Analysis
max time kernel: 163s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 06/06/2024, 20:26
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-06_3676e46bae8ef223ab2b771be5e00705_magniber_revil_zxxz.exe
Resource: win7-20240508-en

General
Target: 2024-06-06_3676e46bae8ef223ab2b771be5e00705_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: 3676e46bae8ef223ab2b771be5e00705
SHA1: 0d3dea4cc8afbee91e91fa69d0a15c5fd4c50f4d
SHA256: e546be9e73cc18257f2a4da7e8cc58bc784ae56957920925f50be87f95ce68a2
SHA512: 175b61cee5f766480cfcf935a6ca58434866551af5c6597b3c3ec07aabd0531f1fa4b2a54a0d4137c2e4d818d1e8692575116142b4038f6789fde1fe120fde31
SSDEEP: 196608:+P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpUH2SAmGcWqnlv018PQ/:+PboGX8a/jWWu3cP2D/cWcls1z
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   Process
2312  alg.exe
3688  DiagnosticsHub.StandardCollector.Service.exe
4928  fxssvc.exe
4996  elevation_service.exe
2420  elevation_service.exe
3672  maintenanceservice.exe
3716  msdtc.exe
4532  OSE.EXE
3692  PerceptionSimulationService.exe
2932  perfhost.exe
4936  locator.exe
4044  SensorDataService.exe
320   snmptrap.exe
4548  spectrum.exe
3696  ssh-agent.exe
1544  TieringEngineService.exe
3420  AgentService.exe
2856  vds.exe
4420  vssvc.exe
3264  wbengine.exe
1572  WmiApSrv.exe
4364  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-06-06_3676e46bae8ef223ab2b771be5e00705_magniber_revil_zxxz.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7caf52f51b8da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005deaf12e51b8da01 SearchProtocolHost.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
672 Process not Found
672 Process not Found
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4184 2024-06-06_3676e46bae8ef223ab2b771be5e00705_magniber_revil_zxxz.exe
Token: SeAuditPrivilege 4928 fxssvc.exe
Token: SeRestorePrivilege 1544 TieringEngineService.exe
Token: SeManageVolumePrivilege 1544 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3420 AgentService.exe
Token: SeBackupPrivilege 4420 vssvc.exe
Token: SeRestorePrivilege 4420 vssvc.exe
Token: SeAuditPrivilege 4420 vssvc.exe
Token: SeBackupPrivilege 3264 wbengine.exe
Token: SeRestorePrivilege 3264 wbengine.exe
Token: SeSecurityPrivilege 3264 wbengine.exe
Token: 33 4364 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4364 SearchIndexer.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4364 wrote to memory of 2240 4364 SearchIndexer.exe 122
PID 4364 wrote to memory of 2240 4364 SearchIndexer.exe 122
PID 4364 wrote to memory of 4588 4364 SearchIndexer.exe 123
PID 4364 wrote to memory of 4588 4364 SearchIndexer.exe 123
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-06_3676e46bae8ef223ab2b771be5e00705_magniber_revil_zxxz.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_3676e46bae8ef223ab2b771be5e00705_magniber_revil_zxxz.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 4184
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 2312
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 3688
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1040
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 4928
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID: 4996
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
- Executes dropped EXE
PID: 2420
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 3672
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 3716
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 4532
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 3692
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 2932
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 4936
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4044
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 320
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4548
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 3696
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 1544
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 1004
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3420
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 2856
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4420
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3264
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 1572
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4364
    (child of PID 4364)
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 2240
    -
    (child of PID 4364)
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    - Modifies data under HKEY_USERS
    PID: 4588
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
PID: 1680
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.2MB
MD5 9d664863dc498ba9f369b9ceb44a9103
SHA1 36373e42393ecb340c354054ae72c5548989fff0
SHA256 89e0bccf61e0004eed4a766ecaa742c0e89421d7bbb43644a83101e630dbbac9
SHA512 6f0baa959177b2d5471c1010e37160d6d4ddb2449e05d310431a93d6ffeccd3d62ec9529016ef7c1417e760b6c8c4ca8871db062ba4cffd691a04d3c85da36c9
-
Filesize 781KB
MD5 390e29b8c2f04debe0c0ae762412e4bf
SHA1 79b298c81bbd7a7195c0c098189c292af6f3c4aa
SHA256 e6a732559d8960529cfdcc253cda64165ba896e832842cafa7293412a137e0f3
SHA512 f98636bc18ac7b18547a8a6308e9cc69db3d7c73df9ec1a89492bd8c736ac0606f41051fc5b584ba40389701afdcd617df78331b5cd0e13c1505464b81444684
-
Filesize 1.1MB
MD5 c8f2ad362a66a73cb285fbabe982b88a
SHA1 594d01e3d739d2ac48b5d60906183a0b609d03cd
SHA256 d76f764b72fe6b30b7ce3a1154feabed5eedab805585c47dde17cae3950dae57
SHA512 bf3332fe40ab69d2e1e31a4015e981c5cf53dbd9ab00eb6dcfa32c7f3fde65193be8a43f4c443092dca44d2a8e404b50d0206d94858c02c4bab93067e0d100f5
-
Filesize 1.5MB
MD5 03ddf8f65b8583e237cf4dadeb0bca26
SHA1 b12e5e0455953d0f08ce2997640a9937ea263879
SHA256 84e35563bf586464364a9fde7b75491987328744a66d2bcb9f7c71ffe6bca452
SHA512 e11b3e7de6bbb8284e5a0c81a79aca851004347435e251ecf817a4181c3eca1325e3551e21ee46493e8773744a4ff8ee5b3b4b6a2bcf544c07b33f17e7d773d8
-
Filesize 1.2MB
MD5 d886431ed8c86781e54d978c288699df
SHA1 606922fee027cddcd2ca4ce1d7cefc3523d3431f
SHA256 64c3f6dfae8330acd8f82dc64ed6542b9cebf45e8c56a0837ba671a215ded344
SHA512 eadbad7753425e02e604ea23f0690052854c3a125530209df0b233601bd88f32faf8b6636238e4022e2d66f93259d21511045b90bde4d5c9a6c304c6261a28ba
-
Filesize 582KB
MD5 1f5e7a002c544d38a8e261abfa6d02d0
SHA1 9544d559113050d2df87bf9a7760a255104f0ec0
SHA256 af7f77c596d9f6c507382bac14a43dcf85e7ceb1152ff273b4678ead5c614da0
SHA512 e05cf816b77f473f5169cb72dafa1c382cda2c26b311245aa0e5b2c2e75971956aa9724b15089cdde5022a08ecafadcfacf1eea34de0e2ae9ad6b845c10ab0b4
-
Filesize 840KB
MD5 45ff32d9f02cce32e77e0a10588f3926
SHA1 56964ccbf0e66e66b72e9a4b36111b7a87e1dcf1
SHA256 f427945cd03b297310f96971171fdb4f870934378b2a217759c8f5347530f083
SHA512 04a7cd9d71a0cacc4e1902e35a29cfffd8a5cca91573945aee0b0557949d072112ae4eafb39d5e2467bdea7498ce421d4bcf25bd92ab42e9779b9f93de077bf0
-
Filesize 1.9MB
MD5 a45b10cfcc3e8d5689cbc22e738aec78
SHA1 90756dc833c2bb69e5a2541c2ee2e364c422e742
SHA256 67c836fc069f7e32395fd377ef34e80779d98b6e77816b80bfdf57766d32f40e
SHA512 31c9aedfc03d677b691a88c945ff52a9dea6d2fe094afb162aaf1d7bf993ed52b02bcd5312674a18731aeac043ef6a95f19dbc137094117ad38f306b767d001e
-
Filesize 910KB
MD5 aa75ccb0c2b085dd522ebca29bddd7f0
SHA1 d0864bc2ceaa542d97af69530ab5da90b436fb65
SHA256 32b9c3de9aa9e26ad3ba52950ff9de97859ae666cdf0406ab59201787e15685c
SHA512 88ece331c3b2876c9098a1834a8d37d0ff73d7c6bf13afe3328714a2a6e4efc9d860182f6f7e6c4ba4341b6bc1dded3139d771d1c0e80a69799b6544f9b91a10
-
Filesize 1.9MB
MD5 caefc9787cb6f105789718bd0f438744
SHA1 c1787c3ae9eed5461791c671615117d842dd6c85
SHA256 2703259387feab3a6b9b3ce825789ed1453bb4f1d42dcbe909cfce204f1442ea
SHA512 91ba811b0bdbc00d1ad2c0f83df44cec90053d02053d22f9ee4da019f127e98ebbbe5bb8dce5d766abab00a3ee6db732464a84ae35156f1eeebe2cf72f143b72
-
Filesize 1.9MB
MD5 c2a27adba96accf334091dabf0641f12
SHA1 9ef54afa609b7a285588a61194460802345058ad
SHA256 075e14269448ea50cb9c9c3e85c96c9e2015711a7696d63704c925520b4f8640
SHA512 916624cc8b0373fdbb56cc32184472b1c12f88a8bd53ca585750999aef765e9969805e51e2137b520a7a3be9630c3f589570070db92a5670a93403bc85a594ac
-
Filesize 805KB
MD5 0f0d8294f499000a7d7e306db5f3093b
SHA1 674fd9d854f348e3bb22f7d5114e65fedc795ed5
SHA256 bdb6f5f2d4fc8aae32c36365ce8df06f392c5991c76dc74aaf48a3ba44add40d
SHA512 4b00cedb50f5cf2c8d21c99b4d3a12aa7495cc37aa90c726bb9916835b1cf219bad55be2fca30c095e2e962a0438c686ffc05ca896be37ba511f0e0f7c21ef6b
-
Filesize 2.1MB
MD5 f4f0c06b0c824e9ff99bbe683e4d0e9c
SHA1 f3b8b9729a527db0f5effd93a6e8c936b88c0191
SHA256 228f87a166b6f4809b99b956dfec8189652fe54df169c7d3240b86c78d9a93cd
SHA512 f99ee4a959a3811ba96008467fae52f22099d421664d5c39b4a66dc977c1517f0b82f372b444e5f774f6f810c3a819fa1fc7b3cf284f4a1f313bddeb9a2a63e6
-
Filesize 448KB
MD5 568607446b977c1766c45f25d958a7f5
SHA1 94a7f357518aa0686e77b798a060d4c92f20410c
SHA256 efdc5796249361eb5c058520dc0fb6fdef5db84c9ea95db8f178b29682bd2fdb
SHA512 7277b5c9f31103c23e37b0df4bd6d60b85e952486378defd31233811b4695d864b7cd7d834c7f090a397497721e780dc017fc6c84301a8c33160e4e1f269f538
-
Filesize 448KB
MD5 e54a30e15f86ec02a4a83ade50fb4d2b
SHA1 7a6c286e0ec9524e8c7fb8a16256b033d7b43e5b
SHA256 76b29a14a354d2f72b8a33a8d12753ed4517447efe96fce955e269b8839f3e0b
SHA512 7c24833b8e4e3474a1e085c37392bd04875690a353ec7a5fe4808c4c03784c011435bec677f9fa6c3d2684da1be7951592c243be7cbe510f57ef479a7637c64a
-
Filesize 512KB
MD5 2574c34591ba2be7ad05c471a402c634
SHA1 779783c23d45be078968668cdc5c48b15d827c6a
SHA256 8029159907eca17f7b97b6759dd18634da8d27d68ee65428030befb26e27e6f3
SHA512 0bfd28a4d7da900b95a73d954cd12b9bd41caede7bd830ded9bf7955e574855bffbaf41815ec2a99165cbc801a70283842733914ec6e7f34615122de0cca18f0
-
Filesize 512KB
MD5 0ebbf8b476378dcba78f065ae65a12ed
SHA1 be5b03fa30f4d906ed224dd864248b333980346c
SHA256 280bc43b96acdcd585bca6b49f47bb5f97b4c7081f750bf6edf51ddc03ec2332
SHA512 47c1135bbc8ba4f6ccdbbcd520e3d4d4504e58ab7bf56a567f3d5e83985d013f8d50e9468a5a73ea5bf79a217c09f3ae060c419798ab30cf0f53e14100d512e6
-
Filesize 512KB
MD5 0ab155797b4b5f4832b0c62f49b70c79
SHA1 f51b7cecb6a02baf9aa9271778e6a4ac88242bf0
SHA256 54cc278ac52882eb2b24770f8b6be7ca8853dcfcdaa83d9793debd20d86a8352
SHA512 d681dbd6fdab4c9ba0d89f641bb61c23150e8680e4cc013a2bd127af8186abcdbfa5a162ab7606abcaf38946e3b50be5c65bbcbe12d8fb766ee879b344e0a410
-
Filesize 512KB
MD5 bc9d4aae6283fc579c30c588fe2a436e
SHA1 3274c20a5bfd17b168157817ca0af4ff5efc2359
SHA256 b64825714eb1106d044967d04e16916a2a7e5af73dd83e684442372f83abf25e
SHA512 1ad000452a75c7e379d99fc46001372d6d8d4423e977744ef1dae677f8fa22d79f3e39c3b01b46769ce65d7c818e92cacdbe93fb52a96d1d5bf000fa4b480f20
-
Filesize 512KB
MD5 c5e6ab7115829c51136e80146424d143
SHA1 41b3d599d3dd14d17b923dec60b7a5eca42a6732
SHA256 97e3ff44b1065df9d66c264ffd72475c6173c09bba028ddaa2ab8b7aaa2f54d8
SHA512 9f6540555eaf38c284ad02407883d44515e82f1d81bdfe170e811e48f2159a581b2ccba3c6ed9daaaff34ec37306a6849eee0cf088073961551f463e9df5a88c
-
Filesize 384KB
MD5 305a0da2e0c844857b9a1855f50b7c98
SHA1 0cade7cc464136449633724cd3df66b646f03364
SHA256 cffb6225b17f21889ccd80fa9c1f19f32564a1e1a8429aaae024608f50d910cd
SHA512 7061e7aaaaed16b6f4891d1e9bb912c1c376e19254b200444a9caecec01caf99c28aafc2e3d4c1464c211221822d89a59ba4694776c56739ce3e7e2315d2829b
-
Filesize 384KB
MD5 c6734e579fd9e0f5c30918f3b403b3d6
SHA1 838094b6783deb42ecf60dc6bc798ae17b5a066d
SHA256 5b791f7d8737e9567a918ba4019833b635ad909c99c98e071793509b80056314
SHA512 c844cc71878f74efffaaa11d5df57058690783483dd1a3fabdfe6371ce2f7b05fe9aad8699654821d485f1b65b711c2581a55cedf025abecb42af9b607127684
-
Filesize 384KB
MD5 1b15877aab4fbbbfbd5bfaa1796e5290
SHA1 6e179eabc4ccee0bb4d0c3428b9983b3deb405f3
SHA256 e4c1897ebbcbdac9adf043b49b9062f49dc48219390fb47e16e180bffa67a7e4
SHA512 caf97eb164381bba8622b3a9378a33aa184fd1c41232b5ac425d4e20a18cc3695bc45613f600510acbe4c3f1ba3ce28adc11d616195b93d8b5d01434ba46584d
-
Filesize 384KB
MD5 b399290c49f8839742cade29af3a418a
SHA1 7a60a0c0afa6c0e37f34aef6d46e99b0fd96d0ac
SHA256 d5fbe890639dcbb83440a0ba31a32e379587ba80d7bd976474c27c4f56b43e5e
SHA512 9565bb7ef18855bbca2cf2590e935b7b9f2e9231f81fa43715f6330c1442a3674f467f24d587ee45ee8b66a2a6f3840dc5187dc6c330b2ccac5662b5cd0712b2
-
Filesize 1.5MB
MD5 32f7ec3a720b6a80c616d6a87e554822
SHA1 ee441c4370ea374dc8d1942c9c3ea8b608781c82
SHA256 451c81219827378d343215bf0ee7a600a66e24bfd6ea164efa13f684be594b31
SHA512 c3af46835d7c506ec30dc83d4bfca213a32a9626c22c42440134babadcc7d67d04ef25fbd46a787dcfdff2b5d23f0993777bac8d32e4d8a9cf8a590e5a57132d
-
Filesize 588KB
MD5 facce650e16ccae27b6d5a2ecfbfb15f
SHA1 019190aeffbf00a8c66904dd19198dfaaee67593
SHA256 895edcd8ae3870cf83df4d58e3435a24058b6d2a6c586568473aa2116dc9c655
SHA512 054e39405a0a34d8444bd3f8ad5293866b3c8e44799072e6df7eab2bd822f55f9c8813378f2b58d29bdb5f6423fe8cce1230440e9b40bf0953d94006859be7a9
-
Filesize 1.7MB
MD5 f0c1a764db90ce34f32e045fb0a8168e
SHA1 2b4fc5171a1226d62a0ca62cd7c38b7f9124403c
SHA256 2c328850db050254ed0d83d87d414d20ed8ac7693d472e0e544f7846a6e49c79
SHA512 cb196748a3c2b12d2a0b6a62b2b27799cccc4bbb70ce51e7e9ba0ccb8081e95ee62009f3f4dfe6ae627f16676a454e2c55a12a0ae36232b0c54097b15bb65e60
-
Filesize 659KB
MD5 55fe6c4220def7e9aa9ff1b63efbe1ac
SHA1 24ed4928a9a68ed898cba4239d57f0f21a1f8a5d
SHA256 dd3812166eccc6d3caca8f67d9468ad4ae27f6386a9869ffa8a86d175c400c8d
SHA512 f4ff04ebf4756ca9948cf49f5382fb57ea0e407a8a837d8c90924285fbc3786f0a3389f47d2586bca97c1b5b074b917c5dffec42cc0f2fa70fa7e4a303c6c9e1
-
Filesize 1.2MB
MD5 23e9eb69922fb23831d66270f9396de0
SHA1 f8ad447ca72abfd643682b106400edb85d51f60d
SHA256 798812ab6a2a1b0f09ebed92c006d0dcbe7d4e1b28a2f8ed9fd075d118435f7b
SHA512 d39016ed8ab83f90d3ee54a123ed43029a9eae0bba3d134dbb0ab7b9161f9480c8e01fd6eac8448bfb37e8147e6a6a5abb8b59edb4991eccd22c4b3cd60e34e5
-
Filesize 578KB
MD5 7e8f29a602fb21660f2720e56dbcfdc7
SHA1 b5751aab9c2ab51e9c7a38f7e93dd72a67b2fa11
SHA256 51c75cc2a8c16216896468ef560dbdca9213dffe9c0f64afda79e457fba23bf1
SHA512 df6fce8d69f3f6b737a93c2a003be92370e7238cb2d6571f854a56c141e9cce659e6f3e1e825d9ea9ee8798a08ee91c1d06de3ba1e2299201cc3f31d96fb824d
-
Filesize 940KB
MD5 b5aeff542d708c8ea6715d7d692e316c
SHA1 a3aac73dfbafd4754e5aa7ece79f04106fae82af
SHA256 1c5d60811912b937610dfaeb530d6ea92d3a275420afa24bd1e0637fd6fec7d5
SHA512 837452de327f08a33e360a4881fe3ad075f4748bd0aafe32792e8529498722cf806e2e3efa2ac00a061d52d06db1f6f29d7c8e63b629eebb2a2b5d8a54a52ba2
-
Filesize 671KB
MD5 7e29f534f121515235b2debf29965a48
SHA1 4af9c3a748cb0789c0bebe5ace7a5173f0170976
SHA256 84a74fcbc5cf3af2999b02b615e081eb5412dd9199bd284717aff20a4c5b833d
SHA512 32e9732ef722bf7e93dfc41c50ff57279da11a77cef6eb5b8f0ad641bcd7611662826e1e69a37e10d301d7921ec60e1fd37a23b37f686ce5a90bffc01f069132
-
Filesize 1.4MB
MD5 c9c0267725b62a6670d7538908a09692
SHA1 6f6fcf83c2ef74e2e307e14344340594dc324a05
SHA256 5853069d18c2fe828062c12728e576f3cd3e2895fe019553e4a10adc8860f054
SHA512 376c30c9970ebcf66ce37bd70a1b416af51a58ed886e6ca0698275505184f3cc7604f80837c6e113e216337051bcf645d68adee88a1d9c23f34574a985cd3a8e
-
Filesize 1.8MB
MD5 a3983c235ed0e98a5991b874adc18f61
SHA1 324a12cdf4a1458e1410b54b2e0e914186ade4a8
SHA256 2465e3cf1fd4be7bc4bff8e13b328a76d53377d2708b345a915579b173726eca
SHA512 526776e82705928f3fcb22768e2a1d5be9f75eef81f16d7963f0d7b71bd4e1223663dffabde8c2b9c4fd9b61aac65a8c55ca3eebb669de5d3c49e8e052431835
-
Filesize 1.4MB
MD5 c183e3238990262c83ea25d0e5419f4c
SHA1 bee32be46f81191541fb44244f181825e78681e1
SHA256 b0508555b37cedfcd5ca974aa85e5086e178f4c4468d263378e26dbed4913ab6
SHA512 f8ba77990e6094b7bce8fbb4522f2c824cedfa59914d4f8f403624dbb6329990c71d0ee212455469268fb406cbaee8ca492398c4496f8b085712e09a86ebb523
-
Filesize 885KB
MD5 199b2a03c669859bdf64cb853c972535
SHA1 2586ef5dff363c8bf4e69802342c2c1c1404c25e
SHA256 d30840268dff014bdb8d7929001f00ad5ed574799bf1cbd94ff0c5da3929e435
SHA512 53869d40ca2e92dd8043ca644416ae3465827cacc50ddd136aa211e6111fbed3c70914f72e2f950a580045643687e04ac1b98af24b433ed8abce2655e17c7f72
-
Filesize 2.0MB
MD5 5f50d74224b23dab012a28e07ce1adf8
SHA1 35ad9e9cc5e7e6684eca2314b862ae25d6ca0993
SHA256 b642e61401232a754757a2656a160c5bc347ceab93777627dd0de44eb5a59fb2
SHA512 1a9bab4a25fd4cb0289a742adbc73ddd875a541af5ae87281ae64994cf2b403b5304a8f9d994293d3f95623575c05a7d43ef975eeaa857a8bf4b26bd2bde7d8f
-
Filesize 661KB
MD5 5e25fb39e862208b3cd2800cb3d37dcf
SHA1 fdd00d30a27ddf10d7783adcd8e5be194c527486
SHA256 081e7e0177b69dac86ce37793724c8f72bc2f2acfc23fcd896415005118c1b30
SHA512 5458abe746247836809f640e6ed3cc12a85abeedc2bde5b342afef717e104fbe6be918c812743ad22b113c8670de6a5e8e19c7777211e8ee97f0a68ff542b3be
-
Filesize 712KB
MD5 12fdec9bd749b43dd61da43d0e78070d
SHA1 6e1fe98d191324a7a7b88a0a73c69f6c1d3c6fe2
SHA256 11b3fca7af56b50f41981acfc12dacabcb95e9a44556d85895b2677e4578f824
SHA512 9551ad469c70dedf49bc54a4c6940a0c65f61747edc5996bc50ed4814668e303a0435c4e66f2cefae62fb3754adda02071f08eb743a4322c6df1622e038b906c
-
Filesize 584KB
MD5 585675f46d59554cfab8e2abcb7759a1
SHA1 a69207c2d7edbb5a5d7c46fbedc0d2861e2bec87
SHA256 63085b864c5ed42e89c09b9048f152d8e5e0412502dfe2f2db89935fc53dc06b
SHA512 009bdce782a4bdd4f1152e45cc77dc44681bf6e51f97dee3e01c65179909b320c13b2caf07fe4dddb6a7d579eecf4ddf93f3b125b634b60a90f5f4c1a13e290f
-
Filesize 1.3MB
MD5 01cd799b33663d504f65750509435547
SHA1 0568ac9876a36120b078acd764ecaec94e708688
SHA256 3256a8b07536ef9fae1661e1940e9afebc157b7d55bd40b2d55c8f4de27cba7d
SHA512 b5b9bbad2552df9d99702f907a134a21cd19b46a0a1c9fcf1124e986915cd80e05478cc5ac8ace3c3f66b247f17341f660a22985e1a25e9a82640a0fe1210a34
-
Filesize 772KB
MD5 87f2761cf7fb83349386827c2948b1b7
SHA1 d977eb3df3536bc86a2f23b014552f3888e0a44b
SHA256 beb39d76921a0ed0913ac42ab3c59891a0b13cc418a7e02b0fdf95c020a592cf
SHA512 f115124e38e1246ed8f868ed4d0e1045cb2762d8042f199753c73a9c6cbb4bc23ab752292b3b75929e27e2d7437f49ed27d4ca5ab9e3bb69986eab63a0c4ef97
-
Filesize 2.1MB
MD5 c92933ae873c86c167564346b896f06f
SHA1 e13fad3a6095f5ba6f9250b90db49e74e0f5bd8e
SHA256 d3ab08a11095a1db2644d83bc7b299977bfe16771e17f0f8ffc538a3712b557f
SHA512 01ab77712933417376f1b77a1ddc978cbfdb2ae30d767a03ad62d481f9943a7c20b1067bea24d78fdb250b7051808012c44ef875e71c45446eea1f793ea942ac
-
Filesize 1.3MB
MD5 c6c6c62dc1fe69ca17719def82827924
SHA1 4e8fcdafbe4e6e2d0cce43095fbaed1bfc8f0715
SHA256 8f2ade10ae6dbc2b376f37278a2160b8560f0dd1ab2ccd91264138796514a524
SHA512 faf260da27d6dd9dd807fef2bf02e9c8722310f01f3cdfdecea87be6705210b68e0ff9425aaf391e9b3e12d8f68a4c45681969e10af1e44ee2ef23451986de1a
-
Filesize 877KB
MD5 407775fe52257bd13feaf99e8fbed70d
SHA1 1fdd299db95f26affee7dc3c5c3ec98e6f7d41ba
SHA256 1b6b9e3a20abe04250f57de3dc8c81b43a676c0153c3937acfca48d62d82e770
SHA512 ef2a846dc79dcc9c930d6e266f7a7696d2666aaebc1165e15c508cc199ac85e1425e3f4bdfb75159c74547ec13a316ae7e5e5b7a1ef6c59407d2cb60e1d4f5d5
-
Filesize 635KB
MD5 5536ed055256f4833fd6d8d005dab2c8
SHA1 7b8f70dac7b981f2e2dd412da590f37997642bc6
SHA256 a2fc5879852201eb76122808accc41956821cbb42e794d3404c6351d84c810fe
SHA512 f19ee9057268d9692cdcd23968b31c0e8883b01ef5880c2059a52b35fe6c17da0d1b47446c5716a1c9a7a6f954e2da646510f56162d74e46a7b36eb193a009cd
-
Filesize 2.2MB
MD5 c47f2fe85d0352f6f87cd8e784f213db
SHA1 25af8e489fb1119a2e40b640f122e01e8432587f
SHA256 9e8d3b76f769ca9c912c7f36647fa2df594ed499e255a1a337930673227b53a4
SHA512 0d8e83756ec980d0bba931c2d1813ec0c9942f002045d91b8dc6c5b57c1d5419f093428300cb8442ac00096cc8054a2edce265e984e23bb9013b4fdab3ffcbb1