Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 07:06

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe
Resource: win7-20240220-en

Note the resource mismatch on this page: the task row lists win7-20240220-en, while the Analysis header reports platform windows10-2004_x64 on image win10v2004-20240426-en. The paths in the signatures below (System32\OpenSSH\ssh-agent.exe, System32\SgrmBroker.exe, System32\PerceptionSimulation\PerceptionSimulationService.exe) are Windows 10 components, so the behavioural data is from the Windows 10 image.

General
- Target: 2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe
- Size: 24.3MB
- MD5: 115ce58537463f6797dd527bedb1717e
- SHA1: 671c1f607d2e1c018f3f7809eb5b4114b5d0e4ae
- SHA256: bc0b6220303979d855f7727c0d8439d4177f9f319299de88308a82a6d60b9094
- SHA512: 9112b4bb5ca9b9025e43419f68cd71b438759c2e09e06ebbbd86e08bdd8ce0db7fd8e316c81a9442cadd7c4544523a3c7d03eb94f285801f186c49398eaa42af
- SSDEEP: 196608:HP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpqH2SAmGcWqnlv018S8d:HPboGX8a/jWWu3cx2D/cWcls15q

The family names in the file name (magniber, revil) are part of the submitted file name; this page shows no family signature and no extracted configuration for the sample.
Malware Config
Signatures

Executes dropped EXE (22 IoCs)
pid   Process
- 4636  alg.exe
- 3436  DiagnosticsHub.StandardCollector.Service.exe
- 3544  fxssvc.exe
- 1480  elevation_service.exe
- 1364  elevation_service.exe
- 2968  maintenanceservice.exe
- 2996  msdtc.exe
- 2772  OSE.EXE
- 4856  PerceptionSimulationService.exe
- 1212  perfhost.exe
- 3344  locator.exe
- 1664  SensorDataService.exe
- 2804  snmptrap.exe
- 3392  spectrum.exe
- 1056  ssh-agent.exe
- 1124  TieringEngineService.exe
- 2476  AgentService.exe
- 3492  vds.exe
- 804   vssvc.exe
- 3092  wbengine.exe
- 972   WmiApSrv.exe
- 4812  SearchIndexer.exe

All 22 images are existing Windows or third-party service binaries at their installed paths, not new files written elsewhere: 21 of them appear in the "Drops file" listings below as opened for modification by the sample or by DiagnosticsHub.StandardCollector.Service.exe (OSE.EXE does not, but the Program Files listing is capped at 64 entries). elevation_service.exe runs twice (pids 1480 and 1364); both the Edge and the Chrome copies are in the Program Files listing. The page does not show which process started each of these services.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No file-level IoC is listed for this signature on this page.

Drops file in System32 directory (31 IoCs)
Processes: 2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe

Opened for modification by 2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe (22):
- C:\Windows\system32\msiexec.exe
- C:\Windows\system32\spectrum.exe
- C:\Windows\system32\dllhost.exe
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- C:\Windows\system32\SgrmBroker.exe
- C:\Windows\System32\vds.exe
- C:\Windows\system32\locator.exe
- C:\Windows\System32\alg.exe
- C:\Windows\system32\AppVClient.exe
- C:\Windows\System32\snmptrap.exe
- C:\Windows\System32\OpenSSH\ssh-agent.exe
- C:\Windows\system32\fxssvc.exe
- C:\Windows\System32\msdtc.exe
- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- C:\Windows\SysWow64\perfhost.exe
- C:\Windows\system32\wbem\WmiApSrv.exe
- C:\Windows\system32\SearchIndexer.exe
- C:\Windows\System32\SensorDataService.exe
- C:\Windows\system32\AgentService.exe
- C:\Windows\system32\TieringEngineService.exe
- C:\Windows\system32\vssvc.exe
- C:\Windows\system32\wbengine.exe

Opened for modification by DiagnosticsHub.StandardCollector.Service.exe (8):
- C:\Windows\system32\dllhost.exe
- C:\Windows\system32\fxssvc.exe
- C:\Windows\system32\SgrmBroker.exe
- C:\Windows\system32\config\systemprofile\AppData\Roaming\67daa73ebb5459c0.bin
- C:\Windows\system32\AgentService.exe
- C:\Windows\System32\SensorDataService.exe
- C:\Windows\system32\msiexec.exe
- C:\Windows\system32\AppVClient.exe

Opened for modification by msdtc.exe (1):
- C:\Windows\system32\MSDtc\MSDTC.LOG

Two things in this listing matter for triage. First, DiagnosticsHub.StandardCollector.Service.exe is itself one of the binaries the sample opened for modification, and after it ran (pid 3436 above) it opened further service binaries for modification, several of them the same ones the sample had already touched (dllhost.exe, fxssvc.exe, SgrmBroker.exe, AgentService.exe, SensorDataService.exe, msiexec.exe, AppVClient.exe): the modification behaviour propagates from the sample into a modified host binary. Second, the only non-executable drop besides the MSDTC log is C:\Windows\system32\config\systemprofile\AppData\Roaming\67daa73ebb5459c0.bin, written by that modified service into the Roaming directory of the SYSTEM profile (consistent with the writer running as LocalSystem); it is not listed as executed.
Drops file in Program Files directory (64 IoCs)
Processes: DiagnosticsHub.StandardCollector.Service.exe, 2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe

Opened for modification by 2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe (27):
- C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
- C:\Program Files\Java\jdk-1.8\bin\orbd.exe
- C:\Program Files\Java\jre-1.8\bin\java.exe
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
- C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
- C:\Program Files\Mozilla Firefox\private_browsing.exe
- C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
- C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe
- C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
- C:\Program Files\Java\jdk-1.8\bin\jar.exe
- C:\Program Files\Java\jdk-1.8\bin\javaws.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe
- C:\Program Files\VideoLAN\VLC\vlc.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
- C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe

Opened for modification by DiagnosticsHub.StandardCollector.Service.exe (37):
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- C:\Program Files\Java\jre-1.8\bin\unpack200.exe
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
- C:\Program Files\Internet Explorer\iexplore.exe
- C:\Program Files\Java\jdk-1.8\bin\javac.exe
- C:\Program Files\Java\jdk-1.8\bin\javah.exe
- C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
- C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
- C:\Program Files\Java\jdk-1.8\bin\jstack.exe
- C:\Program Files\Java\jdk-1.8\bin\kinit.exe
- C:\Program Files\Mozilla Firefox\uninstall\helper.exe
- C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
- C:\Program Files\Java\jdk-1.8\bin\klist.exe
- C:\Program Files\Mozilla Firefox\updater.exe
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
- C:\Program Files\Java\jre-1.8\bin\keytool.exe
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\Java\jdk-1.8\bin\jar.exe
- C:\Program Files\Java\jdk-1.8\bin\keytool.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe
- C:\Program Files\Windows Media Player\wmpnetwk.exe
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
- C:\Program Files\Java\jre-1.8\bin\pack200.exe
- C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
- C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
- C:\Program Files\Java\jre-1.8\bin\klist.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- C:\Program Files\Java\jdk-1.8\bin\wsgen.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

Six files appear under both writers (Chrome Installer\setup.exe, jdk-1.8\bin\jarsigner.exe, jdk-1.8\bin\jsadebugd.exe, jdk-1.8\bin\jcmd.exe, jdk-1.8\bin\jar.exe, Acrobat Reader AcroTextExtractor.exe). The listing is capped at 64 entries, so it is not the full set of Program Files binaries touched.
Drops file in Windows directory (3 IoCs)
Processes: msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe, 2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe
- C:\Windows\DtcInstall.log, opened for modification by msdtc.exe
- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe, opened for modification by DiagnosticsHub.StandardCollector.Service.exe
- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe, opened for modification by 2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe
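The three "Drops file" tables and the "Executes dropped EXE" table only become useful once they are joined: which writer touched which file, which touched files later ran, and which of the later writers was itself a touched file. The script below is an added example, not part of this report or of any sandbox tooling; it parses the tables in the flattened form the page uses (an excerpt of the two file tables and the full process table, copied from this page and embedded as strings) and reports the chain. Replace the strings with the full tables to get the complete picture.

```python
"""Pivot across a sandbox report's flattened IoC tables.

Added example; not part of the report and not code from any tool it names.
FILE_ROWS is an excerpt (14 of the 31 + 64 rows) of this report's two
"File opened for modification <path> <writer>" tables and EXEC_ROWS is its
full "Executes dropped EXE" table, each pasted in as the page flattens them.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = "2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe"
DIAGHUB = "DiagnosticsHub.StandardCollector.Service.exe"

FILE_ROWS = " ".join([
    rf"File opened for modification C:\Windows\system32\msiexec.exe {SAMPLE}",
    rf"File opened for modification C:\Windows\system32\spectrum.exe {SAMPLE}",
    rf"File opened for modification C:\Windows\system32\dllhost.exe {DIAGHUB}",
    rf"File opened for modification C:\Windows\system32\fxssvc.exe {DIAGHUB}",
    rf"File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe {SAMPLE}",
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe",
    rf"File opened for modification C:\Windows\System32\alg.exe {SAMPLE}",
    rf"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\67daa73ebb5459c0.bin {DIAGHUB}",
    rf"File opened for modification C:\Windows\System32\SensorDataService.exe {DIAGHUB}",
    rf"File opened for modification C:\Windows\System32\msdtc.exe {SAMPLE}",
    rf"File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe {DIAGHUB}",
    rf"File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe {SAMPLE}",
    rf"File opened for modification C:\Program Files\7-Zip\7zFM.exe {DIAGHUB}",
    rf"File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe {SAMPLE}",
])

EXEC_ROWS = (
    "pid Process 4636 alg.exe 3436 DiagnosticsHub.StandardCollector.Service.exe 3544 fxssvc.exe "
    "1480 elevation_service.exe 1364 elevation_service.exe 2968 maintenanceservice.exe 2996 msdtc.exe "
    "2772 OSE.EXE 4856 PerceptionSimulationService.exe 1212 perfhost.exe 3344 locator.exe "
    "1664 SensorDataService.exe 2804 snmptrap.exe 3392 spectrum.exe 1056 ssh-agent.exe "
    "1124 TieringEngineService.exe 2476 AgentService.exe 3492 vds.exe 804 vssvc.exe "
    "3092 wbengine.exe 972 WmiApSrv.exe 4812 SearchIndexer.exe"
)

ROW_SPLIT = re.compile(r"\s*File opened for modification\s+")


def parse_file_rows(text):
    """Return [(path, writer)]. Writer image names carry no spaces but paths may
    ("Program Files (x86)"), so the last whitespace-separated token is the writer."""
    rows = []
    for chunk in ROW_SPLIT.split(text):
        chunk = chunk.strip()
        if chunk:
            path, writer = chunk.rsplit(None, 1)
            rows.append((path, writer))
    return rows


def parse_exec_rows(text):
    """Return [(pid, image)] from a flattened 'pid Process N image N image ...' table."""
    body = text.split("pid Process", 1)[-1]
    return [(int(pid), image) for pid, image in re.findall(r"(\d+)\s+(\S+)", body)]


def propagation_chain(file_text=FILE_ROWS, exec_text=EXEC_ROWS):
    """Join the two tables: who wrote what, which modified files later ran, and
    which writers were themselves among the modified files (second generation)."""
    rows = parse_file_rows(file_text)
    targets_by_writer = defaultdict(set)
    for path, writer in rows:
        targets_by_writer[writer].add(path)
    # ntpath splits the backslash paths correctly even when run on Linux/macOS.
    modified = {ntpath.basename(p).lower() for p, _ in rows}
    executed = {image.lower() for _, image in parse_exec_rows(exec_text)}
    writers = {w.lower() for w in targets_by_writer}
    return {
        "targets_by_writer": {w: sorted(t) for w, t in targets_by_writer.items()},
        "modified_then_executed": sorted(modified & executed),
        "second_generation_writers": sorted(writers & modified),
        "executed_not_in_listing": sorted(executed - modified),
        "non_executable_drops": sorted(p for p, _ in rows if not p.lower().endswith(".exe")),
    }


if __name__ == "__main__":
    chain = propagation_chain()
    for writer, targets in chain["targets_by_writer"].items():
        print(f"{writer} opened {len(targets)} file(s) for modification")
    for key in ("modified_then_executed", "second_generation_writers",
                "executed_not_in_listing", "non_executable_drops"):
        print(f"{key}: {chain[key]}")
```

Read second_generation_writers together with targets_by_writer: msdtc.exe qualifies only because it opened its own MSDTC.LOG, whereas DiagnosticsHub.StandardCollector.Service.exe opened other service binaries, which is the propagation that matters. OSE.EXE lands in executed_not_in_listing, and it would still do so with the full tables pasted in, because the page's Program Files listing stops at 64 entries.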
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe

All 64 entries are reads under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ for four device instances:
- Q  = CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
- D  = Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
- M1 = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
- M2 = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002

Property subkeys opened beneath <device>\Properties\ (device property store, DEVPROPKEY GUID\property id; a is DEVPKEY_NAME):
- a = {b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- b = {51236583-0c4a-4fe8-b81f-166aec13f510}\007A
- c = {cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
- d = {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
- e = {78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
- f = {259abffc-50a7-47ce-af08-68c9a7d73366}\000C
- g = {8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004

SensorDataService.exe (33 entries):
- Q: device key opened; FriendlyName value queried; properties a, b, c, d, e, f, g opened
- D: device key opened; FriendlyName value queried; properties a, b, c, d, e, f, g opened
- M1: device key opened; FriendlyName value queried; properties a, b, c, d, e, g opened
- M2: device key opened; FriendlyName value queried; properties a, c, d, e, f opened

spectrum.exe (31 entries):
- Q: device key opened; FriendlyName value queried; properties a, b, c, d, e, f, g opened
- D: device key opened; FriendlyName value queried; properties b, c, d, e, g opened
- M1: FriendlyName value queried; properties a, c, d, e, f, g opened
- M2: device key opened; properties a, b, c, d, e, f, g opened

Caveat for triage: both readers are Windows service binaries (Sensor Data Service and the Windows Perception Service) that the sample opened for modification in the System32 listing above. Reads of a device's FriendlyName and of its Properties\{GUID}\<id> store are also what ordinary PnP device enumeration produces, so this listing alone does not show whether the reads come from the services' own code or from what was written into their images. What the listing does show about the environment: the disk reports vendor DADY, which matches no hypervisor string, while both optical drives still expose QEMU and Msft Virtual_DVD-ROM strings.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
- Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)

This is a single read of the CPU clock value by a service binary the sample opened for modification; the same attribution caveat as for the SCSI reads applies, and the page gives no evidence of what the value was compared against.
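The check the "Checks SCSI registry key(s)" signature describes is a string match on the device instance keys under Enum\SCSI, whose names embed the vendor and product reported by the emulated controller. The script below is an added example, not part of this report and not code recovered from the sample: classify_scsi_devices() applies that match to the four device keys copied from the listing above, and enumerate_scsi_devices() performs the same read live on a Windows host (returning an empty list elsewhere). Only the QEMU and Msft strings occur in the report; the VMware and VirtualBox patterns are assumptions added for completeness.

```python
"""Hypervisor fingerprinting from SCSI device instance keys.

Added example; not part of the sandbox report and not code recovered from
the sample. REPORT_DEVICE_IDS are the four device instance keys that appear
in the report's listing (HKLM\SYSTEM\ControlSet001\Enum\SCSI\<key>).
"""
import re
import sys

REPORT_DEVICE_IDS = [
    r"CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000",
    r"Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000",
    r"CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    r"CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002",
]

# Order matters: specific hypervisor strings first, the generic "virtual" last.
# VMware/VirtualBox patterns are assumptions, not strings taken from the report.
HYPERVISOR_PATTERNS = [
    (re.compile(r"qemu"), "QEMU/KVM"),
    (re.compile(r"vmware"), "VMware"),
    (re.compile(r"vbox|virtualbox"), "VirtualBox"),
    (re.compile(r"ven_msft.*virtual"), "Hyper-V (Microsoft virtual device)"),
    (re.compile(r"virtual"), "unspecified virtual device"),
]

# <Class>&Ven_<vendor>&Prod_<product>\<instance id>
DEVICE_ID_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^\\]*)\\(?P<inst>.+)$")


def classify_device(device_id):
    """Split one SCSI device instance key and attach a hypervisor hint (or None)."""
    m = DEVICE_ID_RE.match(device_id)
    if not m:
        raise ValueError(f"not a SCSI device instance key: {device_id!r}")
    probe = f"{m['cls']}&ven_{m['ven']}&prod_{m['prod']}".lower()
    hint = next((label for pat, label in HYPERVISOR_PATTERNS if pat.search(probe)), None)
    return {
        "device_id": device_id,
        "class": m["cls"],
        "vendor": m["ven"],
        "product": m["prod"],
        "instance": m["inst"],
        "hypervisor_hint": hint,
    }


def classify_scsi_devices(device_ids):
    return [classify_device(d) for d in device_ids]


def virtualisation_verdict(device_ids):
    """(flagged, total, sorted labels): how many device keys carry a hypervisor string."""
    rows = classify_scsi_devices(device_ids)
    flagged = [r for r in rows if r["hypervisor_hint"]]
    return len(flagged), len(rows), sorted({r["hypervisor_hint"] for r in flagged})


def enumerate_scsi_devices(root=r"SYSTEM\CurrentControlSet\Enum\SCSI"):
    """Live read on Windows of the same keys the report shows (the report names
    ControlSet001; CurrentControlSet resolves to the active set). Returns [] on
    other platforms so the module stays importable everywhere."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as scsi:
        for i in range(winreg.QueryInfoKey(scsi)[0]):
            device = winreg.EnumKey(scsi, i)
            with winreg.OpenKey(scsi, device) as dev:
                for j in range(winreg.QueryInfoKey(dev)[0]):
                    found.append(device + "\\" + winreg.EnumKey(dev, j))
    return found


if __name__ == "__main__":
    ids = enumerate_scsi_devices() or REPORT_DEVICE_IDS
    for row in classify_scsi_devices(ids):
        print(f"{row['device_id']:<60} -> {row['hypervisor_hint'] or 'no hypervisor string'}")
    print("flagged %d of %d device keys: %s" % virtualisation_verdict(ids))
```

Run against the report's own keys, three of the four device instances are flagged: the DADY disk passes, the QEMU and Msft virtual optical drives do not. That is the gap a vendor-string check exploits, and it is why the same check run inside the sandbox image would have returned a positive result regardless of which process issued it.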
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, fxssvc.exe, SearchFilterHost.exe

All paths below are under \REGISTRY\USER\.DEFAULT\. Abbreviations: MuiCache = Software\Classes\Local Settings\MuiCache\2a\52C64B7E; FileExts = Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts; Cached = Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached; oregres.dll = C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll.

SearchProtocolHost.exe:
- Set value (str) MuiCache\@C:\Windows\system32\notepad.exe,-469 = "Text Document"
- Key created FileExts\.snd\OpenWithList
- Key created Cached
- Set value (str) MuiCache\@C:\Windows\regedit.exe,-309 = "Registration Entries"
- Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"
- Set value (str) MuiCache\@oregres.dll,-123 = "Microsoft Word Document"
- Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"
- Key created FileExts\.pdf
- Set value (str) MuiCache\@oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"
- Set value (str) MuiCache\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"
- Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"
- Set value (str) MuiCache\@oregres.dll,-125 = "Microsoft Word Template"
- Set value (data) Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000954ee14ff2b3da01
- Key created FileExts\.svg\OpenWithList
- Set value (str) MuiCache\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"
- Set value (str) MuiCache\@oregres.dll,-102 = "Microsoft Excel Template"
- Key created FileExts\.DVR-MS
- Key created FileExts\.mhtml\OpenWithList
- Set value (str) MuiCache\@oregres.dll,-140 = "Microsoft OneNote Section"
- Set value (data) Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2a0924ff2b3da01
- Set value (data) Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d9bef4ff2b3da01
- Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"
- Key created FileExts
- Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"
- Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"
- Set value (str) MuiCache\@oregres.dll,-175 = "Microsoft PowerPoint Slide Show"
- Key created Software
- Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"
- Set value (data) Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea87fb4ff2b3da01
- Key created FileExts\.mhtml
- Set value (str) MuiCache\@oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"
- Key created Software\Microsoft\Windows
- Set value (str) MuiCache\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"
- Set value (str) MuiCache\@oregres.dll,-142 = "Microsoft OneNote Table Of Contents"
- Set value (str) MuiCache\@oregres.dll,-182 = "Microsoft PowerPoint Template"
- Set value (str) MuiCache\@oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"
- Set value (data) Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b8f0651f2b3da01
- Key created FileExts\.html\OpenWithList
- Set value (data) Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad370c50f2b3da01
- Set value (data) Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ae1b750f2b3da01
- Key created FileExts\.svg
- Set value (str) MuiCache\@windows.storage.dll,-21825 = "3D Objects"
- Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"
- Set value (str) MuiCache\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"
- Key created FileExts\.mp2\OpenWithList
- Set value (str) MuiCache\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local

fxssvc.exe:
- Set value (str) MuiCache\@fxsresm.dll,-1133 = "Print"
- Set value (str) MuiCache\@fxsresm.dll,-1132 = "Store in a folder"
- Set value (str) MuiCache\@fxsresm.dll,-1134 = "Microsoft Routing Extension"

SearchFilterHost.exe:
- Key created Software\Microsoft\MPEG2Demultiplexer
- Key created Software\Microsoft\SystemCertificates
- Key created Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
- Key created SOFTWARE\Microsoft\MPEG2Demultiplexer
- Key created Software

Caveat: SearchProtocolHost.exe and SearchFilterHost.exe are the worker processes of SearchIndexer.exe, whose binary is in the System32 listing above, and fxssvc.exe is in that listing directly. The values written (MUI string-cache entries for file-type names, FileExts\OpenWithList keys, shell-extension cache timestamps, DirectShow and certificate-store keys) carry nothing specific to the sample; they are the state the search indexer and the fax service create under the .DEFAULT profile when run as services. Treat this signature as low-signal for this sample.
Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9722650f2b3da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
pid Process
4864 2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe (35 entries)
3436 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
660
660
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 4864 2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe
Token: SeAuditPrivilege 3544 fxssvc.exe
Token: SeRestorePrivilege 1124 TieringEngineService.exe
Token: SeManageVolumePrivilege 1124 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2476 AgentService.exe
Token: SeBackupPrivilege 804 vssvc.exe
Token: SeRestorePrivilege 804 vssvc.exe
Token: SeAuditPrivilege 804 vssvc.exe
Token: SeBackupPrivilege 3092 wbengine.exe
Token: SeRestorePrivilege 3092 wbengine.exe
Token: SeSecurityPrivilege 3092 wbengine.exe
Token: 33 4812 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4812 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4812 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 4864 2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe (5 entries)
Token: SeDebugPrivilege 3436 DiagnosticsHub.StandardCollector.Service.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid Process procid_target
PID 4812 wrote to memory of 4624 4812 SearchIndexer.exe 111
PID 4812 wrote to memory of 4624 4812 SearchIndexer.exe 111
PID 4812 wrote to memory of 3208 4812 SearchIndexer.exe 112
PID 4812 wrote to memory of 3208 4812 SearchIndexer.exe 112
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_115ce58537463f6797dd527bedb1717e_magniber_revil_zxxz.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4864

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 4636

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3436

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 5028

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 3544

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 1480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 1364

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2968

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 2996

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 2772

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 4856

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 1212

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 3344

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1664

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2804

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 3392

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 1056

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 1124

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 3320

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2476

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 3492

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 804

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3092

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 972

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4812

    C:\Windows\system32\SearchProtocolHost.exe (child of PID 4812)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 4624

    C:\Windows\system32\SearchFilterHost.exe (child of PID 4812)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    - Modifies data under HKEY_USERS
    PID: 3208
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5
c2cff2e6c1c5792e8b38e042f5c5f5b1
SHA1
8dc4cb7ad038768d91842e47fa6bb4fccc3d91f9
SHA256
8f8ca76851649b9d1b56a80d8c70520053515b1d83a02bfc175d3f3cef2e4e1c
SHA512
f17e4951e94d1dc9664e2444e0bb8a19bf64dddca4517e6bc963d4d29aa73793434e79d036bcefb336c7895d4665e23c3b1e3276dfcc1d01c67772ef95a7c4e3
-
Filesize
797KB
MD5
c4fb153d2db2a549e6cbad4b0a1475c1
SHA1
cfb2fd5a8ae72163fff142d14b1e8909c3ceca15
SHA256
d22192213d253c8bf7fef92eed6efa25f8e477a90d4ad2c8ec4e4a850fee3c1f
SHA512
38c2a7581f9fbe0b3df4bc6a62b455d3061c9b3292813b7109d7a19a6472f460c8123b37e06f4d7b1047323da0b960a180e59f00e831668ed0f07f62df3d3418
-
Filesize
1.1MB
MD5
f8fc7fc8b39823fcb0ad21d11b0bb5a8
SHA1
f4eab5afc0fb71f0f57c875626f26ffa956e5fef
SHA256
34305b0b29863be1cd33c55b4f599a9d1cea21c31bbbc66240d9bcf2cb814da0
SHA512
031a293fe7980961438511a4ed4eff5d99297df34f44d56bef709fb32c3054820164dc8f931a0e8e106beb1961b206f2953bb3c69412f12c90a327a30371e72b
-
Filesize
1.5MB
MD5
6da5a71d43cffa4e9c5b0351e475ab67
SHA1
1108b59860837b0e9008de69d31544169191e77e
SHA256
3f8786640fcf72d4c6b00c25d3d3ea5f3c65c6e61836ad83d877ee74d4586434
SHA512
40d61dad7a9e202cb5f2e17408d6db9a8f78c75f9b4b894e60ae6029340c82fc142952a77b3f6e0320828ea1b9d79b6abe15ce5b95fa7723f4cc51390f68ffbe
-
Filesize
1.2MB
MD5
dfca64f6f94367deeac5769501def611
SHA1
6bafec1939a1c6d0f9cbaea9c9e3f105364f9964
SHA256
84e26d5601d0914f9be22e9057bd55106276165606c01d26ee987dc35f80ee10
SHA512
fbf6814341609043b9513ae82591052b82fb7cb1a5bba5cabc7cc99ac256aa60dcd0e5a4a6ef023f1c258c0961fa156249b3f79544738f734fd938b3b4b5d3fe
-
Filesize
582KB
MD5
f6eb13c8b3608ea291e89d166976dd53
SHA1
ba5b9e02c891ebc8697eb1fdd8e7b0730f17f633
SHA256
0a533fd8eb0aa72f7983c10c3279a78703d343cc8de2eb915dfce3cae3b54a52
SHA512
de440c0c4b570ebeb9cb5f1bc9aaf8e75114702e9fb88b7a127d8fffb03656f211d9c7c09d7ac67d415045906f6e235f20253e468ef6166e515ad9080ad03c2d
-
Filesize
840KB
MD5
1a23edff6c2e426372d40c648a5350a5
SHA1
a554f25c94ac2bcbfd51fe4ab3965ebb0ff59979
SHA256
ee4a629945244f1585833c88cf78c59473be9b20dc12d9652783a49801d52920
SHA512
ed6d5dce118dbf88f42bf9d204cfd3c5930f15c7ce17955c2d4fe5d7fd0ee0f49a38b368abc4a8cacbdd289444e1ef584f10c86713ebe1d6c9e298c258090539
-
Filesize
4.6MB
MD5
fd7845aa26df39f578dd0649ceda4fcf
SHA1
2daa022618d73448437585e49ec48b6c7bfb9e32
SHA256
42fe2f9db3ce46d7df608df8f8aad66213cd47a44c1e4b8f95667ee43cb3a353
SHA512
0910d2b3898227574708d1a4ba6973c97765c509beef7eec44d0cfb37aa6a9fd253a267f800d502ec3ea53770d03ad8577445e41b2355f7c6b95c0a980d93ef7
-
Filesize
910KB
MD5
5a2dc9adcb4300e203a070b58043b5db
SHA1
17f7409091708325976b6d62fd2d03420e456240
SHA256
6bf94baff7eb3d8bddf7f53456cd4b9a6d338b6edacae8ffe00e1e88a5df2720
SHA512
89b1c558f79168ef69cd5e16c92154fba3954d087bca0f5bfecd530837116c3e2672cfdf242eb1dd794a7a9dd771d11ede2e548f7a5697c053160e549bb6bc2b
-
Filesize
24.0MB
MD5
fe69ffb7bc0b9dfe93176206e45b2c14
SHA1
39b3e5f50c8a431411674a505661664c2c918e93
SHA256
4cd00b5a07ed60bca3506c5f9cc6d0ba5e23256df2a33dc1668d933a4457caae
SHA512
d99be4db48217380f7594649f21d40fb55241a7e99d968b619c8e2ae99c3352a6ed30386bc3c0cf4714138f5c3325c75d65e53a190d65be63e5f1732517002ec
-
Filesize
2.7MB
MD5
730aa5e53bd58552a3de5f67e8794d7e
SHA1
39da9ec7724d111f50f0643a7689fc3b18b43635
SHA256
137473a2ad90066657d7a4bf946a17d9007602dac9a54bfe2fb150a1d3c49bd1
SHA512
14b8d8fe4ae17f1ee2248cd0e892494aff0ce895a0d9711145a6ac44e9cc0e6fd1a0a843ebf194b775ec361ac03d9444d0b4ed4a0a316229d63cd08303c655d3
-
Filesize
1.1MB
MD5
323f46d05a84deaa80f708f9e85a2430
SHA1
b75e9140b297f2671acef05e3ad1287121cd8118
SHA256
c1ea562f60de5252173c0fac2c0d7cc8c02002a8fdae84b7e8d33a32c20d0f62
SHA512
7c394ac99443fa3d4c7d6954c20bad1926cd82248eee39cf43d47e8d39adcddff23009aef3629a2493b2b3ccecaf7840cba0cfd6cfdf60e97097bda8af7ece4a
-
Filesize
805KB
MD5
8780978419404ac188228f57bb440631
SHA1
8ba6a5ac2f64d378708a2f3b93ce55b3e27f883f
SHA256
5fa65c609b1e33dd27816c26faa7209d2f661ce38a4a9b3d1d87ced7b5faff94
SHA512
211f277eb895646e6efcf1001a6a0df0de0726d935388ff23eac462395b74648d0d063e74bb0bf8a573d8e8875d3b10c54f8159f6e322b030a319193ebcea123
-
Filesize
656KB
MD5
cd581141d8c1785d90d20ae11b1a8e69
SHA1
26a15c61a9a56a7c556f0e01d0d2e6cd0fcf35fe
SHA256
53fb1c63873ec798656db139918258dcae24e48aadc1a20ef2a38a74fbdc1ae7
SHA512
5a8f2ede47d7038539b710541d5a7c52f00bdeeb420e5706a8c065a572b5e4a3ac3b9e77033104a8d652cbd1bef55782d14bb0fb2683b7f99a52a3a6ebcbc4f6
-
Filesize
5.4MB
MD5
6a9def7fc2680dcedd7c284a989cf08e
SHA1
b34100c509a705f23d52b21f930e50cdcd3a035a
SHA256
6b737f1f249183451fa9ffcc93b0a7db60d908f13323eb793d4ad51500497a70
SHA512
3513f7dd8010a35908e6ae93b284485ad4705daf5e21c2597b4d9b66353c4f60b8837150af596763f1bf06112a898603dd18b7ce8c57ba75f2413b9d165012cf
-
Filesize
5.4MB
MD5
a1dc28f8e36adfa614db00fb8962d325
SHA1
b37df8b9abe16f37472dedc5070f8ecd05dbbb5e
SHA256
5cc190f3e0e812d443975e4d58022d2b21bded62d3df8cbe85010c28987aa0da
SHA512
363b622fa80feb4233cd181a9efc4c346cf3444dad227d12ecea6e13c9993e4502711afe97894921500af096ebcc503cc86baa603520440eb28e2cfd54215e55
-
Filesize
2.0MB
MD5
c9728417e70bb80e70727207cc87eb56
SHA1
100328d2eb467b1ac495c2a511dd5ed9044d4695
SHA256
f60632927b0e277e4356b1ff3184d0224f609ea1cb7776da3ca5a4cc272cad9f
SHA512
7f53e49a94112eba495eeb6392fd95ddc2fcdafe190e3828b46ca72f1e818d5caa87df3835f2e4b37a7587008a95483607d70a017907d4d0f60b9ab9bfaa3868
-
Filesize
2.2MB
MD5
0116ce39c1b191b44915ebc629efe1e8
SHA1
fc7d0ac665e85092854ae6dfe2ea66b321766a37
SHA256
1f8c332138ffb6ae94046fcd2221740121be787340aa6adea1e28c814a9b66b1
SHA512
36fb7bf5366f5ea438a9b2fbf089383a2076189bd0689ecc5bae5c12e6a5fdd5ec149a42145aad539abed62f290b5c7875b6c3d2ed2da7256691ec6ecf7c183d
-
Filesize
1.8MB
MD5
5bad67cc9de3718cc37b4a6129c8dca4
SHA1
537231f02ac6bdb2b9562d8c2010cb091930f23d
SHA256
0d7aaa43a550ac0103e21e6e9ad2a83d62f84c260cf2da4fa9aa99f83f7375fc
SHA512
20414bd61832593f8073c82caaf89fdbab15aa08d0f32a87a001e51c470684e267c6441280be9d44950d940d2771b55d1aa5787f3a6309a03ce10b9315ad0aba
-
Filesize
1.7MB
MD5
dcaa741dc295b04084c6e75992a5c46f
SHA1
2e672f7d6bcbfc219ed9d1251fc4b21f32deacc6
SHA256
75553c2d91164f245659a7c43f2b6005a444a64ebed578893c0ae8b0c9100258
SHA512
1bb5ad7281acc92efcd618d95d5e204adaa29819875079bbc62def98fe01826c41f6e686e7629a8258a7b47abbecb9854ceb523f62bceea84bc4ae957060ce17
-
Filesize
581KB
MD5
acd85e1d0ad498c3cf32cccc8640221f
SHA1
2680ec0d1af745dc7a746a3b31719833dbec3256
SHA256
da1568bef1795796ced4639b37b5c2a026de3f6056d3b7430fa29837ba5b1ac9
SHA512
766d6acdb17ce6e6b9f2d9becaedc4535330cbc79cea2a96c1dabb28198ab72ebd07fcc2a0195993be1d4c4d5e49851855fee7a67ec16beebbe1f21b700c8be5
-
Filesize
581KB
MD5
bad23a5806ad9d282799ccf40e1d8e7b
SHA1
248ad8ab9a26a0d2f61c75769fc692c25bc9abb1
SHA256
8b9571de00250929fa99da8a14a8fa94730cb4ed986d4d7b8101ae6df0403046
SHA512
e5b8628167f69b71e77c6a6f5c5d3951f7b179e456c02cf3541b232cbba17c2e9e4f92a17cc8afa5fa0153dff358cc3d6da6885febb1ace34aceec887edef6bc
-
Filesize
581KB
MD5
1e8d7d0f3b93fa2833e8be9c84ee76dd
SHA1
4872e8165bf30ef08689d56a14f4bd9ca3d53f64
SHA256
26fb28d996a2010d9c65717c133d3041cded8f4b1da025cd5eae37947ac754e9
SHA512
c90e51ae45a2190930644e7740b48d0eae9299fb8d133839f479d3ab21da706edd19f4cb3a209ff9e9a099217c9ca61822e29e0ce7a451d47c2dc2fb8c02f713
-
Filesize
601KB
MD5
859f000ffa6b1d7f2329c60d3d1d91f6
SHA1
3f64b8405a0b51cd34d6fa7b75bbdac3b677b4f2
SHA256
7a8577012960aa6c604746c021238785569b78eb1af85919115798d50882d261
SHA512
dc9c70a81c83dc2a7ee09187d4c5ea5a8836f0216a3f02f5ec5b4242e625f2e0cbc8e1fae62ab2f8d40758e69830a45967e695f450ef4ef52f63cb89e686de61
-
Filesize
581KB
MD5
403e049deb8faa616f696a3277a935a1
SHA1
7dfbc3f55d9827c43434399326fde39c08bf8ded
SHA256
ab9a358c603bbe6e821558ea075af08004b4f2cc0c59a1f06fb7521fc679f8ca
SHA512
1bd4f763ddf44b4cf853eda57cda9727036f383ad515ad9a996ecc49712d32d746361ace47b91431d14af0c40ed10024a6cd474c4a991c2edc17fd3ba5d670f5
-
Filesize
581KB
MD5
1412b26e7e05ce7bb70aa15cc28d910b
SHA1
6b06aaa64e2f9738267863076f1d1401a2a5b350
SHA256
5006eb752779a08d550324e6b50bf01b73b9effb084bc059295b8ff77a916822
SHA512
e2fada520daefc38a7daadd1e2acc87fd1c92a4165c089adf7de6c02d1cd81000d59aa5011789692a0b7efae4be308e6148dd5ca87b351da3805d01e30863229
-
Filesize
581KB
MD5
bd45fdc7720d10b987e4a8649acf91b3
SHA1
9159049822d19730ac758fe1f5ec08e3674048c0
SHA256
7358ba2f1040e6f97f915c3aa9d1568414f4c13322027ebabe70452ecacb2dfb
SHA512
498f7fcb09e7a9c587d8d360772902f7e983d815bb66bd9c569deee1d9403000360859c53e6734dd11e5164d949fe5032315b6f31a2288e12e6932ee5cc880d3
-
Filesize
841KB
MD5
7e3f9e4421d46362c0f3c85ef5541082
SHA1
7bd82cd8f9b2ceee24ea475fee56de4bd5cc8d0e
SHA256
014d86bb43bf91230be2092a281f6f963fff602e210507f8322951c173a9e531
SHA512
ea14aa1a022a96a370992ff368192692fde440a56245ec04d19f850c7cf34c88064f63d6e51379e26fae038e8d4b9c1e9c2aa0e9a3ff8ab8e0365e9b46e09437
-
Filesize
581KB
MD5
d15461a3a29ae98b9cb80d4e246f00ee
SHA1
af4b139e48e89c075b20ebf81e57438471fcb627
SHA256
4133deb8da3e895f14ba306fefb72a5b5bdf2cf6f9761c02ebabe64199fb10f5
SHA512
663952daf8c2b61e863a05230ec94259d0c66a1894165173526d7756831d32306d646ca4941a9421e23751b9e2697336d73e588d284198d5a0391d6de2f1fe82
-
Filesize
581KB
MD5
61e6084a917ad5ac8507ed1e495ee60a
SHA1
fdc7fb26f70befa6c88944aa8f5da9dfa108eea4
SHA256
c1bad9406e51c9fa21fa8dc3f4091d1dfd66f178f231cc876f2d677f44868a83
SHA512
d254f9779d90da9b6beb3e33b0ecc49c8a2399cd26a581311515c3eef5f447434aeadcb000763552e847b5f49991aa8b5eb10fc7c4c998458dfe83fbbfe72000
-
Filesize
717KB
MD5
fc22fff27e7438b5a778cfe636091177
SHA1
a3bbc952ea2a4d1e9c2a828beaa9bc78f0d46f54
SHA256
033445aecc0bf26665a39b947380c49194c6c4cfbe89df2dd5ff2c9af358bd46
SHA512
874bdd701c1cb6640e833e27d243c11d8c2113fd48304514baacec411da0b7fee19eca3dadb3b707192c87119276174c2a88e15ba6b1180c5b6a17e0ad6cdffd
-
Filesize
581KB
MD5
f91188118304e673d2d173d848fe1a2d
SHA1
bdc45422ac2694f630531ecd6972d7a81408b7c2
SHA256
0cd63fe073732d3375b28a2a94ee9845eca562edd30a3e424f55250a892a6899
SHA512
c43b46861206d04b7d711ef8a331a1883620a4f0c96c9baf53b5fcc0160aef2b8501f815c11d8947b814088cc281262019162a1b13cc5deab72a3f3719817201
-
Filesize
581KB
MD5
a1b8d09aa821c1c315890bb9e1620b3e
SHA1
cda5a470980e4a3145c0a2431434df90c45372d8
SHA256
6e0f5c87b9d087784270a7e9fef2052c6be5e0d4b6f1fa56a6fa626058820269
SHA512
976913106d72e371e06e01b2e4e76ef59cb6c72ad916e636f54f780b11988834f8686cdd4e36d41b975c1de022225638f36e2ce7e6577d6e62888ee7350c9aac
-
Filesize
717KB
MD5
33702f444cdccffdccdd703228c66169
SHA1
a8477f482c2a778b1e3c4944057c4a09ad1fe524
SHA256
9d22a06931971d95cba2d447e4f97b0026f58b816b52cd7462f9d49675391863
SHA512
7c9c981745233f8d9857327f9f1bd209f32839ee1e6024b7d5bef513f24d1d56cd2f2b0ad61ce35026fb18fa0a5c01915c723e6e41d2bcdb32fbed62eb9e072a
-
Filesize
841KB
MD5
6bf58176377d397a50c029b4b2a7d6be
SHA1
5fc4ca1e91d455f8806d7ef6fa1e4d095f34c04b
SHA256
f81811d5124843028c2e6dfca9e30771f97c319fd1c5c153fa3072e903e0627b
SHA512
99872e8d8a359c55c8704277741ce8d887f5c934178f729d932870b81bb430aa6851a5b55b62b985615485771a6d797b19c57ca66934ecce10bf8662020aeed2
-
Filesize
1.5MB
MD5
cd665b354c7909c16c378f002ed34953
SHA1
eb2fb1949a325f4c409423f154331ff092af5f86
SHA256
369dc5a1dd8b925e68946311f557969c6c79a38291ee4dc52edb120e76166384
SHA512
ca393dc63d1ff96ea5b3007f8e16102eb212716212190e5de4693892a885eeb734c4866a00415b77107d238f1acaf7534057839f5045a4792053f6d7fd149728
-
Filesize
701KB
MD5
79f4c95d75864bd2500860bb447a223a
SHA1
2c3af3a8551b42c8de8c59d9b91cf3314b5d9859
SHA256
4396bfd11d4477e72f12e720e1ab6dca5ff318ddf4f1dc9537b5f5dcee24807b
SHA512
b415410633f336d0209e35033bad622fef958a1fa04666d9011212fc1a28cd47e0d790d48ea96f2bab66ebefa93e4c685aed2a3635d5302f835db32728376882
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
588KB
MD5
ee224a14e8e464400515e7218701e067
SHA1
270488340422716a96606d25a692928d506a02f6
SHA256
e18fac4f42a1f28cb05b4719a7d2afbeb1c607941b1b95bb7820ac7d5401c01a
SHA512
7f0b3bbf779355b9c024db71093477005fa9fa42eb2d36c8400d0951c4e3fc82ff122552f91b4ff8e657e208880a2223355946a4d5cffee5eee3d17435493a78
-
Filesize
1.7MB
MD5
58cd50075a769b0cd810ba48eac9c153
SHA1
7cc1be6fe7d20bc429231e78ab7365385ced6566
SHA256
828f1a08bdd1cc9e80042fd58c1d44f9a0e25a05dc29a2587272da1096ff6c83
SHA512
e51be97d346a51fa9e3eb7298a48dce3d2b4feac857eabf3af89db8394b072f724b4313cb4395c29a00a15559a8906c3b253af208c166f8e240088f924582b14
-
Filesize
659KB
MD5
06415020dc270a1dda7391f83fe6b7f3
SHA1
4d4c8fe9ae1c80a599352ac23e97b4605bea6954
SHA256
f58c118eaf250c9cf00789df2103089ad81edbbc9a25d420e60bdeddfc59f86f
SHA512
99e568375993e7914e0162360059a5f3930caf45e9791995b8220d7a7d80a63f0a458d14eb45e4e9a438db08c969625f9c8fbedaa5c4872a5fd7fa37a9354456
-
Filesize
1.2MB
MD5
8b94c84727931ed82ecf3168d9d88258
SHA1
d83cfb1b34de371f65e61f34ae57a4d19e595f02
SHA256
5bafa368db8632e8016dd4c1d64132fe4ced1eb19b15f80ed21309d033d8172a
SHA512
16d0ab580167c69c8bd32e6c47e77ebdf9fa3ea983fce74820ec0fb673c5d15cded62c787428a0b8959b8d81851b5d6813c0f1e103682d67fede7a4d5d55cab7
-
Filesize
578KB
MD5
ebf31baede295e23b94aea57af3683f6
SHA1
5d42808facd83875bb552785a66fe636e22fa72f
SHA256
f3643cd40b371f76715ef2cde6924575262a29bb6f01cd0ddfd902e9ad761ed2
SHA512
f17e23b000073c3cca17c418be3ce4a08304b164bba007a16c221807a58257e45b70dd37336f9b9f299c90a326ce0623d690295705d4d2f00e97b10ecd47cd18
-
Filesize
940KB
MD5
2f3201c66f81f8f827e5d9dcd2b0f7f6
SHA1
38c840667f7fff0a3052b63015b373823c326c05
SHA256
338ad52bf30d223d752c14aeb9032016226007ce8d9862c9f8a2de847ea63e14
SHA512
c68c3f5deaed55c6910bda0ed20c47ff61ed04a56a0acb48b00f9ec94230721853c9e4599075adfa8142ea11191572282397de49878637e293de36d9e0eecd3f
-
Filesize
671KB
MD5
a1075e34da05600b387cddf8555d1811
SHA1
402364e3b80aaf18bb21e4b9e477de723b623de6
SHA256
e434017495fdb7b386cf904090e3a0e1ae91f832b109598151b79e46b7371c5d
SHA512
612007fda5f3ed2e52e2aa516af84e7f153dddfd450f660c6ce9f2bd3f5365027db0d2d97b13adc072113f4615b6a546976637800abbb36b2e66681d7a32ed9a
-
Filesize
1.4MB
MD5
fdbde932bf578e5d98983b5dd4730f08
SHA1
d01ccd895da5a4b43d60d76cf0311ea3abc4aaa1
SHA256
380563fb7bc63bc60680ea2ed5eb3dac58ea04dba9f39a485b6e950ca7159c04
SHA512
ce1be5881f297b93290dfbfc76d763f1d0b89b5ba1375d6f5eef0bdbc978de3715c434d22dbb74cd6cdf2849ffbce24ddbec4e89350a396f68d859fb105d736e
-
Filesize
1.8MB
MD5
81294f2f055dc65fd12cef292671f34f
SHA1
874a0e8e4b7472acdcd86737581fb9453f7ab83f
SHA256
aa73f791f4d436b9a25b69639a9249dda8dd6a26b1de3065d1d4aaac2576121e
SHA512
b7283c583fd1ad7119642bf259688d9de3bf33945afdea57e1be72f4943db0fb6eb3df6472d9cb69e55ad1d9663268bece9e66e7de61b11703a86348ef15089c
-
Filesize
1.4MB
MD5
780468c30c664a524a290b2dabf98a0b
SHA1
9ddb34a4230aca8b8dc72247674224948044af42
SHA256
f0b5cbe8e531e681ffbe2003d492d6de1bb878b721e3ccff8fe1bba94951b52f
SHA512
fe3391cfa56405691276857ba4d8adf1e5538e61de24ab26b3966b8849e9495fadff2bd68126ee87f97ad9c9fe35a598ddd673c4c10a8c797f8c3c04fab4bb54
-
Filesize
885KB
MD5
9d1af04cee6987854b72d615ba0fccd7
SHA1
ba281a81096a733e7c91ce42f8ec68daf404e98f
SHA256
d147a90ca21a7dfd957bee92f663305ebc18f18ca4276a688991a4d5b6aafcf1
SHA512
fbbc876df29051da527b69e99d9eac17455df55ce32af48263764a35b0eb7eca36d8b351fab1000908586e4047d082c2bbea32eed84f588eefdf4b16a52726bc
-
Filesize
2.0MB
MD5
a6f0a9452f72ce088ce2d1e1fc98157b
SHA1
7a03cb1cf3f36dda9552cc3d26559ec10ce24106
SHA256
9361d444bc7fe4e56c07f2839136cdc5a2a66592d2d3c3481a2cd0b8a199caee
SHA512
dbfb3fe5f4de468518d2f972eb3d3a4a2bb7abedc3566edb807c43cce3e0ce2c4832702f9afb261acfd6189c09fd14f7fdf4e2c7da7e7b9ca0b9aa2e09bf6c55
-
Filesize
661KB
MD5
d672bac79c1c0da5453e6a91153f4434
SHA1
80f31675d96600d254e99c83167724a0ed62e9f1
SHA256
16e31b11288c5a048b6384119df3d5173bc2b78da3a7d09bff0c7ab7aa3fd523
SHA512
28ecaeea81772291cda50ba6d5cd50f6a8e887c41c0f1d66a63a3d611729a8bb7db30e11957be917015baebaade331f63d0699ab716e1982973e062d39e8049f
-
Filesize
712KB
MD5
efe270e312301fe755f4f1d4ac8f0b4d
SHA1
6e0bda134d7fd8e1c89e24c2d2fec19c71310e80
SHA256
c1ab168a83be19791c286ff9d0d3ae27fc7548974830b644f08356add8a5a716
SHA512
b82066efb40905332d1bcd6bb5ccf39e945321edb3b7ed0bcb5428f87a0e9e6779abd84ba81c7e32cac663b166dea3c02ecd2b6ea4bd28017cc775158bb0fb99
-
Filesize
584KB
MD5
52c3a9b91b480c2ef4fbc7bbdff5b626
SHA1
4b90084899491267795ff45c2de9a9a34bfd1ad0
SHA256
0153796dc451301244b234d1d0d74c60df397a5a4235d41aa12755e142492168
SHA512
a39257edebcd95c7011a433fa079df11ddfe3838c197c3ee65591da5cbf69d44485355f3b292d59442ab2edf218ef5add8708808ca160938a23e9b5a5410ae3a
-
Filesize
1.3MB
MD5
3dfb6909c8fae60d10d41075690ca34e
SHA1
76f8e66d4167e68637d969b918f43d5ded4f1663
SHA256
a4c13e6c8499fba7a00f7dab890bc9cff2ec35c25c2b60d7e033edf7a4a5c816
SHA512
91f02b6d415a85d61f3ceb156743352067b7612ae2df5d89668280556ee8381d2cc50077fea9496dc2a64018fd284f50948001879bf06881b66f096e871fb31b
-
Filesize
772KB
MD5
5dc1c106a263dfb913cf39a0789abf97
SHA1
93e4d0c04a1a228169f6576764ec802a7ca58b06
SHA256
b4a26df2d8669dd007d23a096d0f9700b1c428a8ae47e760cac96bc42f65d4db
SHA512
def021ab03099e3fe8836365f13fc3ab8e8e64f139aaa6eb035bd0237cab96d4b1f1361cc561c52ff4b29099b8c130c009a1490f5e330aecc4e044fc7a3cb8c3
-
Filesize
2.1MB
MD5
8f97539780c9301163947e67f5aba842
SHA1
2e398007cd3ae1bad8d6e1fdf902a9ddd3521ffa
SHA256
286de8eea31d8143322644f267b22d346f5584625ba121e26ee67ed3643b7c2c
SHA512
1c6b633874aa02ca9966e3a5cdd462ce227658611c0e48f9fef2b56f8921823ce06fb4115f3779836a1dcd423ae7b428f9d8783f52d6f30f68d72ff0c0df9e6a
-
Filesize
1.3MB
MD5
f7448db01c507687be18f48d0f760987
SHA1
8df90879b74d64c343902c891075794a484efa2d
SHA256
45fb72a1d41bfad4cc25244757f48103f82e5a20253948a7335322721a4bc246
SHA512
5e2f0c26c38f96ca63a915285a2730d97c8675ab864ed237806b8f5fbc693bfb380dc59523eefd2ff521b75cb32fe3a818f77b17141ebde484d4088e4b61107d
-
Filesize
877KB
MD5
056b7dfbaf34b1f14107360e21c188a4
SHA1
ca7f4e2bb3742a509796d4b2b39f65f5f6f74e2c
SHA256
7baf1fba376c51d4b77246971c48c59011bf837f9013bb41aac98dc8179d21b3
SHA512
44c7e5b1b5699a3d28a1d3690fddd293329b2683c1efc0480b5ee05e587c3465dbe74dac8277ebbb4d6c46ca33c8f925d0e9d9c320c55acc80acf93c8eaee087
-
Filesize
635KB
MD5
2fad737bc3bc28ffda5af100067c5b08
SHA1
10f5bda16d29c5967fc087e86e84f29b197c5fbd
SHA256
7a56da9abeff44168f98dc23b008367bbb4938efbd5a11853ee26f9ba3a9644a
SHA512
fcc04b595fd648afabd2a6d95b1ed180bcf872b211417e4099987cc940b862a6ddc2eb799e3f5b445da0bf5715e6ac6f13cf982fafe4e4f026459e48b871cccf