d36348516661c6c16b1cbc95aca77674dc58e210e6f5afeb0dbb6d9a6fbf15b7
SHA51244942c3c014b505707bc62aa0a2a368913c7236f566622ad16a24c438a30c2ebacdeeba43bc5c3f66b05b6851d08a19a47e918914879bfc2d6c92bb3286b10f4
-
Filesize
1.2MB
MD552be84bd2108f1c4aaea94bd4eb843b2
SHA10d885be14ac868148a4ca430f75dec9a24df727e
SHA256c3903bfbd39cab30b0dbc26cee8c086469b8406493ed276f81921df8acf0974e
SHA512513084cf306a8d5d5073d2162922f1ecc0b76e223b5f8a7ffe79b6f62dca34586671e4642da7353464e4e9ba17f1d1d627e17753d949a87eb7d9450d24c393d1
-
Filesize
1.2MB
MD5026466cf3235e2002653577bc75a7222
SHA1aa3e3fae13787ebff5aaad0e01fdaf98946055aa
SHA2566a6e701f4d3679a2756a87f0bac1660e9841b8ae1e0153cf66189c87a2559f2c
SHA512d8be798895c254115f455d734013df2f50e6ac676b4b547eca09166d3fe50a8bd8da1fa9bbc87475df503c9eacd87d55bd4121f1409aa0955463cf242865ee04
-
Filesize
1.2MB
MD57952a0655979d8a4d5c4c980c892ffd1
SHA1cdb7d0e75857fe327a852377fa2aa0855fc96e75
SHA2565dd811a797a19510783837c8770ed4a77f17ea2cb335eec518156a3d4435a856
SHA512803f0bdb8cc24cd5eab0ae7dd23bc0c873c82e859d0be6ece59531b0d19c9b70ba5b16211b5c07236d72c4900401019c45dea25921b48d161ef5b9a659bfec83
-
Filesize
1.2MB
MD567dbdecf16b8275fba33a5afa02c08e5
SHA1f0ee70b99c511e7460d62e8556d7720f6e3ad6cc
SHA256ed6fbb87ce6b6ddf54cff5a5248369dc3e98c1ee002404d11dc67e586ef593eb
SHA5123b30fd18741ca3177bd8c672120d2dae526969cebacd02570cfa9a0631045fc7ae0063138d3eddfbb054128cdc3f4e6d7c93134ae99fc4cefbb333a8a65a88eb
-
Filesize
1.2MB
MD5d4a8fdc106d30e83e4ba3d5a1e4168ed
SHA1c17d60699b2edd3988bef7485710fe7f2c8de1ef
SHA2560a399ba5e34392e02b0b6d99dfcae28ef03e09d35f60b8e47e893b8d9bb22d3e
SHA512fc0560f3fcaaaabcec49ab38b2813fe3620f2a310945c34cef768cde0b67f3312842e11c8d7591900e8b3739354dd1976e4faf22d103ae5e39c48d68215d28fd
-
Filesize
1.2MB
MD57872e7cd0a5c290293f5d74d3d76963d
SHA1549b66c50f97143c4e0ffef25143ebfecffb33d0
SHA256bc8683f6ef4c7c678fcf94d989efafdfd8f0101c69b8302a0a73251b918923ad
SHA51255bd12aacb8a33b56c759073066b1307033ed6205ec40ca86ff06e571de9cd67f2537de116f525c813d7a9764da342f904f910cc0d2056e5489589cb4c1f7fd3
-
Filesize
1.4MB
MD5cf9bbc5f0859985baf1850b4b518d032
SHA1c6520bd1a0e2c8878d9d9d0bd87291098e8a2b26
SHA2563e0ad4fcca60ce3a8546a0c624e907d13c30ec09251179cc62aae540fbf8f7f2
SHA5124c31eb1d4081109b900d004a6d44da7d08d471dabec7e050a7d404ef629ababfff779d8ffd16f24e6ada28735cdab036c7f63ca190c8ebeb8ed8630389e25ef6
-
Filesize
1.2MB
MD5210774bafb531a46e52a9d9eb7d30653
SHA1547310ce89f66a281d67f0cba97308dabd3136d0
SHA256db0b5713520f38dea449b5630f078de453aae233b1401e73028e133315e935c1
SHA5128ffdc48ab9628591782f55c1a16d46c6fa1b118d6e25dccbeaed6a0bb55e883e9a5bb535d833f1c30d88d4d77e9b790b29a7b8073c3eecb4c7d23156a0129da8
-
Filesize
1.2MB
MD5db73cf912edd350d8afe63e8daa31219
SHA13554a72c05b3fcf3de6a2ea5c770ccc681156940
SHA2568b199176daea10a8f44d920a2173a5b8dc6f0ac4579e6bf95a9714768869e21b
SHA5124e2157940d001730697f0b31d8b89f5de30029250931a5d544ba042ac9392542ebbca57d3ec6346500388603f57298be5c3e46a88dedbdee91ea7ab13156c5cf
-
Filesize
1.3MB
MD562b006f793c409a66ce7cd41d2bf41ca
SHA18e1f086a1c1a2d5dc43ff5301689c77b2075fbf2
SHA2560a2656d74009a2b86809cc7c82331cdd69b29005ad2becfbed6ee122ace0477a
SHA51231019f7154bcdf679b0e00ca1356d03daca55adaa40be58acaecb9a2bb3588c4fd4f2cb882fc761a57d334b3e070d9c247892b357ac572de6e07d5317abee7e2
-
Filesize
1.2MB
MD55f2359c4aea733fe7bdfeef98926a374
SHA10d2da2b1f8635dafecfba87fff5ea3a8254c1d60
SHA256e2a4cf23e2ae82707ff2f33e0fd1a764100b7b339655a2bc34da6c82227a1141
SHA5120c59ba0f3b16b84e5439732e828c61114a6b823001c95f7a6b8189e890d84a1fa186f687c956e9ce0eb7fdcea599dba7b815a23e60782783738f15477f316570
-
Filesize
1.2MB
MD53496971c66f9d5e7517235ddb9d5cf2a
SHA124d192cd42bb32a735ed2462c7b2480402d209d1
SHA256fb2e6090cbef8c64da91e6a6d831224d754f8a57f1434404ce9eccc8110d5521
SHA512d165511d371dae4b9d1af89296668433db703eab8733f406dfce86f2060b6a6b7abeba78cb9fc1865785ff32bac3ecb6706cb41be9dbd05266210f53266a5879
-
Filesize
1.3MB
MD5230f8b06eb57befcae32bd754d2a63f4
SHA1c0eca305c42a5f5018b8848d55446d5a626c250b
SHA256a5ef8d0602c9b9c486aa6ff56cbde6b413ccbe709b90b78189614e3a16146bd7
SHA512d53aae0a41b6ef1581dafc61928413bcd846d39f4e472b63373a5141ab50643ed02e23e868fd9b9b8314ac41810dd36f917587a3d6ef4a55564c115aeb81c611
-
Filesize
1.4MB
MD5dbc6a04ec607a55e8ad8eb2bb8c148ad
SHA140e4ce713a4ca25e9293b5550cd22b2ad7a89e44
SHA256cc96267c5d375304f2ee2b5f4c6c62c1da59f06eaf34c335e607fb095c024ac8
SHA512abd2f32278b8c1bde1897ee4a5a405a3b6f63673ef6b962b434463b75732c76f41a095ac042b7df739a08355d030f71d852b8df27041885504050a83c426e199
-
Filesize
1.5MB
MD5545ad4bf7305521b3646769d7121c975
SHA12648bce9bb9683d9bfd152f486ba303f0188a41f
SHA256b901de4d14036dd2b796cffd785e7b253cca84f31c29cd76dfcd671277a12574
SHA512344272c7f4f842a0d499891e49ebb467f357824aa1443f18b38e34db8a548b49201e354e2eccad00de65e93656d2bd4c3076247659b30d03e92235df5c1837b7
-
Filesize
1.3MB
MD5851e89f52ce584d118d45cd8a35ab54c
SHA1a8ed83d230ebeea4fc210113a4c77e55546c7af0
SHA256877a25fbc2a44c9a23409aebebf01a56f6a2f23a309f92bec8742eb2bd13b9a5
SHA5120d81d49d9862c3c871591e62c80a67aabef5285884027f6476931836ede2e708d7e5c1293e13f8cddb1475f41077fb60c6fbcf716019c54423c9059693ef1917
-
Filesize
0 bytes (the four digests below are the standard values for empty input, so this entry is a zero-length file)
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.2MB
MD5e76e3548ffb0eb23bf3b48346d364e6a
SHA181ad5e8fa1e5acf4806c93f8211880282ca3dc2e
SHA256e32b9580a1dc86dca79238bedcc97d67875ab1b8d764e6559675e1cb0cbd3700
SHA512699a6c9105de0783cdd676124999a1976c6776aacc45ff179ac9e3dc44bcd0c0cf17652728aebf201088905a583211cc49ac53d78ae456b75c12970ee001f490
-
Filesize
1.7MB
MD553d502106e373d6f604fa5cc48c24316
SHA14077c1d36d88fcb1d6ed97656434383dad3647db
SHA2560675e9e7a85a644f60578d91bbb26140ffaf97ac1c9acf0e8d949113fb163ca9
SHA512c17612987bc54d939f26aded585bb3d3625fabcef3eb4dd4abb2c88739c40ce30c49a1121ac5dbcb6579dd12a5a8b966d2ecd37bddf9a81afbf4dec92028cb57
-
Filesize
1.2MB
MD5d3e13b218996d3ed061dc4ac1ab1ea24
SHA1a48a9a93917216ee0cc0a70c132da70fbfee82a5
SHA256f9434f0d082e02f03cbb019d66c91071be2b15ee1f4101cbaeb926abcb32b3ed
SHA512f0403b102ba7e311900e832d30a640481dee4ede42f6785698e9743d0b51104e9ff2c4203368002cc0f9ba0494c5501298d99480f31dbfd5798dcae5e476eac2
-
Filesize
1.2MB
MD56ea66173eca886b87148e9c85d2bf140
SHA133fc50a4d111ff77ed0d790fdd9604eb44a5c118
SHA256bd8ef6f28f8c4c03f7bddf1e9c808706fb2e61318c1634f0b79ce5ffd04348aa
SHA51218df72c3bafb2bac9ea32f52322de78ba1bf8eaed8a5a7b176a0db6bca8dd0b632fd6e3164f8ca83a345545be828416c2acabf48deaea243fcc23d4901f37f19
-
Filesize
1.2MB
MD5fda7c7260e6c07a18fcd981405166e1e
SHA15046ac36c03929502fb372b30a4703c08c7edde9
SHA2566019d4ee89e00294641cc997381987f17973ef36f93e8ef6580a301093f28910
SHA512be8f33c448b9262d14316c0321e204e5fffa810bec989af8f4700682187dd2c298aaa8f8f4297c096e4bd76a43831ce7d0ce67fc01e9e7fe870b3a6831fad0b2
-
Filesize
1.5MB
MD581c7787baca042874960083199874469
SHA15cb7d8712ddc853744c14d9aaaae9546efb448ac
SHA256361c28098ee240838cda468dcf56e00c935f3175abb9372e5de533c22117824a
SHA5126af7bbe380f865fddb6c8a4ed8f89224a9e1843ee1facbe4d8f6e07eaa1592791f40e948a91bbf99ae273ed8a316a887c3a792e1542408a54fa29ef1b5bafcb0
-
Filesize
1.2MB
MD5c8c596cfba4644d70f5ddad07a337e48
SHA173c2472cb5c457762dd049f948155ac82132bef5
SHA25683dd735ed07f422515790d0cd672c9eb3c49b62ba960a729e5edade01b222dce
SHA5121808fc5b5d5be616496ff01cf52bdfc6c8708455e5cf8dbe77e480d47ac76f9a25debcbd77c6c11a7de618dbf1b6da7b4217210fc4c3a388e974078b50a41741
-
Filesize
1.4MB
MD57c2acabb034cf1d9ddade9a4d37a9ef5
SHA1fd4443ae52e0a934867eb400d7251189a6ee1152
SHA2568bef13a4bd95216544d8e9ff12407d4a7ddc4424b671bbcb844e6a2986a51a33
SHA5129ee488a2c003e33959bdb71592deecbd6acaf496099382192fb6370f213ea30670c2c0bf7bbf136ff175d6856c863f01b7e93e8e333356ea5636cb7436428dec
-
Filesize
1.8MB
MD5993e8afd28ee909615013049d782e932
SHA142d0310b42f22003e4801faf86d5c43d5f27c8f5
SHA256334e6841f4ce0d986252c49f80e71cd4e7e5078131cd19e7176080f44b560346
SHA5129dca5e29a41e42eb04d5fea24e43ea68e3c378d7127115c1625903b1e8b0c8e80d0ee14dfcbe55ff09c8ee99c2d717c2912b943a75296be9860211b0ffb0ac14
-
Filesize
1.4MB
MD5f2c904a6ed917cd030b1e398d267d3ec
SHA1aac79895aa9e00685e339ac45fe291d2b4362cc1
SHA2563cf82e85d41c1c9a75d4bfdf37e2fd50f140a40af66b945730b37574e29412e6
SHA512e5a05391ec1b11140ec480b1b036b0b017879de4ce415f127c011d2b942a1d5671904a12795470a2c44fcb0f5b2d8c90f76b0d8a439dac80e84015af5c51f5cb
-
Filesize
1.5MB
MD5b7ca0c575f107c2d87721173b42df950
SHA12c91914b453838317f6fff2647050d28b9f01da8
SHA2568367da2336b2fda5461cae3701346b6913ae96daad3a3684a72394c1e26b390a
SHA512e9490bdb791c8203fe1abcf62279d6dfdcad348257bae2fe8950632209db2b6d748cece3e84469142bf2192ecb9df2e50c0ac1737272b60a15001db6c59dd12b
-
Filesize
2.0MB
MD53da8ffa5130d5df24dc62131596a1b08
SHA13a234f25d02106f78f28554764cadb5033e9dffa
SHA2563c3dbda6b515755299acd78518f2915aceab3156a62d8b2f398726c405941d0d
SHA512ffa3a090e14276ff6e89ea7dd384ae90ff2d3702503cba3a150aba8a3f8206ed78db1e011f624d501cf3fbe15ee8d775f36f663cb9c50642e0729c7ebd793057
-
Filesize
1.2MB
MD5
171c4c8b9db4c36219b11a376a8adad8
SHA1
a2b96c776539a6148bea4cee38d6754cc0ecc912
SHA256
56a4190b6707d24c5dcb0679088b5415f110d454fc7e3900264e9d65344b378b
SHA512
a04fb5a2b4fe49c072906c5bb83bc8ae5e24c1839bf434b6d12f1243fd4a323045e2a9f2ba6d263c4f26213ffed2d3ec55630fdf3ad11ecd7563fbb697cc1cbe
-
Filesize
1.3MB
MD5
552eef13f1513284258e11688303db48
SHA1
d6b78d65616dd7978e0397b8ed2d8386956aa2d9
SHA256
4f2fc7f74d568edcfdaeb4ba0e77c072bb548dd79bde5070d3778c4fcecbdb91
SHA512
314845143cb040a0facc7bd95bc4497a3cb275b9d53ad5a1a325d80cad5765217c1549b017fa8557ed08e0fa5962c93e7716479494a44a670fb416840c9db88d
-
Filesize
1.2MB
MD5
85065327162ec4bc1702f3ec17280469
SHA1
2d8fda11c42701e4bf6f6cc031b900453d560580
SHA256
b39ffd024b97858ea7734dd9bf3191e4993a059407cd7021e16ba2f9b7588404
SHA512
20e00edb0d7839b63143f0b723063a90b632b69fd3258a4d9d41c3541964cfcf662bd4dedb21f08ce58065ff4d0d3dab2b572f6ef53136012a890577b88786ff
-
Filesize
1.3MB
MD5
f65dc722226569d4b80eaf5b7d588204
SHA1
2c55a83ec5934ed8f24819d2c3e38dbf3f94a0b0
SHA256
4d30bcb508ed82caacb4f72bdbf2204984488020b3d5dd248d753d291336e210
SHA512
be56e8e9f35182fbcd98810f300881fb12c81dd5d6f0e55b450f450e0bb0aa61bd642d4f8b0d68465ad6e461bb65bfc734fe950d52f8a7c868bfe5299b5c9cdf
-
Filesize
1.3MB
MD5
9d1c6c1e299ee51a542532d5f48cb3cb
SHA1
3fc45e2f915efe9b7bb701c2a3cf74f7ad7cf402
SHA256
1de279fb56d0573bb5faaaca2d31859dafa6c10cd8f5a3f498c7b8f53cc36411
SHA512
8f4f9f13e682aebf5414c611b256e8aa040f4eb812abc3c216fea7555ac85f7c74e100b82732f2788d9ab024ce2ff786483350065cf7d74a4eb1987547acbc86
-
Filesize
2.1MB
MD5
515aa71cce832afc94c835a3b23ebcd4
SHA1
f739cae4889d12c16dca1448d38f1ecde950dc9f
SHA256
10d80ca1dd508ec0934b2797756a11fb4cca1d597c5e777354ca9f847b976cb1
SHA512
4c17b660ea90251cec8b0681b26a60d9d45951c02e87a1cb8de9103db0ea79e2dea7a2b8f39baecd282e64cdb3a047a1811ab6cda708c1a6fd5e86acbb6672b7
-
Filesize
1.3MB
MD5
5930379cdeb766a99ed640bd83172334
SHA1
6a589202927c83772c673ba5b982c16cdc85e457
SHA256
cc1a9df94e54f1aadc1892b6750dc4968770ab375cbc1cf749821cde48811135
SHA512
1a63533c43eacc16f5e1ae3b85d0a84ae62fd7256b99addf2401bc91edde1cd9f9428fb95e52e1982ac041ef5beea37bdd7fb859b4c4bf23a58d501154a53203
-
Filesize
1.4MB
MD5
b5facfca9b737608e897384d427fbaf5
SHA1
abba9370bb0ca53fe51e9a60df0c74be3f27000b
SHA256
cea75cf6afc3d596feb8282e61f797627b1982e15d8e5b8eea8354d022294dba
SHA512
a6d5ed049adb363a3e919b92b1056d8aa4f77352c9c9517911afebfddd4dfb3f0b51170515d8fb203d3206ada07ea359f875a635f84deb764982e34d87ec5938
-
Filesize
1.2MB
MD5
cc748f941e3c4a471071ace880808bbe
SHA1
a348f7c72afdd12b0e5c8e8b765a4dbca9797140
SHA256
d706d5034a5ed02ea997ed87161effd25703d41888437a7c794192c9bf03d89e
SHA512
3f4b37e9fae34b8019e17134f99dd4653866255754e5a2d11a15e81fac7fe48100c0f2486bb1125edf39f86cd671a801acb7f65e99024e91adccea0dee4e574d
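The dropped-file list above is only useful as a hash IoC set if it can be read reliably and matched strictly. The following is an added example, not part of the sandbox report or of any tool it describes: it parses the report's Filesize/MD5/SHA1/SHA256/SHA512 layout into records, accepting both the extracted form where the label is fused to the digest (as in "MD5c8c5...") and the report's own form with label and value on separate lines, rejects digests of the wrong length as extraction damage, and then matches a file only when its size falls in the interval the rounded "1.2MB" figure could stand for and all four digests agree. The sample text is the page's first two entries; the binary units (1 MB = 1048576 bytes) and the one-decimal rounding interpretation are assumptions, not something the report states.

```python
import hashlib
import re
from dataclasses import dataclass

# Expected hex length per digest; a line that violates it is extraction damage, not an IoC.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest label first, so a fused "SHA512<hex>" line is not read as "SHA1" + hex.
# An empty second group means the label stood alone and the value is on the next line.
LABELLED = re.compile(r"^(SHA512|SHA256|SHA1|MD5|Filesize)([0-9a-fA-F]*)$")
FILESIZE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumption: binary units

# Constructed excerpt: the page's first two entries, first fused as extracted, then split.
SAMPLE_REPORT = """Filesize
1.2MB
MD5c8c596cfba4644d70f5ddad07a337e48
SHA173c2472cb5c457762dd049f948155ac82132bef5
SHA25683dd735ed07f422515790d0cd672c9eb3c49b62ba960a729e5edade01b222dce
SHA5121808fc5b5d5be616496ff01cf52bdfc6c8708455e5cf8dbe77e480d47ac76f9a25debcbd77c6c11a7de618dbf1b6da7b4217210fc4c3a388e974078b50a41741
-
Filesize
1.4MB
MD5
7c2acabb034cf1d9ddade9a4d37a9ef5
SHA1
fd4443ae52e0a934867eb400d7251189a6ee1152
SHA256
8bef13a4bd95216544d8e9ff12407d4a7ddc4424b671bbcb844e6a2986a51a33
SHA512
9ee488a2c003e33959bdb71592deecbd6acaf496099382192fb6370f213ea30670c2c0bf7bbf136ff175d6856c863f01b7e93e8e333356ea5636cb7436428dec
"""


@dataclass(frozen=True)
class DroppedFile:
    size_text: str
    md5: str
    sha1: str
    sha256: str
    sha512: str


def _store(fields, label, value):
    """Validate one label/value pair before it becomes part of a record."""
    if label == "Filesize":
        if not FILESIZE.match(value):
            raise ValueError(f"unparseable size {value!r}")
        fields["size_text"] = value
        return
    value = value.lower()
    if len(value) != DIGEST_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"{label} expects {DIGEST_LEN[label]} hex chars, got {value!r}")
    fields[label.lower()] = value


def parse_report(text):
    """Split the '-'-separated blocks into records; unrelated lines are ignored."""
    records, fields, pending = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending:  # value for a label that stood on its own line
            _store(fields, pending, line)
            pending = None
            continue
        m = LABELLED.match(line)
        if line == "-":
            if fields:
                records.append(DroppedFile(**fields))  # TypeError if a field is missing
                fields = {}
        elif m and m.group(2):
            _store(fields, m.group(1), m.group(2))
        elif m:
            pending = m.group(1)
    if fields:
        records.append(DroppedFile(**fields))
    return records


def size_bounds(size_text):
    """'1.2MB' is rounded to one decimal, so it covers any size in [1.15MB, 1.25MB)."""
    m = FILESIZE.match(size_text)
    if not m:
        raise ValueError(f"unparseable size {size_text!r}")
    number, unit = m.group(1), UNIT[m.group(2)]
    half_step = 0.5 * 10 ** -(len(number.split(".")[1]) if "." in number else 0)
    return (float(number) - half_step) * unit, (float(number) + half_step) * unit


def digests(data):
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256", "sha512")}


def find_match(data, records):
    """Size prefilter first (cheap), then require all four digests to agree."""
    d, size = None, len(data)
    for r in records:
        lo, hi = size_bounds(r.size_text)
        if not lo <= size < hi:
            continue
        d = d or digests(data)
        if (r.md5, r.sha1, r.sha256, r.sha512) == (d["md5"], d["sha1"], d["sha256"], d["sha512"]):
            return r
    return None


def record_for_bytes(data):
    """Describe a payload the way the report would (one-decimal size above 1 KB)."""
    n = len(data)
    size_text = next((f"{n / UNIT[u]:.1f}{u}" for u in ("GB", "MB", "KB") if n >= UNIT[u]), f"{n}B")
    d = digests(data)
    return DroppedFile(size_text, d["md5"], d["sha1"], d["sha256"], d["sha512"])
```

Matching on all four digests rather than MD5 alone is deliberate: MD5 and SHA-1 collisions are practical, so a single-algorithm hit against a shared IoC feed is weaker evidence than the report's full tuple. The size check is only a prefilter; it never decides a match by itself.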