Analysis
max time kernel: 148s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 09:24

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-03_02db9fe5affdaa639f6c93fc51fa9469_magniber_revil_zxxz.exe
Resource: win7-20240221-en
General
Target: 2024-06-03_02db9fe5affdaa639f6c93fc51fa9469_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: 02db9fe5affdaa639f6c93fc51fa9469
SHA1: 06e81402d3b74e8bfe1ef80680130d4b79dc48b7
SHA256: bbc1cbb72ff95953d6c87d1d86c9d60cedb43cc19f0cd754abe71d2303ddc7de
SHA512: f131218aa0ef14b0f2b43a27c3315a026aa54266a2bab07adcf85d3ff534fa400ca8905e8c50d1f8b4ecb52d3779809d0352aa6231e2ab37cd139a068021dc44
SSDEEP: 196608:VP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv0189vhg:VPboGX8a/jWWu3cI2D/cWcls1eh
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   process
2120  alg.exe
3492  DiagnosticsHub.StandardCollector.Service.exe
548   fxssvc.exe
2176  elevation_service.exe
5080  elevation_service.exe
2432  maintenanceservice.exe
4024  msdtc.exe
1544  OSE.EXE
3200  PerceptionSimulationService.exe
4712  perfhost.exe
1292  locator.exe
4272  SensorDataService.exe
5084  snmptrap.exe
2340  spectrum.exe
2400  ssh-agent.exe
2320  TieringEngineService.exe
3448  AgentService.exe
2612  vds.exe
5068  vssvc.exe
4984  wbengine.exe
3248  WmiApSrv.exe
2664  SearchIndexer.exe

Every image in this table is an existing Windows 10 service binary (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, vds.exe, wbengine.exe, SearchIndexer.exe and so on) or a service or updater component of third-party software on the image (elevation_service.exe, maintenanceservice.exe, OSE.EXE). With two exceptions (elevation_service.exe and maintenanceservice.exe, which do not appear in the file lists below; the Program Files list appears to be capped at 64 entries) each one is also listed below as a file that the sample or alg.exe opened for modification. The report does not say whether the on-disk contents changed; before treating these as infected binaries rather than files merely opened with write access, hash them after detonation (or check their Authenticode signatures) against a clean copy of the same image.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, such as saved credentials and session cookies. No process or path is attached to this signature in the report.
Drops file in System32 directory 31 IoCs
Processes: 2024-06-03_02db9fe5affdaa639f6c93fc51fa9469_magniber_revil_zxxz.exe (written as "sample" below), alg.exe, msdtc.exe
Every entry is "File opened for modification"; the process that opened the file follows the path in parentheses.
C:\Windows\System32\snmptrap.exe (sample)
C:\Windows\system32\TieringEngineService.exe (sample)
C:\Windows\system32\fxssvc.exe (sample)
C:\Windows\System32\SensorDataService.exe (sample)
C:\Windows\system32\spectrum.exe (sample)
C:\Windows\system32\vssvc.exe (sample)
C:\Windows\system32\SearchIndexer.exe (sample)
C:\Windows\system32\dllhost.exe (alg.exe)
C:\Windows\SysWow64\perfhost.exe (sample)
C:\Windows\system32\locator.exe (sample)
C:\Windows\System32\vds.exe (sample)
C:\Windows\system32\wbem\WmiApSrv.exe (sample)
C:\Windows\System32\SensorDataService.exe (alg.exe)
C:\Windows\System32\msdtc.exe (sample)
C:\Windows\system32\SgrmBroker.exe (sample)
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (sample)
C:\Windows\system32\AgentService.exe (alg.exe)
C:\Windows\system32\wbengine.exe (sample)
C:\Windows\system32\fxssvc.exe (alg.exe)
C:\Windows\system32\msiexec.exe (alg.exe)
C:\Windows\system32\config\systemprofile\AppData\Roaming\7b4a70acc8648821.bin (alg.exe)
C:\Windows\system32\dllhost.exe (sample)
C:\Windows\System32\OpenSSH\ssh-agent.exe (sample)
C:\Windows\system32\AgentService.exe (sample)
C:\Windows\system32\SgrmBroker.exe (alg.exe)
C:\Windows\System32\alg.exe (sample)
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (sample)
C:\Windows\system32\msiexec.exe (sample)
C:\Windows\system32\AppVClient.exe (alg.exe)
C:\Windows\system32\AppVClient.exe (sample)
C:\Windows\system32\MSDtc\MSDTC.LOG (msdtc.exe)

Two things stand out in this list. First, apart from the .bin and the MSDTC log, every path is an existing Windows service or host binary (alg.exe, dllhost.exe, msiexec.exe, SgrmBroker.exe, the service images that later show up as running processes) rather than a new file under an attacker-chosen name. Second, alg.exe, once it is running, repeats the same open-for-modification pattern against further binaries that the sample itself did not touch (dllhost.exe, msiexec.exe, AppVClient.exe) and is the only writer of C:\Windows\system32\config\systemprofile\AppData\Roaming\7b4a70acc8648821.bin. For triage, collect the listed binaries after detonation and compare their hashes and Authenticode signatures with a clean copy of the image; the report only records the open, not whether the contents changed.
Drops file in Program Files directory 64 IoCs
Processes: alg.exe, 2024-06-03_02db9fe5affdaa639f6c93fc51fa9469_magniber_revil_zxxz.exe (written as "sample" below)
Every entry is "File opened for modification"; the process that opened the file follows the path in parentheses.
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe (alg.exe)
C:\Program Files\Java\jre-1.8\bin\ssvagent.exe (sample)
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe (sample)
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\bin\serialver.exe (alg.exe)
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe (alg.exe)
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (alg.exe)
C:\Program Files\Java\jre-1.8\bin\keytool.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe (sample)
C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe (sample)
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe (alg.exe)
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE (alg.exe)
C:\Program Files\Java\jdk-1.8\bin\jstack.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe (alg.exe)
C:\Program Files\Java\jre-1.8\bin\jjs.exe (alg.exe)
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\bin\ktab.exe (sample)
C:\Program Files\Java\jre-1.8\bin\java-rmi.exe (sample)
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe (alg.exe)
C:\Program Files\Java\jre-1.8\bin\tnameserv.exe (alg.exe)
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe (alg.exe)
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe (alg.exe)
C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe (sample)
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe (sample)
C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe (sample)
C:\Program Files\Common Files\microsoft shared\ink\mip.exe (alg.exe)
C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\bin\jar.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe (alg.exe)
C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe (sample)
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe (alg.exe)
C:\Program Files\Java\jre-1.8\bin\unpack200.exe (alg.exe)
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe (sample)
C:\Program Files\Java\jdk-1.8\bin\unpack200.exe (sample)
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe (sample)
C:\Program Files\Java\jdk-1.8\bin\servertool.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe (alg.exe)
C:\Program Files\Mozilla Firefox\pingsender.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\bin\jstat.exe (alg.exe)
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe (sample)
C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe (sample)
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe (sample)
C:\Program Files\Java\jre-1.8\bin\javaws.exe (sample)
C:\Program Files\VideoLAN\VLC\uninstall.exe (sample)
C:\Program Files (x86)\Internet Explorer\iexplore.exe (sample)
C:\Program Files\Java\jdk-1.8\bin\jdb.exe (alg.exe)
C:\Program Files\Java\jre-1.8\bin\policytool.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe (sample)
C:\Program Files\Java\jdk-1.8\bin\jjs.exe (sample)
C:\Program Files\Java\jdk-1.8\bin\jps.exe (sample)
C:\Program Files (x86)\Internet Explorer\ielowutil.exe (sample)
C:\Program Files\Java\jdk-1.8\bin\jmap.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\bin\rmic.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe (alg.exe)
C:\Program Files (x86)\Internet Explorer\ieinstal.exe (alg.exe)
C:\Program Files\Common Files\microsoft shared\ink\mip.exe (sample)
C:\Program Files\Java\jdk-1.8\bin\javap.exe (sample)
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe (sample)
C:\Program Files\Java\jre-1.8\bin\ktab.exe (sample)
C:\Program Files\Java\jdk-1.8\bin\xjc.exe (alg.exe)
C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe (alg.exe)
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe (alg.exe)
Drops file in Windows directory 3 IoCs
Processes: 2024-06-03_02db9fe5affdaa639f6c93fc51fa9469_magniber_revil_zxxz.exe (written as "sample" below), msdtc.exe, alg.exe
Every entry is "File opened for modification"; the process that opened the file follows the path in parentheses.
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (sample)
C:\Windows\DtcInstall.log (msdtc.exe)
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (alg.exe)
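The three "Drops file in ..." lists and the "Executes dropped EXE" table read best together: each executed image name is the base name of a file that the sample or alg.exe opened for modification. The script below is an added example written for this review, not code from the sandbox or from any tool the report names; it parses rows in the report's own row format and does that correlation mechanically. The embedded rows are an excerpt of this report's tables (not the full 22, 31 and 64-entry lists), so the "no matching modification" result for elevation_service.exe reflects the excerpt, and the full report's Program Files list, which appears to be capped at 64 entries, does not list it either.

```python
"""Correlate a sandbox report's "File opened for modification" IoCs with the
processes the same report lists under "Executes dropped EXE".

Added example for this report; not code from the sandbox or from any tool
the report names. The embedded rows are an excerpt of this report's own
tables (not the full 22/31/64-entry lists), copied in the report's row format
so the script runs offline.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

SAMPLE = "2024-06-03_02db9fe5affdaa639f6c93fc51fa9469_magniber_revil_zxxz.exe"

# "pid process" rows from "Executes dropped EXE" (excerpt of the report's 22 rows).
EXECUTED_ROWS = """\
2120 alg.exe
548 fxssvc.exe
2176 elevation_service.exe
4024 msdtc.exe
1544 OSE.EXE
4712 perfhost.exe
2400 ssh-agent.exe
5068 vssvc.exe
"""

# "File opened for modification <path> <process>" rows from the three
# "Drops file in ..." signatures (excerpt). The writing process is the last token.
MODIFIED_ROWS = [
    f"File opened for modification C:\\Windows\\system32\\fxssvc.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\System32\\msdtc.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\SysWow64\\perfhost.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\System32\\OpenSSH\\ssh-agent.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\system32\\vssvc.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE}",
    "File opened for modification C:\\Windows\\system32\\fxssvc.exe alg.exe",
    "File opened for modification C:\\Program Files\\Common Files\\microsoft shared\\Source Engine\\OSE.EXE alg.exe",
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\7b4a70acc8648821.bin alg.exe",
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe",
]

EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".scr"}
# Greedy path group: paths may contain spaces, the process name never does here,
# so the last whitespace-separated token is the writer.
MOD_RE = re.compile(r"^File opened for modification (?P<path>.+) (?P<proc>\S+)$")


def parse_modified(rows):
    """[(PureWindowsPath, writing_process)] from the report's modification rows."""
    out = []
    for row in rows:
        m = MOD_RE.match(row.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        out.append((PureWindowsPath(m["path"]), m["proc"]))
    return out


def parse_executed(text):
    """[(pid, image_name)] from the report's 'pid process' rows."""
    return [(int(pid), name) for pid, name in
            (line.split(maxsplit=1) for line in text.splitlines() if line.strip())]


def correlate(executed, modified):
    """Map each executed image name to the modification records whose file name
    matches it. The process table carries no path, so matching is on the base
    name only, case-insensitively (NTFS is case-insensitive)."""
    by_name = defaultdict(list)
    for path, proc in modified:
        by_name[path.name.lower()].append((str(path), proc))
    return {name: by_name.get(name.lower(), []) for _, name in executed}


def unexplained(executed, modified):
    """Executed images with no matching modified file anywhere in the rows."""
    return sorted(n for n, hits in correlate(executed, modified).items() if not hits)


def modifier_counts(modified):
    """How many files each process opened for modification."""
    return dict(Counter(proc for _, proc in modified))


def propagation(modified):
    """Processes that opened executables for modification after their own image
    had itself been opened for modification: second-generation writers."""
    images = {p.name.lower() for p, _ in modified if p.suffix.lower() in EXEC_SUFFIXES}
    writers = {proc for p, proc in modified if p.suffix.lower() in EXEC_SUFFIXES}
    return sorted(w for w in writers if w.lower() in images)


if __name__ == "__main__":
    executed = parse_executed(EXECUTED_ROWS)
    modified = parse_modified(MODIFIED_ROWS)
    for name, hits in correlate(executed, modified).items():
        print(f"{name:24} {'modified before execution' if hits else 'no matching modification'}")
        for path, proc in hits:
            print(f"{'':24}   {path}  (by {proc})")
    print("second-generation writers:", propagation(modified))
```

Run as-is it prints, for each executed image, the path(s) opened for modification and by which process, then the writers whose own image was also a modification target. On this excerpt that second group is alg.exe alone, which matches the report: the sample opens C:\Windows\System32\alg.exe, and alg.exe (pid 2120) is in turn a writer of further binaries. Matching on file name only is forced by the report format; on a live host match on the full path, then hash or signature-check the file rather than trusting the IoC list.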
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\; the querying process follows the key in parentheses.
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A (spectrum.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (spectrum.exe)
Key value queried CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName (spectrum.exe)
Key value queried CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName (spectrum.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A (spectrum.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 (spectrum.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A (spectrum.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (spectrum.exe)
Key value queried Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (spectrum.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 (SensorDataService.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 (SensorDataService.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A (SensorDataService.exe)
Key value queried Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 (spectrum.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A (spectrum.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 (spectrum.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A (SensorDataService.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 (spectrum.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 (spectrum.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 (SensorDataService.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 (spectrum.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (spectrum.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A (spectrum.exe)
Key value queried CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName (SensorDataService.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A (SensorDataService.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 (spectrum.exe)
Key value queried CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (spectrum.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C (spectrum.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 (spectrum.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 (spectrum.exe)
Key value queried CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C (spectrum.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C (spectrum.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (SensorDataService.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 (spectrum.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A (spectrum.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C (SensorDataService.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A (SensorDataService.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 (spectrum.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A (spectrum.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C (SensorDataService.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 (SensorDataService.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (SensorDataService.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 (spectrum.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 (spectrum.exe)
Key opened Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (spectrum.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C (SensorDataService.exe)
Key opened CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A (spectrum.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C (spectrum.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 (SensorDataService.exe)
Key opened CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 (SensorDataService.exe)
Key value queried CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName (spectrum.exe)

Both querying processes are Windows service images (spectrum.exe is the Windows Perception Service, SensorDataService.exe the Sensor Data Service) that the sample and alg.exe opened for modification in the System32 list above, and walking PnP device properties under Enum\SCSI is also part of their normal start-up. On its own, then, this is weak evidence of deliberate sandbox detection. The entries are still worth keeping: the device instance names they read (a QEMU DVD-ROM, Microsoft virtual DVD-ROMs, a "DADY" hard disk) are exactly the strings a VM-aware sample checks, and if the two binaries turn out to have been modified the queries would need to be re-read as the sample's own behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)

This is a single read of the CPU clock value by TieringEngineService.exe (the Storage Tiers Management service), another Windows service image that the sample opened for modification in the System32 list above. As with the SCSI keys, treat it as weak evidence on its own unless that binary is confirmed to have changed.
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, fxssvc.exe, SearchFilterHost.exe
All keys below are under \REGISTRY\USER\.DEFAULT\; the writing process follows the entry in parentheses.
Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006864b7de97b5da01 (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList (SearchProtocolHost.exe)
Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e070bfdd97b5da01 (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts (SearchProtocolHost.exe)
Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003829bcde97b5da01 (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" (fxssvc.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" (fxssvc.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList (SearchProtocolHost.exe)
Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e6da3df97b5da01 (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList (SearchProtocolHost.exe)
Key created Software\Microsoft (SearchFilterHost.exe)
Key created Software\Microsoft (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" (SearchProtocolHost.exe)
Key created Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device (SearchFilterHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff (SearchProtocolHost.exe)
Key created Software\Microsoft\SystemCertificates\My (SearchFilterHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" (fxssvc.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" (SearchProtocolHost.exe)
Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd798cde97b5da01 (SearchProtocolHost.exe)
Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aec79ade97b5da01 (SearchProtocolHost.exe)
Key created Software (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht (SearchProtocolHost.exe)
Key created Software\Microsoft\SystemCertificates (SearchFilterHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" (fxssvc.exe)
Key created SOFTWARE\Microsoft\MPEG2Demultiplexer (SearchFilterHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached (SearchProtocolHost.exe)
Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a8addde97b5da01 (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" (SearchProtocolHost.exe)
Key created Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" (SearchProtocolHost.exe)
Set value (str) Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" (SearchProtocolHost.exe)

All of these writes come from the indexer host processes (SearchProtocolHost.exe, SearchFilterHost.exe) and the fax service (fxssvc.exe) populating MuiCache strings, OpenWithList keys and the Shell Extensions cache under the .DEFAULT hive. That is the expected noise once SearchIndexer.exe and fxssvc.exe start under the SYSTEM account; none of the entries is an autostart, policy or service-configuration key, so the signature adds nothing to the verdict beyond confirming that those services ran.
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
pid process
1812 2024-06-03_02db9fe5affdaa639f6c93fc51fa9469_magniber_revil_zxxz.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 664 664 -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
description pid process
Token: SeTakeOwnershipPrivilege 1812 2024-06-03_02db9fe5affdaa639f6c93fc51fa9469_magniber_revil_zxxz.exe
Token: SeAuditPrivilege 548 fxssvc.exe
Token: SeRestorePrivilege 2320 TieringEngineService.exe
Token: SeManageVolumePrivilege 2320 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3448 AgentService.exe
Token: SeBackupPrivilege 5068 vssvc.exe
Token: SeRestorePrivilege 5068 vssvc.exe
Token: SeAuditPrivilege 5068 vssvc.exe
Token: SeBackupPrivilege 4984 wbengine.exe
Token: SeRestorePrivilege 4984 wbengine.exe
Token: SeSecurityPrivilege 4984 wbengine.exe
Token: 33 2664 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2664 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2664 SearchIndexer.exe
Token: SeDebugPrivilege 1812 2024-06-03_02db9fe5affdaa639f6c93fc51fa9469_magniber_revil_zxxz.exe
Token: SeDebugPrivilege 2120 alg.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description pid process target process
PID 2664 wrote to memory of 2356 2664 SearchIndexer.exe SearchProtocolHost.exe
PID 2664 wrote to memory of 4460 2664 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-03_02db9fe5affdaa639f6c93fc51fa9469_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_02db9fe5affdaa639f6c93fc51fa9469_magniber_revil_zxxz.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1812
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 2120
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 3492
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 232
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 548
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID: 2176
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 5080
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 2432
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 4024
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 1544
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 3200
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 4712
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 1292
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4272
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 5084
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2340
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 2400
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 220
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 2320
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3448
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 2612
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5068
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4984
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 3248
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2664
  Child of SearchIndexer.exe (PID 2664):
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 2356
  -
  Child of SearchIndexer.exe (PID 2664):
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID: 4460
-
Network
MITRE ATT&CK Enterprise v15
Downloads