Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 07:44
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe
Resource: win7-20240221-en
General

Target: 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: acb1f7d26450cb2a2d2b2896edf0c2d5
SHA1: 6d98a31934cbbd6a9973efe436ce5e87ea466450
SHA256: d47f10e5f37f83420cf5159ceae94d00b4695ea7853d20b27a37d1c239b1494d
SHA512: 3d4540c859105c3b0b1a611346e182ddb5fb2db94f2f265390211a422394cd92b1942ba46e203c8c606e1131a27db348a1b0dfe5c9607239d9b1c623b0ed6a70
SSDEEP: 196608:xP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018Q:xPboGX8a/jWWu3cI2D/cWcls1
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
Most of these names are Windows service binaries that the sample itself opened for modification (see the "Drops file in System32 directory" entries below), so the "dropped" executables are the modified on-disk copies of existing system binaries rather than new files.

pid   process
4856  alg.exe
4636  DiagnosticsHub.StandardCollector.Service.exe
1896  fxssvc.exe
4732  elevation_service.exe
3784  elevation_service.exe
2712  maintenanceservice.exe
3496  msdtc.exe
744   OSE.EXE
4344  PerceptionSimulationService.exe
1432  perfhost.exe
3976  locator.exe
2956  SensorDataService.exe
3584  snmptrap.exe
2072  spectrum.exe
4460  ssh-agent.exe
4496  TieringEngineService.exe
2680  AgentService.exe
4820  vds.exe
4044  vssvc.exe
4644  wbengine.exe
4844  WmiApSrv.exe
5112  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops file in System32 directory (31 IoCs)
Every entry is "File opened for modification"; entries are grouped by the process that opened the file.

By 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe (22):
C:\Windows\system32\msiexec.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\fxssvc.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\wbengine.exe
C:\Windows\system32\SgrmBroker.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\AppVClient.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\SearchIndexer.exe

By alg.exe (8):
C:\Windows\system32\AppVClient.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\1c11182fbb5459c0.bin
C:\Windows\System32\SensorDataService.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\SgrmBroker.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\dllhost.exe

By msdtc.exe (1):
C:\Windows\system32\MSDtc\MSDTC.LOG
Drops file in Program Files directory (64 IoCs)
Every entry is "File opened for modification"; entries are grouped by the process that opened the file.

By 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe (32):
C:\Program Files\Internet Explorer\ieinstal.exe
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
C:\Program Files\Java\jdk-1.8\bin\rmid.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe
C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe
C:\Program Files\ResumeClose.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
C:\Program Files\Java\jdk-1.8\bin\kinit.exe
C:\Program Files\Java\jdk-1.8\bin\schemagen.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
C:\Program Files\Java\jdk-1.8\bin\klist.exe
C:\Program Files\Java\jdk-1.8\bin\servertool.exe
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
C:\Program Files\Java\jre-1.8\bin\rmid.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
C:\Program Files\Java\jre-1.8\bin\pack200.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

By alg.exe (32):
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe
C:\Program Files\Java\jre-1.8\bin\orbd.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
C:\Program Files\Java\jdk-1.8\bin\rmic.exe
C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
C:\Program Files\Java\jre-1.8\bin\java-rmi.exe
C:\Program Files\Java\jre-1.8\bin\ktab.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Internet Explorer\ieinstal.exe
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
C:\Program Files\Java\jre-1.8\bin\kinit.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Java\jdk-1.8\bin\jstack.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
C:\Program Files\Java\jdk-1.8\bin\java.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
C:\Program Files\Java\jdk-1.8\bin\policytool.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
Drops file in Windows directory (3 IoCs)
Every entry is "File opened for modification".

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  [2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe]
C:\Windows\DtcInstall.log  [msdtc.exe]
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  [alg.exe]
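The three "Drops file" signatures above give a concrete hunt list: the sample, and then alg.exe, open existing service and application binaries for modification. The PowerShell below is an added example for checking those files on a live Windows host; it is not part of the sandbox report and not code from the sample. It assumes Windows PowerShell 5.1 or later, takes the System32 and Windows-directory paths from the report verbatim (the Program Files paths can be appended to the same array), and treats a file as suspect when its Authenticode or catalog signature no longer validates or when its SHA-256 equals the sample's hash from the General section. Reading the dropped .bin under config\systemprofile needs an elevated session.

```powershell
# Added example: verify the binaries this report shows being opened for modification.
# Paths are copied from the report's "Drops file in System32/Windows directory" signatures.

$SampleSha256 = 'd47f10e5f37f83420cf5159ceae94d00b4695ea7853d20b27a37d1c239b1494d'   # General section

$ReportPaths = @(
    'C:\Windows\System32\alg.exe',
    'C:\Windows\system32\AgentService.exe',
    'C:\Windows\system32\AppVClient.exe',
    'C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe',
    'C:\Windows\system32\dllhost.exe',
    'C:\Windows\system32\fxssvc.exe',
    'C:\Windows\system32\locator.exe',
    'C:\Windows\System32\msdtc.exe',
    'C:\Windows\system32\msiexec.exe',
    'C:\Windows\System32\OpenSSH\ssh-agent.exe',
    'C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe',
    'C:\Windows\SysWow64\perfhost.exe',
    'C:\Windows\system32\SearchIndexer.exe',
    'C:\Windows\System32\SensorDataService.exe',
    'C:\Windows\system32\SgrmBroker.exe',
    'C:\Windows\System32\snmptrap.exe',
    'C:\Windows\system32\spectrum.exe',
    'C:\Windows\system32\TieringEngineService.exe',
    'C:\Windows\System32\vds.exe',
    'C:\Windows\system32\vssvc.exe',
    'C:\Windows\system32\wbengine.exe',
    'C:\Windows\system32\wbem\WmiApSrv.exe',
    'C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe'
)

# Non-executable artifact the report attributes to alg.exe; this directory is SYSTEM/Administrators only.
$DroppedArtifact = 'C:\Windows\system32\config\systemprofile\AppData\Roaming\1c11182fbb5459c0.bin'

function Test-ReportedBinary {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # Optional components (OpenSSH, Perception Simulation, ...) are legitimately absent on many hosts.
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; SignatureType = $null; Signer = $null; SHA256 = $null; Verdict = 'skip' }
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path        # inbox binaries normally show Valid / Catalog
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $verdict = if ($hash -ieq $SampleSha256)   { 'COPY OF SAMPLE' }   # byte-identical to the submitted file
               elseif ($sig.Status -ne 'Valid') { 'REVIEW' }           # NotSigned or HashMismatch after an overwrite
               else                              { 'ok' }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        SignatureType = $sig.SignatureType
        Signer        = $sig.SignerCertificate.Subject
        SHA256        = $hash
        Verdict       = $verdict
    }
}

$results = foreach ($p in $ReportPaths) { Test-ReportedBinary -Path $p }

# Only the files that need a human look; a clean host prints nothing here.
$results | Where-Object { $_.Verdict -ne 'ok' } | Format-Table Verdict, Status, SignatureType, Path -AutoSize

if (Test-Path -LiteralPath $DroppedArtifact -PathType Leaf) {
    Write-Warning "Dropped artifact present: $DroppedArtifact"
}
```

A REVIEW verdict is a lead, not a conviction: a host with a damaged catalog database can report NotSigned for untouched binaries, so confirm by comparing the SHA-256 against a known-good copy of the same build, or run sfc /verifyonly. A Missing verdict on an optional component is expected and can be ignored.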
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe

All 64 operations target four device instance keys under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI:
[A] CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
[B] CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
[Q] CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
[D] Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000

Property subkeys opened, relative to each instance key:
[P1] Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
[P2] Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
[P3] Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
[P4] Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
[P5] Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
[P6] Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
[P7] Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C

SensorDataService.exe (32 operations):
[A] value queried: FriendlyName; keys opened: P1, P2, P3, P4, P5, P6
[B] key opened; value queried: FriendlyName; keys opened: P1, P2, P3, P4, P5, P6, P7
[Q] key opened; value queried: FriendlyName; keys opened: P1, P3, P4, P5, P6
[D] key opened; value queried: FriendlyName; keys opened: P1, P2, P3, P4, P5, P6, P7

spectrum.exe (32 operations):
[A] value queried: FriendlyName; keys opened: P1, P2, P3, P4, P6, P7
[B] key opened; value queried: FriendlyName; keys opened: P1, P2, P3, P4, P5, P6, P7
[Q] key opened; value queried: FriendlyName; keys opened: P1, P3, P4, P5, P6, P7
[D] key opened; value queried: FriendlyName; keys opened: P1, P2, P4, P5, P6, P7
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe

Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  [TieringEngineService.exe]
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  [TieringEngineService.exe]
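The two registry signatures above (SCSI device enumeration and the CentralProcessor\0 ~MHz read) are the checks an analyst most wants to reproduce on their own sandbox, to see what the sample saw. The PowerShell below is an added example, not part of the report and not the sample's code: it reads the same locations and matches the device key names and FriendlyName values against strings that identify a hypervisor or emulator. The indicator list is an assumption built from the vendor strings in this report (Msft, QEMU, DADY) plus common hypervisor names; it uses CurrentControlSet, which resolves to the ControlSet001 path shown in the IoCs on a normally booted system. Only FriendlyName is read, not the Properties\{GUID} subkeys the sample opened.

```powershell
# Added example: enumerate what a sample reads when it fingerprints the SCSI bus and CPU.

# Assumed indicator strings; Msft/Virtual also match every Hyper-V guest, so they mark virtualization, not a sandbox.
$VmIndicators = @('QEMU', 'VBOX', 'VMware', 'Virtual', 'Msft', 'DADY')

function Get-ScsiDeviceNames {
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI')

    # Layout mirrors the IoCs: Enum\SCSI\<DeviceKey>\<InstanceId>\FriendlyName
    foreach ($device in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        foreach ($instance in Get-ChildItem -Path $device.PSPath -ErrorAction SilentlyContinue) {
            $props    = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
            $haystack = "$($device.PSChildName) $($props.FriendlyName)"
            $hits     = @($VmIndicators | Where-Object { $haystack -match [regex]::Escape($_) })

            [pscustomobject]@{
                DeviceKey    = $device.PSChildName      # e.g. CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM
                InstanceId   = $instance.PSChildName    # e.g. 4&215468a5&0&010000
                FriendlyName = $props.FriendlyName
                Indicators   = ($hits -join ', ')
            }
        }
    }
}

function Get-CpuFingerprint {
    # Same key and value the report shows TieringEngineService.exe querying.
    $cpu = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    [pscustomobject]@{
        ProcessorName = $cpu.ProcessorNameString
        Vendor        = $cpu.VendorIdentifier
        MHz           = $cpu.'~MHz'
    }
}

Get-ScsiDeviceNames | Format-Table DeviceKey, FriendlyName, Indicators -AutoSize
Get-CpuFingerprint
```

Run this inside the analysis VM: every row with a non-empty Indicators column is a string the guest exposes to any process that runs the same enumeration, and the device key names (not only FriendlyName) carry the vendor string, so renaming the disk alone does not hide it.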
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe, fxssvc.exe

Path abbreviations used in the entries below:
<Cached>   = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
<MuiCache> = \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E
<FileExts> = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
<oregres>  = @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll

Entries (action, key or value, process):
Set value (data)  <Cached>\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfab2d9af7b3da01  [SearchProtocolHost.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer  [SearchProtocolHost.exe]
Set value (data)  <Cached>\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb55609cf7b3da01  [SearchProtocolHost.exe]
Key created  <FileExts>\.DVR-MS\OpenWithList  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"  [SearchProtocolHost.exe]
Set value (data)  <Cached>\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d248c9bf7b3da01  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\<oregres>,-172 = "Microsoft PowerPoint 97-2003 Slide Show"  [SearchProtocolHost.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie  [SearchFilterHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"  [SearchIndexer.exe]
Set value (str)  <MuiCache>\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"  [SearchIndexer.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  [SearchProtocolHost.exe]
Key created  <FileExts>\.WTV  [SearchProtocolHost.exe]
Key created  <FileExts>\.svg  [SearchProtocolHost.exe]
Key created  <FileExts>\.mid  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"  [SearchIndexer.exe]
Set value (str)  <MuiCache>\@windows.storage.dll,-21825 = "3D Objects"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"  [SearchProtocolHost.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows  [SearchProtocolHost.exe]
Key created  <FileExts>\.svg\OpenWithList  [SearchProtocolHost.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software  [SearchFilterHost.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device  [SearchFilterHost.exe]
Set value (data)  <Cached>\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3d0539af7b3da01  [SearchProtocolHost.exe]
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE  [SearchFilterHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"  [SearchIndexer.exe]
Set value (data)  <Cached>\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc74b699f7b3da01  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\<oregres>,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"  [SearchProtocolHost.exe]
Key created  <FileExts>\.xhtml\OpenWithList  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"  [SearchProtocolHost.exe]
Key created  <FileExts>\.mht  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\<oregres>,-126 = "Microsoft Word Macro-Enabled Template"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"  [SearchIndexer.exe]
Set value (str)  <MuiCache>\@windows.storage.dll,-34583 = "Saved Pictures"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\<oregres>,-194 = "Microsoft Excel Add-In"  [SearchProtocolHost.exe]
Key created  <FileExts>\.WTV\OpenWithList  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\<oregres>,-127 = "OpenDocument Text"  [SearchProtocolHost.exe]
Key created  <FileExts>\.pdf\OpenWithList  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"  [SearchIndexer.exe]
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer  [SearchFilterHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"  [SearchProtocolHost.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My  [SearchFilterHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"  [SearchProtocolHost.exe]
Set value (data)  <Cached>\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2f5799af7b3da01  [SearchProtocolHost.exe]
Key created  <FileExts>\.pdf  [SearchProtocolHost.exe]
Key created  \REGISTRY\USER\.DEFAULT\Software  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\<oregres>,-114 = "OpenDocument Spreadsheet"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\<oregres>,-178 = "OpenDocument Presentation"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\<oregres>,-120 = "Microsoft Word 97 - 2003 Document"  [SearchProtocolHost.exe]
Set value (str)  <MuiCache>\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"  [SearchProtocolHost.exe]
Set value (data)  <Cached>\{33154C99-BF49-443D-A73C-303A23ABBE97}
{886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fab89d9af7b3da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bcf9e19bf7b3da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
pid Process
2912 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe (this pid/process pair is repeated 35 times)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
652
652
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
description pid Process
Token: SeTakeOwnershipPrivilege 2912 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe
Token: SeAuditPrivilege 1896 fxssvc.exe
Token: SeRestorePrivilege 4496 TieringEngineService.exe
Token: SeManageVolumePrivilege 4496 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2680 AgentService.exe
Token: SeBackupPrivilege 4044 vssvc.exe
Token: SeRestorePrivilege 4044 vssvc.exe
Token: SeAuditPrivilege 4044 vssvc.exe
Token: SeBackupPrivilege 4644 wbengine.exe
Token: SeRestorePrivilege 4644 wbengine.exe
Token: SeSecurityPrivilege 4644 wbengine.exe
Token: 33 5112 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5112 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5112 SearchIndexer.exe (repeated 24 times)
Token: SeDebugPrivilege 2912 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe (repeated 5 times)
Token: SeDebugPrivilege 4856 alg.exe (repeated 3 times)
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid Process procid_target
PID 5112 wrote to memory of 808 5112 SearchIndexer.exe 112
PID 5112 wrote to memory of 808 5112 SearchIndexer.exe 112
PID 5112 wrote to memory of 2220 5112 SearchIndexer.exe 113
PID 5112 wrote to memory of 2220 5112 SearchIndexer.exe 113
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2912

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 4856

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 4636

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1164

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1896

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 4732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3784

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2712

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 3496

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 744

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 4344

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 1432

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 3976

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2956

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 3584

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2072

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 4460

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 1516

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 4496

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2680

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 4820

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4044

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4644

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 4844

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5112

    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 808

    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 2220
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD57256783a0aabb10df5f31a52a961e5ba
SHA137a4964f5a26638db7eaf3ade43bb242cfde9162
SHA256ec842e366e2fe0377db86f42b02a8fb42c17412ba45caaaf7c441873e3bd5a40
SHA512c9eead7d8aec316742bfd05cebbb0d2d7a545ee3684fe30613d845d8a98f8a3856a9aa5eb7edb3104242b651546b490d4d1cf5701eb430802d4f9d47850bea52
-
Filesize
797KB
MD5c0e77d168cb22a2c9279accb9cbe714d
SHA11d71f2907dbe2c1a623bad6a401d1c41dfd3feac
SHA2564152517816c2033958ffdd5c7172ac70dc545d8fcb9300fa94d4f0a15b5b9199
SHA5126e8ef56e6c773383908ea9950bd71454861e3d0a24e581b11d2d2c92cf015ed8f07b597834162caa0b131e1ead37bec419e2b59df62e75fa64ed41bab449d38b
-
Filesize
1.1MB
MD5e9edc850901a2527f380e1737627864b
SHA1d5c4f9682083d07ae5453020d513419183994074
SHA256b9dc75167b68bfdb0f8ba5f93ac122fe7342a786cd93de0e72c9ce74e596ac16
SHA512090a8371d96b1646114c160c64bfca28fb929047b572efbb8733084e499a1a585f8d26ccdf9da9e3418dbf94f265e8726a7785187f9868882162ef9c70711efe
-
Filesize
1.5MB
MD57bc948fa5a7b669608c6a72a8be9158f
SHA16c8a2848d2383cafdae5dfb90c058b0e11ad83b9
SHA2563607a3c17c4346a789322f387f6d15693a714aa9904a9e825cfd1a4e19b2e82b
SHA5129cff79ac57ab23f97fac855b74f4168b87b2d499d2030306c1806d476e35e94e72260a7cd640067682987520d1d0355bbdaa148fded8de545f5969c09e1d08af
-
Filesize
1.2MB
MD5f5308b32efabd180174ef4817487c7f1
SHA1fa1f519a3550de5e308c063abc201c3c03cb634b
SHA2563186c9df83e357a9ef6533271d3b82d6eb49076e06c8dc34145cff6457885846
SHA51260e99d68c89e6fe4056799f53d0a01114f9fb58b25132e29fa9bfcf1cf23129d6334964eac7ceac690dda32561b03fe7137220007420134c779f97c3548d5286
-
Filesize
582KB
MD57d7a9007b973ab27c86793a5c20acffe
SHA115df7b079250fb69311f99fb75e613c121d420af
SHA256947d1513ada276512eeac995a679ce20973b7cff67c335fe976349a84f98d120
SHA512df015ec5bf06a783d6929341b6333ca24ceb30a74f6885b5d09c5d21eca1ff521c390cdc815fe5a50ba61709f9ada13c642f678e845a05184f83a72482aba640
-
Filesize
840KB
MD575348808cbd33cd09a0d22c8d15d7345
SHA1bbd8d6a6302cce2ddb524efd5d834da28c2e8127
SHA2561af385243595e83e006e5aa41957b0ae463ba50ba92f7f04204792d5b6a93145
SHA51275abb13f7d61e2c8fdb62324e59394bcbe14644537ff5377fe1cbc5bdd2c76d7d8fea8dfcd9e474c8cb947955b299089b7d29a70852c593858c5ad51ba292e8e
-
Filesize
4.6MB
MD5d8528a7f3c836c506ebbcfea8003499d
SHA136f69e70640c1a90d3a3fecdfdf61120cccf3f50
SHA25642e3a525578e8989e7f01cf4ae11ef1efe9279dd046c6e3e120fcc9b1a1ae279
SHA51282f1c74201092221100e02385170995a8c4b0c8d3ed15d066fcbebe44b6f60547c481963cb629f2ff48663009f84152d5d15fd34e3513ea34cb3f3d89596988d
-
Filesize
910KB
MD5bdf49d55e810925bb0780b6b1a177bc8
SHA11cb232da8dc226a9b5ef24793178e3cb33e6ce78
SHA256bf7561816c6317ff709783c727207d58d167e68b31626f1faa646b8596d1c89d
SHA5129f02022621ed6e44eace08d48b175b421fcb9a811e316f78d2a7cdd53413674edd7e739624769c3f27ea2b2edc89187281dd16f86bba12e47328c78f0fb68680
-
Filesize
24.0MB
MD5fd4d270ccf30530a3869edd1354d9ff1
SHA12a1a97659d7f423036402acaa1934e4841263e27
SHA256d90e70494a0f75909cd80ac0b0fe62d0d0f266f2d458172996fd87991d63bd32
SHA5128c381451c81235a4ac44e3413ea9debb0bfb7b7fbd303d34574cee412c9fdb45155c820167693a45bc7adf488eb416272a5b097742e4b570d4b37bbd2708935b
-
Filesize
2.7MB
MD5901a04de85a995dcbed74b897a38703a
SHA1f1c1190fdd124c38bb9950cd68814a899eb8e0bc
SHA2564d1c0f8dba2f58f39897c22f2d78cad122a8fc60965e88fe93db6339c093b9b0
SHA51250f51c6ec32d794be6f22c9efb8e690b4484399f2f02a3e595167734e6a67b93bab04ec07ca60892de29086fcac47ed8766c348f25a57d515e5ded17c1528fc4
-
Filesize
1.1MB
MD57ee50c33b66a0650fc105011f3f78663
SHA1b6ff74656f7b774059b98d82ee3a00cdcfe3c2d9
SHA25604bf5adbebd5fdbe04d41dd0fff93e65f60e1465ded720bb156350419a0b0a79
SHA5129ab9e413cd990d815a9e92783c7fe0a9f0de844b06b4c2142858ede14fbd4fdae795e0ded63a824fd25953cabea8d439b822c4acf0ac5d7672a8e3364dff573d
-
Filesize
805KB
MD5ea6843700cfb34f2b8bd14acb1397069
SHA17c635687a4698e7355af080c1ebe7526ac87dd15
SHA2565450322dc53bc5ba4a4acff062be86262f1b223de1874c450feeed5a6aedc354
SHA5121a299c7e323dfb90d2f23aa231368aa5bcf574842dc395d80d43c880816e11e00a6d1ea2226504ea24c2c29b6ce2c70d4426d9eb28bedb31c5cb56635f33152a
-
Filesize
656KB
MD5cedc6370272bc3775b34b3828c4faa05
SHA1fb25e180b99890899710f2fd2936d6ac5663cc16
SHA256ff94b54bfcc49c807330196ef7952e4e4d817cab0109ad5f07aa628c98fcf904
SHA512b2c31e49835edb430fe65cdb6652b7366bb5bb1ccd0e022c0fbc021b202cb8e6415a99dc72e6e19bd1e44525c6037101c95d5564faebda5b64725fce4611523d
-
Filesize
5.4MB
MD582ded81dfbdc02be78c6e7ba5698c0e6
SHA127c6da2613d992e6ea322b764bcb59d5710ed4b3
SHA256f004f8ecafa72f510d2ef5c5db9aa79ff2c113f7f52b39b4fed99ac83afa6d8d
SHA512f7f195976047273ebb1f899671e571a4a3d5d0df2cfd9a767a47c268703bddbc8bfe2ee0e2185af34e14dbc3aaeaf355d250ff6e5fc22fba01dc5475b1150132
-
Filesize
5.4MB
MD52c5a80abcab205c514c0a451ba932156
SHA18a7e1ca25e9dea3f7906c28586556dfdae8edf27
SHA2565e31399f94c6545d20909e06376f46fa623e85c03079b58cc280b996aab3ea56
SHA512fec17a39d7c18823ac60181ca5ce25de6338e4b2e610290091469a1550a06950c9537ce20ba3a67b73e201ca1b6bb760ee8b09683c9ec54bac1962c186057cd9
-
Filesize
2.0MB
MD555e26e0432e5d36f592f7676f12046ec
SHA119d71a42a24a2140dbb6503291185a34df4d4220
SHA2569340b2cea74409e1abbce83a0ff2d6a72a23176a21f01d63ba71261fab63acb0
SHA51253b1f535832caea79d87da703875c333370c7b7dac5373a1a3de0a3a7d87f68e2aedd6f62a962ee7c459b5bef48e36ab03199201d9cc8ab932b4b9657a35aee7
-
Filesize
2.2MB
MD51e5fe1e1c2d7f7066e26934da16c09d1
SHA1ae5dea2615aeec392a4467f28028a44e228dfc23
SHA2564e2b2e5a92160f50610ca2627bc24ab5e9f3fd07aa85af44348d3b240c641f27
SHA5127de56512fb3ace494814bd9fbee06c626f1475e91bcf9c79d12e7ca5c4d254cbd170be6302bcb92d7a2de7e4637ebe0464338847f1c49f2508919a649e3be447
-
Filesize
1.8MB
MD541bc3abda0528e928ae534c1ddb95b75
SHA11a8bef75335a7aca6c5802e23c658def85a833f9
SHA256b7a8aeb7975880d3c122279176876d5cd5543920be940743aa2bb700c971dffd
SHA5129c0e2b534fe29ddad537ef8e36d6d96263f345fde35f540cf2df2e5f37e08646510b840207d08aa52516c36a3e52a20b511612454d28a50d689c961782a9420a
-
Filesize
1.7MB
MD506483e5d5f3668df7d05e9842b67d3e2
SHA14dbd7e27768d451388d3144a6bf4f97b5b7b495f
SHA256a78d7c7969dc3966d6b22d9c55df752a8fa65e05eb0c4db44f66a10342dfb7b6
SHA51239253791e2d9823ad3c7c0158a850bae49d88619e2859d00560b9f93d8ba07225876117b8cafddabad764647121c788eccbb7bc22153a5d3b04dd728329bf145
-
Filesize
581KB
MD586e80de11cadd4cb285dc29fd45d268a
SHA1a2d55cf00c5fe77a44b73e9d61e70001dbeb3450
SHA256c6183ab77b01ae12bc60f93e5abb78c978da6c210172d9e1dde9d24193bd332c
SHA51275338b3d674d708095df4c16d88b6bffc102f9c73a6d23dda4b46c3658ebdef56aea09f134e03d29b8c9c3694ae4af2c7a0e6f6c571b9c980b74bb7d7aad4348
-
Filesize
581KB
MD5cb0fa679b7d08ce3c0cff9ebcffb3c8b
SHA19b259102a9486e6f0d423acbd28e22ff74d365f2
SHA2560ddc8dfaf02e6e651609c2c0cc9390f07810f01f37e61f94724b97bd866a4e82
SHA5127e7bf372aaadaa995af182ab7abb5f424394a67fb0334555348ebbb847a05a4ba1f4325d540445a548cade83bf1192f6fae633475c9792a21c92122abc4fef70
-
Filesize
581KB
MD5b69d99d163f007e487ba1e5dd35d0214
SHA1d9170a0ca9eda457dfc40e62d4cced9a08d4ec56
SHA256daec949356611b0df1fda23783e11d8ad17a691c079577bb49805ecd1f6a18fa
SHA512d3ab74ec70bed67c74d3ddfad8335df8ae191cd575d108488cbd9ccff38e8d4582445426010cd0340b421f9d7b8954f8603972f9da7f6d46bb54f1f596cf6106
-
Filesize
601KB
MD5c096aefa1ab64ea11def4ca83b9f3435
SHA1925ba62074336dfe9e2bb32a2d6d6ef1b5cdca2f
SHA25600e40a21a1349b62de2e23e9ef8c23864b6cd56f7c436c1c0a449a5d67be83f1
SHA512c396d0d0a8c8c089438062fe956c77c935b449f25a85745233405b428c6a715718e57514e83a35d1626011220bd834bfbb7f683d1dad73e3ffc23a45e65a082c
-
Filesize
581KB
MD5a8eb1a5769f81f12a403793adef19c69
SHA12318a2840cd46cce378f8334adb607c0503fd4af
SHA25699f187bd199829e32e6ec923b0a79245e9ffdfcc4d2b614cb82bad34305b6311
SHA512306777b5850c941a6e1435f9fe7903d23695fbd061d6a4ad19ae4a49f5577e0123ed61eefb15bbab133d0870199ebe81de47a2420f3b973a0c1fee537cd00ecd
-
Filesize
581KB
MD501b116331796cbe9c18841d66017abd8
SHA1cf220595c6a3da9fc6e47fc854f24e12172cc052
SHA2568105470202bb72c10d3d562e5ef744a45290d740999f586da4e66becd6e28a4d
SHA512faefe5c3ff4c607d82fc79e056319f18fb3088772d68e5ed1aa8698414d36e3124b4ecf79e2b8a1c6bb5cb36108d2bd75285c171e121c007fffcb6f95596b4ba
-
Filesize
581KB
MD56424ef4a16f410b7b7cf56d4c5f5bfd9
SHA1d42655407be9b6f58456c71e490b750a1d2e7fe4
SHA2565c7cfd65ea24bacde1177ae3e84e1a3b2565910d2da6a5a153f2554669e17277
SHA51273db490083733be934fef069738266db2c980e41535c8f49abff5c1d969b8db13b70c1c47552ab1454a49f9342bc3e35fc92b61f88474bea3ffda2bd4dee593a
-
Filesize
841KB
MD5cdb8cbba0a9627dcb2e71af1227f41e6
SHA173cafe80e8423eec7218c50d5d3a4989b438a527
SHA2568a76efddd5965c146ef3647881d6eb6534462289f62352b444c38893d931d84a
SHA512f4d7ba5f38dd87f76acfdaeb8cd833b0052eeaf2b145d4a260f6cdc49b6da41023df5b6b8ef507920711b67afa3aabcb7159f41c643caaf8252cd5e19a78572e
-
Filesize
581KB
MD54c7e37f5a449318c9b6873b5a3c89a16
SHA135c6c1cfaf6b71cc849d99a06b52e217f62365fe
SHA256d9a3fe6b907894f5a7e96a87027fb6485c47d63b561ad55d40ae158eec291513
SHA5123efa372a99301fdf2497a8148811f77b6f610d29eaed76d27f1bbecb07f2455f615f07fe927dd8d8359ccfd594a24b490fe20231d2fb294050732c3fb93b5723
-
Filesize
581KB
MD52c67a06783fc5d642d4a63c44b0cfdad
SHA1029bee21f41c90dd580bf0e5950efd2ba6c8a584
SHA2564ce7e447a991ecfa18f44e013d0e0d36a77da8e7638e429909488ba9c2ebaea3
SHA51244dbe6f640bd702cfd96ae4d54af1b4ba1379e841308fdd0fc002d6399e48cdb38adff2ecd2c403e5e5954e258d735ec188c11d9a204f2f65b5d876395b892c2
-
Filesize
717KB
MD5c66ee9b2a442c26b702748a3e2143057
SHA1298c26f2f9b2e1395fd4bfabc30d47c984ab4fb5
SHA256d796e2c17ffe7799bb185690405098311b34c2e8490f75e299f5110fa9ea3985
SHA512011ad89a419c5ab5be06f49f89eb08510f444787982a2bfa27d44adc4142d9e9a3da6600323880de06566b9223dddd14b6cade10f8926ee4f6f4c7a54afa43b8
-
Filesize
581KB
MD59ed4dac73716f7666a3ea78bf6f07acf
SHA1e32c898af1d6370cb6e2e7d7b5e539cf41b7dba3
SHA256f65751d277c1817c90a6738bb6f09c0ef5fa9ea708e650cf14b7151cfbebdb53
SHA5120e39a6e6b402195c03a9a35a27f44fc09ac6577fe495ccd27d0c100a773fcfb265bcf3a4583c50882e8d047d0a88d7c5a543446d5c5d80cafd57a143d9da39a6
-
Filesize
581KB
MD554ef96158fb6c86e5b0aa166ff388b1e
SHA12af959527c2dbb04523ac2db0ecd26badf75d933
SHA256775d75340198b9d824aeaafecbe9067fce25e36f8e0743a1cf76acc1c1afe1f7
SHA51275f0cf9dbbf09b15321eed677cf2287bb1f04c1eeb12cecaa973989edad4e1d69d6ec281a52a38ac94bb431521a6ac163b193d8b373512e2c86f33eb0d2e8a0b
-
Filesize
717KB
MD58f3b61033a09016ccc46e34acf4ac056
SHA106a8507ea7f7dc3cac6d3332ffb7617c18c6fc7c
SHA2564daf82c217d4959b61fa89f8fcef35ca73f88514dd17662004c37a497e97331d
SHA5129438adee80b64a40a7e060955243e4c7b9c9acd695be7dfbc22530d4690aee92dd52766a53f2f7331e64cdf9bb3fc42e58fe6c72bf905044207f149596a33a5a
-
Filesize
841KB
MD59044b1132c3f0cafd0880a8bcb7fc148
SHA11eff4da73ee6dd6b888bbb9b7f0fa6e4b2b24376
SHA2561d45a878dde9fa4e98a3d90ecd79afc0dcd0beda4019c0c0e6f6afb060228906
SHA51262894b1b0d1c8d80fd9c800e1b7ac9d0ca6c33d6cab5676d29d0e06d35dea37f33b6967697fb81164e410914b18a356cd7e3ba5096663299413ccb83d6fa5b24
-
Filesize
1.5MB
MD527faaa9bfd660fbcc1970ec108cf20cc
SHA195bf1f5fa12463bc1e3dba189310ae7b4797acd3
SHA25683548e25f7a6630cc8d66545011269db9d2bef004ded73a936a65587f4f1748c
SHA512de8c37d6fe72f39f398c10944e919747b5b99e457ccef54d25df09883433e06d7a06d0dc10782127d7f48865c7f9ab41e9ff5549ff4ca17450bf7c997a168fc1
-
Filesize
701KB
MD519918676ddd31ef482260ab1eef6fa1b
SHA1a4b5e5aea2e867fe72415fb40c78766c096e0c3a
SHA256d2c452df05d43c45b3f7f38f45d25e0b0ae18e7b9991faf1e48c15ffe85c459f
SHA5123ce8f78d1539c8b3e40d93121b9aa172a4392415c2b1aa8ac4a249716b2d0196b5e8cd2907989aebb467bafac4e246c0fc37d018f3c12cc4a7a01ecb24c28076
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
588KB
MD550ad908f52777b75e6a24d747cd3a2ba
SHA146d71a81cf41374ca6dd55198266976d77974631
SHA256712d746ec9016e6c32a096ddadd5583cdcf4c8ccf66ba78d02fa0e338b55127f
SHA512c97df0199dfb14f99da318dc5dafd75bf7dd04f5776ccd18ed64fa3bfa38860c5ab3d0354e8d25c1c01b8e40d790ee15850e05135158378e674d1b45240a9c6d
-
Filesize
1.7MB
MD5b597e5c7ac383ea8114c0f0f95db1549
SHA18396ff7fa7fb0d5710953b975f655ab8b54fd2b3
SHA256489afd218ed7806bd753cdd8e9120775794fe88feffbdd1115cb6269446be7ca
SHA5120a85c2c89515cf6168411a978a9ca7df81cf48f1210d9e08804873ddf2aa1ee845a47b6f64b348902ee1e1dec6c76a92850cd5776f70f27f31cd2d32e39bde75
-
Filesize
659KB
MD505bef1679d91694facb0dbcb92dd3605
SHA1b4619fad115690bf5e04fce1cf7b83b0997df3ba
SHA25680f7b7e5bd054219ee288ecc6213c4caca773b7a54602d3a24492f7ac77c800e
SHA512ed8ac6142ea1b8e4aa21df7c7570b5ba9527db54a842d07cc480e02fcc58bf8d6e717baacf03158d51067c5e3994cfa413aee52475664b9476b5f21c28dd0e2f
-
Filesize
1.2MB
MD5ed90ea0ade928f3c83f3a96b9074fb6a
SHA10aa0033a3f850da02359250fea7583223dd164fd
SHA2566a3d232a2a985b65d35bc8e7bb38ab1b2ee0083fc808f0291ced911ea8977a57
SHA512009ae6672171a26e7c9aab16e207c8709f29565e1191f457a573d337639c130f0e78bb432535439fd1c76768ff33177708194365af3621f62f28dd7246a4af3b
-
Filesize
578KB
MD59bc18677870e2f2930b39068cf5e5e9b
SHA12a97b4684dca9641d271ff415212ab2470cb5377
SHA2561d1661416b3c4aa7cdacc84bd95d2e6e639766e4394f8d913c2b58a871bfcbb8
SHA5128b909b21c0bdbe65af7c77d2ec2358272f29f17696525188d9f4b0504eb772d487b758f77821ce5583fbd07e8411263f0914e46bd002c24e1d43d6793150f981
-
Filesize
940KB
MD53d8447abf396b029a01d3afced47f54c
SHA1a9e820271df501db8f3ddd7a21387bbf9bf67c22
SHA256b521ebc2801a717ba05ba7eba5aae1fc9da0db0fa9fa0aa4576d21ac0d380a7e
SHA51292555f9ec5f6bf2d874f89bcf98a23a6d2fada8313ecfd90eced00ef6e65f0d3635d78c3da5596d4f3d6f5a7983d3eecbcf4700cd18267c9fe4089791f1c0dc3
-
Filesize
671KB
MD5ef6150238d98305183a70419aca7d584
SHA14d10d058ef3b860fc1ce0c9679d6728a54f68f8d
SHA256b76fa0aaad1224746be40d8f1a47fa8506edaa29f979df74a2decafc1ddfdac1
SHA512cd1d2c23716cd94fc071ada4f55d555477853b58eefe5f70fd9c7ec8828d7fd2b83406738ce29e1dfce18b8dd44d85c62b9ed42052a6e67b8f7adaecacc3737f
-
Filesize
1.4MB
MD57bfedcd05031f2083f791fd6a356557a
SHA19f2d9adc0f7e37160318cbdad362ad1e8891cc3b
SHA25616e0fccca70da97029fba52bb32605793676139a6a2cdaf76d523b221cb50b29
SHA512350b64483f165de46e22207389aa8834466f673071dbb8e6022b08be444cb26ac4a395f0937fe7b9f80b5150a400dc3cf767561240266f4f54e6475e6ca34619
-
Filesize
1.8MB
MD5994b6c9e86b4ccb903af90eae8874b36
SHA123efbad2da49245ce094cae9f68e11ec16458533
SHA256909515cf38afc190eb4569f531992d465fd04b4e26e45adb47831c10212fe6f6
SHA512808d6c6d6c393ac716f048369e0a51e56151be9e1fa41a1e99aeb635ff31d7d83047a3e9d9153cc4ff226599075a5a7c29e948444c7396fdc2d5d8647efacc1a
-
Filesize
1.4MB
MD509c924c877c95969901ddff39a1d7d6b
SHA1d6a7799a1b920b9d79556811ec74041895b8f208
SHA256b65fcb00ceeea32dac07c8cb9fdc3459ab57b9e7b97122eb063265451af820a4
SHA512b5fe57b12a94bfa286eeedbcb6e8e664435eeb9b42e665a780f7cc6ed2d97b3b0f015b2d2e9dda6de51416d009ae71c7973d43f0f9fdee0ad3994f1a3d405601
-
Filesize
885KB
MD52a1225c9e5d3ea5f800cc8e093be52e3
SHA11c1dc2f8be7691a5269764d7228039d19ac78ef6
SHA25650b41a674c6dd9fe4f4c57a37d03cba4bb97ca16581d523378e487909dcf72ae
SHA5123f9ce920eb4e5d4058b82ddc6c585bbcf1064ea712dc1335a6d0d206c3ad269e856ec47d7aa75c7a8fa88d3dfd9fe5113501d482e71b5162f5433deefffc95ff
-
Filesize
2.0MB
MD5bb6d9cad498ec25ddd2d43b6c41737fb
SHA1be0ce8a4a28a0399381fd04fb7c2e003b22f2f8a
SHA25670926c5beb0c0398da1d3032f2b083844a75ffe0ef346a28eaa0e1624d6c16f8
SHA512a2dbe951fe5c148d6b031de3db066d593903c49669df0fad5eec845e36c1eca167f752f1af238a9dd103bef1e206d185d09813f5374606e58d31c9db61174673
-
Filesize
661KB
MD5199ffae83a344a7893bf064d59eb31b1
SHA1897d405877c710b921e1f66380203846323dfd75
SHA2561a2824d74b4e260dfdeb550e29259dd635175aa93bc766fa1665c128df069f80
SHA512d8c4495e854f970aa846561c1f92b8294c548c6c67201002e1dc801bccf72511e8a31967404c1384d83b47728f6aa790ad8e3d00d0acdee2ae9c1de93c534414
-
Filesize
712KB
MD5
17bf4c86b29661965f7aa15489cdacc6
SHA1
32380e47c390da960321982101299501dbaedac9
SHA256
cc7a9bcc88aab931ba52509c188ebd45295b4e448a93618b0ea1f0b018b71317
SHA512
7e76898196be5ac915343508fd0a15ee298666f47390b846f5eef04de9666a86fe94326521847896df9f975fe1f574049e10bdfd25e62fb89f1ab2106e9591fd
-
Filesize
584KB
MD5
1cc1ae25d0e74d67f93af8d98e8139a6
SHA1
f7edf3328a4ba7cc0577751e43dc6b14813c7368
SHA256
3965fdd7f28731fc24baa5725bf7634382ceb10873dc628355635fa130ff24da
SHA512
4e04596782ddec6b6bf417b202e67174b170d8a02eb28ba04723517f80e5d01c99e62c8ced71a2c6b25fdb67b09a7b57277652de072c0cad462e21d43c7142ad
-
Filesize
1.3MB
MD5
45278d9be328cb4f2b6896a7404710f6
SHA1
b637f8e264734a28586c2808b8d64ee42749b25c
SHA256
381180541b0e0108a8ec2a2ede11d691d3613c37e78d00a2812c2053386df4e9
SHA512
290f2e598df3970225eaadbb56fd68aba34fc70493b2e57a5092ea2f0795fe4e456b261c0e0dfb2b2ad468de4c57da646d1ead0590e57caace2027b9c46e929d
-
Filesize
772KB
MD5
e70195f914923744210af48fef68ec30
SHA1
cf8cf84eeed1eeebd036a1824ca707201f494f96
SHA256
b917c6df8def48f1a663c3bcdb0407066b85b49f8a9ea2690000d6e1c6fe388e
SHA512
363746e825faac6cf4c69bb47f976bff92da09516e661a08d0b68760eb21fbdafaf23ea92f247f2bedb368e73ac18609329b7738e1fabc0b7db8bb79590ecb2d
-
Filesize
2.1MB
MD5
306a3cf799ca650e9bdbbc5382ba757a
SHA1
d11944a8affc492d676c47d117fd0039df12602d
SHA256
361fe294b0bcb354bb1f73a466ebbc75ce7d9c37f74539bae0e28fb474b07748
SHA512
812740070421ad54e3f7c9a031c04784f806030003abf7f5fdf11b44b16b1a7c35dac98a6bdc36146ca7fee091beb0f373ef55cf76cb884db4ad4fbbd116e445
-
Filesize
1.3MB
MD5
f0735f3b934cc9b0295fe40a55b6408b
SHA1
92947f4866062260d6c32661704c53e71f3317d6
SHA256
82c53a95afde795b0462a09136d8ffdd04f7163097ab9e0b58b1bd57683eb4f4
SHA512
5ad268b09c33725bca0c10ce208670c262a3556743889b6e99c31bc5f46a156943a69698090cb17df45b1d9ed8c552934c3c21cba19486a568b745a91c2690de
-
Filesize
877KB
MD5
5d52480e96e1a61e9054f9b0bd36943b
SHA1
d77eb6bcfd5b74209f366402d69d808bde44fc0a
SHA256
2d161cedbb3194ca825720a2bce58e8e50100b1b28fd81b5bf8d48a3c18d02a5
SHA512
7ec3621634702cc1a0e88d6550212a04fc21bf590552ca1f1f7e2d4044bc4bb1673cbb0395e337f0d1ee1c7a669c1a9ba1093d9d7123382b69a1f532bece284c
-
Filesize
635KB
MD5
48503050c678eaf98cea333099011122
SHA1
41c6efad21af91eb256fad2aed5d72eaca91e759
SHA256
e34bc99056cc55c596a263025c12aa14c2e885ba9f68b75a9caed52c5e2d253a
SHA512
435830a2f76f2f6e8a0f67914c3a3eb60171dd6adb7c2d9ac38f69882b858708e092d020bdeaef2a7380e234ed612b2999d7e83e5bfb36bbaf4bf631aa8a1b24