Analysis
max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted
08/06/2024, 09:08
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe
Resource
win7-20240221-en
General
Target
2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe
Size
24.3MB
MD5
97480e9c56a6dd102b546ec45740e324
SHA1
025e8eefedfa4f9d978c128126b66af0639f0de8
SHA256
46f56d7a89834c832ca861571f82f69bb1ed437b5e6621f1d51ad07212524f25
SHA512
39d8ae29876e4021f37c61f272325f03e0ee5c2d3b80a066d8ced8587569d810b5d2ef2da889030ffec11cdf2f1b36d2d5fea54c920066b56b42bb85f9e5b58e
SSDEEP
196608:jP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018d:jPboGX8a/jWWu3cI2D/cWcls1
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   Process
4444  alg.exe
4084  DiagnosticsHub.StandardCollector.Service.exe
2520  fxssvc.exe
1352  elevation_service.exe
2868  elevation_service.exe
4704  maintenanceservice.exe
2376  msdtc.exe
3612  OSE.EXE
3208  PerceptionSimulationService.exe
3424  perfhost.exe
4708  locator.exe
3108  SensorDataService.exe
5088  snmptrap.exe
532   spectrum.exe
4352  ssh-agent.exe
2460  TieringEngineService.exe
5040  AgentService.exe
4140  vds.exe
1364  vssvc.exe
1652  wbengine.exe
4816  WmiApSrv.exe
3332  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Drops file in System32 directory 31 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description                   ioc                                                                      Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe
File opened for modification  C:\Windows\DtcInstall.log                                                msdtc.exe
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 35 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 656 Process not Found 656 Process not Found -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3332 wrote to memory of 2420 3332 SearchIndexer.exe 112 PID 3332 wrote to memory of 2420 3332 SearchIndexer.exe 112 PID 3332 wrote to memory of 1804 3332 SearchIndexer.exe 113 PID 3332 wrote to memory of 1804 3332 SearchIndexer.exe 113 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:512
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4444
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:4084
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
PID:372
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1352
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2868
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4704
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2376
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3612
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:3208
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:3424
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:4708
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3108
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:5088
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:532
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4352
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
PID:1452
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4140
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1364
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4816
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2420
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:1804
-
Network
MITRE ATT&CK Enterprise v15
Downloads