Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
07-04-2024 19:34
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe
Resource
win7-20240220-en
General
-
Target
2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe
-
Size
9.4MB
-
MD5
5fcd19e43a5fcfe20f6dee239392f78f
-
SHA1
fa7512ada7534d24588770397dab058628fcd002
-
SHA256
0ca3531e74c3e93f7f313db6fd2dd66db5cf279f869c0c64688854a8b2f08a0c
-
SHA512
b99ec55f549ef137ff9428c7b28c49407dbc81d513ab330fae2df763fb2dd59c7b6ede835511e97cb307ecc67f1fbf6cc5d7d719e1ac6dea0b85ef43fdff6003
-
SSDEEP
196608:8/oQ47ZAOgxeS66w958KxcK9076tXL94VQBWG:KoQOZsx+589K2G/B
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
Processes:
pid   process
3312  alg.exe
4924  elevation_service.exe
2864  elevation_service.exe
2892  maintenanceservice.exe
2896  OSE.EXE
2448  DiagnosticsHub.StandardCollector.Service.exe
1412  fxssvc.exe
4464  msdtc.exe
644   PerceptionSimulationService.exe
3888  perfhost.exe
4244  locator.exe
2676  SensorDataService.exe
4968  snmptrap.exe
2592  spectrum.exe
3488  ssh-agent.exe
208   TieringEngineService.exe
5064  AgentService.exe
2288  vds.exe
2840  vssvc.exe
364   wbengine.exe
4508  WmiApSrv.exe
1864  SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs
Processes:
elevation_service.exe, msdtc.exe, 2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe, alg.exe
description: File opened for modification (all 24 entries)

Opened by elevation_service.exe (21):
C:\Windows\system32\dllhost.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\fxssvc.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\wbengine.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\AppVClient.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\SgrmBroker.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\locator.exe

Opened by msdtc.exe (1):
C:\Windows\system32\MSDtc\MSDTC.LOG

Opened by 2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe (1):
C:\Windows\System32\alg.exe

Opened by alg.exe (1):
C:\Windows\system32\config\systemprofile\AppData\Roaming\3d678fb5205991d4.bin
-
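The two lists above are worth reading together: the sample opens C:\Windows\System32\alg.exe for modification, alg.exe and elevation_service.exe then open a run of other service binaries, and the names under "Executes dropped EXE" are largely those same binaries. The following script is an added example, not part of the sandbox report or of any tool it names: it parses the report's flattened "<description> <ioc> <process>" notation into records, builds a modifier-to-target map, and checks which executed names have a modification record. The two inputs are copied from this report's "Executes dropped EXE" and "Drops file in System32 directory" sections; the parser accepts the other IoC sections (registry records included) in the same form. Two caveats a responder should keep in mind: "opened for modification" is an open with write access, not proof that bytes were written, and sections that stop at exactly 64 entries are assumed here to be truncated by the report, so a name without a record is not evidence that the file was untouched. On an affected host, the real check is the signature and hash of each listed binary.

```python
"""Parse flattened sandbox-report IoC runs and cross-reference modified binaries with executed ones.

Added example; not part of the sandbox report. The two constructed inputs are copied from
this report's "Executes dropped EXE" and "Drops file in System32 directory" sections.
"""
import re
from collections import defaultdict

SAMPLE = "2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe"

# Constructed input 1: the pid/process run from "Executes dropped EXE" (22 IoCs).
EXECUTED_RUN = (
    "pid process 3312 alg.exe 4924 elevation_service.exe 2864 elevation_service.exe "
    "2892 maintenanceservice.exe 2896 OSE.EXE 2448 DiagnosticsHub.StandardCollector.Service.exe "
    "1412 fxssvc.exe 4464 msdtc.exe 644 PerceptionSimulationService.exe 3888 perfhost.exe "
    "4244 locator.exe 2676 SensorDataService.exe 4968 snmptrap.exe 2592 spectrum.exe "
    "3488 ssh-agent.exe 208 TieringEngineService.exe 5064 AgentService.exe 2288 vds.exe "
    "2840 vssvc.exe 364 wbengine.exe 4508 WmiApSrv.exe 1864 SearchIndexer.exe"
)

# Constructed input 2: the "Drops file in System32 directory" run (24 IoCs), exactly as the
# report flattens it: "<description> <ioc> <process>" repeated with no delimiter between records.
SYSTEM32_RUN = (
    r"File opened for modification C:\Windows\system32\dllhost.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\fxssvc.exe elevation_service.exe "
    r"File opened for modification C:\Windows\SysWow64\perfhost.exe elevation_service.exe "
    r"File opened for modification C:\Windows\System32\vds.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\wbengine.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe "
    r"File opened for modification C:\Windows\System32\SensorDataService.exe elevation_service.exe "
    r"File opened for modification C:\Windows\System32\snmptrap.exe elevation_service.exe "
    r"File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\TieringEngineService.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\vssvc.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe elevation_service.exe "
    r"File opened for modification C:\Windows\System32\alg.exe " + SAMPLE + " "
    r"File opened for modification C:\Windows\system32\AppVClient.exe elevation_service.exe "
    r"File opened for modification C:\Windows\System32\msdtc.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\msiexec.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\SgrmBroker.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\spectrum.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\AgentService.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\SearchIndexer.exe elevation_service.exe "
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\3d678fb5205991d4.bin alg.exe "
    r"File opened for modification C:\Windows\system32\locator.exe elevation_service.exe"
)

# Description phrases used by this report's IoC sections; they act as record delimiters.
DESCRIPTIONS = ("File opened for modification", "Key opened", "Key value queried",
                "Key created", "Set value (str)", "Set value (data)")


def parse_ioc_run(text, descriptions=DESCRIPTIONS):
    """Split a flattened '<description> <ioc> <process> ...' run into (description, ioc, process).

    Process names carry no spaces in these reports, so the last space of each chunk separates
    the ioc (which may contain spaces, e.g. 'Program Files (x86)' or '= "Rich Text Format"')
    from the process. Any text before the first description (the process-name header) is dropped.
    """
    splitter = re.compile("(" + "|".join(re.escape(d) for d in descriptions) + r") ")
    parts = splitter.split(text)  # ['<header>', desc1, rest1, desc2, rest2, ...]
    records = []
    for desc, rest in zip(parts[1::2], parts[2::2]):
        ioc, process = rest.strip().rsplit(" ", 1)
        records.append((desc, ioc, process))
    return records


def parse_pid_run(text):
    """Parse 'pid process 3312 alg.exe 4924 elevation_service.exe ...' into [(pid, name), ...]."""
    tokens = text.split()
    if tokens[:2] == ["pid", "process"]:
        tokens = tokens[2:]
    return [(int(pid), name) for pid, name in zip(tokens[0::2], tokens[1::2])]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def modification_graph(records):
    """Map each modifying process to the set of file base names it opened for modification."""
    graph = defaultdict(set)
    for desc, ioc, proc in records:
        if desc == "File opened for modification":
            graph[proc].add(basename(ioc))
    return dict(graph)


def executed_vs_modified(executed, records):
    """Split executed names into those with a modification record and those without.

    Case-insensitive, because the report mixes system32/System32 and names like OSE.EXE.
    """
    modified = {basename(ioc).lower() for d, ioc, _ in records if d == "File opened for modification"}
    names = {name for _, name in executed}
    matched = sorted((n for n in names if n.lower() in modified), key=str.lower)
    unmatched = sorted((n for n in names if n.lower() not in modified), key=str.lower)
    return matched, unmatched


if __name__ == "__main__":
    recs = parse_ioc_run(SYSTEM32_RUN)
    for modifier, targets in modification_graph(recs).items():
        print(f"{modifier} opened {len(targets)} file(s) for modification: {sorted(targets)}")
    matched, unmatched = executed_vs_modified(parse_pid_run(EXECUTED_RUN), recs)
    print("executed AND opened for modification in this block:", matched)
    print("executed, no modification record in this block:", unmatched)
```

Run as-is, the System32 block alone accounts for 18 of the 21 distinct executed names; the remaining three (elevation_service.exe, maintenanceservice.exe, OSE.EXE) are not necessarily clean, since Chrome's elevation_service.exe appears under the Program Files section and that section stops at 64 entries. To check a host, hash each path in the graph and compare against a known-good copy or its Authenticode signature rather than relying on the name alone.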
Drops file in Program Files directory 64 IoCs
Processes:
alg.exe, elevation_service.exe
description: File opened for modification (all 64 entries)

Opened by alg.exe (33):
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
C:\Program Files\Mozilla Firefox\default-browser-agent.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77375\java.exe
C:\Program Files\Mozilla Firefox\crashreporter.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
C:\Program Files\Java\jdk-1.8\jre\bin\java.exe
C:\Program Files\Java\jre-1.8\bin\jjs.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
C:\Program Files (x86)\Google\Update\Install\{AFF521F6-AE33-4DA9-91C8-593A92655606}\chrome_installer.exe
C:\Program Files\Java\jdk-1.8\bin\policytool.exe
C:\Program Files\Java\jre-1.8\bin\tnameserv.exe
C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe
C:\Program Files\Java\jre-1.8\bin\javaws.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
C:\Program Files\Java\jdk-1.8\bin\java.exe
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe
C:\Program Files\Mozilla Firefox\private_browsing.exe
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

Opened by elevation_service.exe (31):
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe
C:\Program Files\Java\jre-1.8\bin\servertool.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe
C:\Program Files\Java\jdk-1.8\bin\jmap.exe
C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
C:\Program Files\Java\jre-1.8\bin\javaw.exe
C:\Program Files\Java\jre-1.8\bin\klist.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
C:\Program Files\Internet Explorer\ieinstal.exe
C:\Program Files\Java\jdk-1.8\bin\policytool.exe
C:\Program Files\Mozilla Firefox\pingsender.exe
C:\Program Files\Java\jdk-1.8\bin\serialver.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
C:\Program Files\Java\jdk-1.8\bin\jps.exe
C:\Program Files\Java\jre-1.8\bin\javaws.exe
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
-
Drops file in Windows directory 2 IoCs
Processes:
elevation_service.exe, msdtc.exe
description                   ioc                                                               process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  elevation_service.exe
File opened for modification  C:\Windows\DtcInstall.log                                         msdtc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments. Note that both processes below are Windows service binaries that elevation_service.exe opened for modification earlier in this report, so the reads may come from the service's own device enumeration rather than from injected code; the report does not show which. The vendor strings (Ven_Msft Virtual DVD-ROM, Ven_DADY) are what the sandbox image exposes.
Processes: spectrum.exe, SensorDataService.exe

All 64 keys sit under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\. Device instances seen:
  A = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  B = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  C = CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000
  D = Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
Property subkeys opened, each as <device>\Properties\<GUID>\<id>:
  P1 = {259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  P2 = {8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
  P3 = {b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  P4 = {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  P5 = {51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  P6 = {78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  P7 = {cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006

spectrum.exe (32 IoCs):
  A: Key opened A; Key opened A\Properties\ P1, P2, P3, P4, P5, P6, P7
  B: Key opened B; Key value queried B\FriendlyName; Key opened B\Properties\ P1, P2, P3, P4, P6, P7
  C: Key opened C; Key value queried C\FriendlyName; Key opened C\Properties\ P1, P4, P5, P6, P7
  D: Key opened D; Key value queried D\FriendlyName; Key opened D\Properties\ P1, P2, P3, P4, P5, P6, P7

SensorDataService.exe (32 IoCs):
  A: Key value queried A\FriendlyName; Key opened A\Properties\ P1, P2, P3, P4, P5, P6, P7
  B: Key value queried B\FriendlyName; Key opened B\Properties\ P2, P3, P4, P5, P6, P7
  C: Key opened C; Key value queried C\FriendlyName; Key opened C\Properties\ P1, P2, P3, P4, P5, P6, P7
  D: Key opened D; Key value queried D\FriendlyName; Key opened D\Properties\ P1, P2, P3, P4, P5, P7
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
TieringEngineService.exe
description        ioc                                                                     process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
SearchProtocolHost.exe, SearchIndexer.exe, fxssvc.exe, SearchFilterHost.exe
Prefixes used below:
  U    = \REGISTRY\USER\.DEFAULT\
  MUI  = \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\
  OREG = @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll

SearchProtocolHost.exe (43 IoCs)
  Set value (str) under MUI:
    @C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"
    @C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"
    OREG,-131 = "Rich Text Format"
    OREG,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"
    @C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"
    OREG,-182 = "Microsoft PowerPoint Template"
    @windows.storage.dll,-21824 = "Camera Roll"
    @C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"
    OREG,-125 = "Microsoft Word Template"
    OREG,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"
    @C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"
    @C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"
    OREG,-140 = "Microsoft OneNote Section"
    @C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"
    @C:\Windows\System32\ieframe.dll,-912 = "HTML Document"
    @C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"
    @C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"
    OREG,-123 = "Microsoft Word Document"
    @C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"
    @C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"
    @C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"
    OREG,-142 = "Microsoft OneNote Table Of Contents"
    @"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"
    OREG,-194 = "Microsoft Excel Add-In"
    @C:\Windows\system32\windows.storage.dll,-10152 = "File folder"
    OREG,-174 = "Microsoft PowerPoint Presentation"
    @C:\Windows\System32\msxml3r.dll,-1 = "XML Document"
    OREG,-124 = "Microsoft Word Macro-Enabled Document"
    @C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"
    @C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"
  Key created under U:
    Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml
    Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList
    Software\Microsoft\Windows
    Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
    Software\Microsoft
    Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList
    Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf
    Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList
    Software
  Set value (data) under U Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\:
    {E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f24b68d42289da01
    {3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001b12cd42289da01
    {A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df4e2ad42289da01
    {F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ffe3ad42289da01

SearchIndexer.exe (7 IoCs)
  Set value (str) under MUI:
    C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"
    C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"
    C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"
    C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"
    C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"
    C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"
    C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"

fxssvc.exe (4 IoCs)
  Set value (str) under MUI:
    @fxsresm.dll,-1133 = "Print"
    @fxsresm.dll,-1130 = "Microsoft Modem Device Provider"
    @fxsresm.dll,-1132 = "Store in a folder"
    @fxsresm.dll,-1134 = "Microsoft Routing Extension"

SearchFilterHost.exe (10 IoCs)
  Key created under U:
    Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
    Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
    Software\Microsoft\Multimedia\ActiveMovie
    Software\Microsoft\ActiveMovie
    SOFTWARE\Microsoft\MPEG2Demultiplexer
    SOFTWARE
    Software\Microsoft\MPEG2Demultiplexer
    Software\Microsoft\Multimedia
    Software
    Software\Microsoft
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: elevation_service.exe
pid process
4924 elevation_service.exe
4924 elevation_service.exe
4924 elevation_service.exe
4924 elevation_service.exe
4924 elevation_service.exe
4924 elevation_service.exe
4924 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
660 660
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes: 2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe, alg.exe, elevation_service.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe
description pid process
Token: SeTakeOwnershipPrivilege 1356 2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe
Token: SeDebugPrivilege 3312 alg.exe
Token: SeDebugPrivilege 3312 alg.exe
Token: SeDebugPrivilege 3312 alg.exe
Token: SeTakeOwnershipPrivilege 4924 elevation_service.exe
Token: SeAuditPrivilege 1412 fxssvc.exe
Token: SeRestorePrivilege 208 TieringEngineService.exe
Token: SeManageVolumePrivilege 208 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5064 AgentService.exe
Token: SeBackupPrivilege 2840 vssvc.exe
Token: SeRestorePrivilege 2840 vssvc.exe
Token: SeAuditPrivilege 2840 vssvc.exe
Token: SeBackupPrivilege 364 wbengine.exe
Token: SeRestorePrivilege 364 wbengine.exe
Token: SeSecurityPrivilege 364 wbengine.exe
Token: 33 1864 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1864 SearchIndexer.exe
Token: SeDebugPrivilege 4924 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: SearchIndexer.exe
description pid process target process
PID 1864 wrote to memory of 4140 1864 SearchIndexer.exe SearchProtocolHost.exe
PID 1864 wrote to memory of 4140 1864 SearchIndexer.exe SearchProtocolHost.exe
PID 1864 wrote to memory of 4632 1864 SearchIndexer.exe SearchFilterHost.exe
PID 1864 wrote to memory of 4632 1864 SearchIndexer.exe SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image path: C:\Users\Admin\AppData\Local\Temp\2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe"
Tree level: 1
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1356
-
Image path: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Tree level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3312
-
Image path: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Tree level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924
-
Image path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Tree level: 1
- Executes dropped EXE
PID:2864
-
Image path: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Tree level: 1
- Executes dropped EXE
PID:2892
-
Image path: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Tree level: 1
- Executes dropped EXE
PID:2896
-
Image path: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Tree level: 1
- Executes dropped EXE
PID:2448
-
Image path: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Tree level: 1
PID:2712
-
Image path: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
Tree level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1412
-
Image path: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Tree level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4464
-
Image path: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Tree level: 1
- Executes dropped EXE
PID:644
-
Image path: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Tree level: 1
- Executes dropped EXE
PID:3888
-
Image path: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Tree level: 1
- Executes dropped EXE
PID:4244
-
Image path: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
Tree level: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2676
-
Image path: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Tree level: 1
- Executes dropped EXE
PID:4968
-
Image path: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
Tree level: 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2592
-
Image path: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
Tree level: 1
- Executes dropped EXE
PID:3488
-
Image path: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Tree level: 1
PID:2936
-
Image path: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
Tree level: 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:208
-
Image path: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
Tree level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064
-
Image path: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Tree level: 1
- Executes dropped EXE
PID:2288
-
Image path: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
Image path: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Tree level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:364
-
Image path: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Tree level: 1
- Executes dropped EXE
PID:4508
-
Image path: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Tree level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864
-
Image path: C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Tree level: 2
- Modifies data under HKEY_USERS
PID:4140
-
-
Image path: C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
Tree level: 2
- Modifies data under HKEY_USERS
PID:4632
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 75708240cec69146b14c1cc65651d083
SHA1 9109db72d613041e57b536b94e5fbea9991ba928
SHA256 e870555e0c1a9993b84c47675bafb5c0bfa7bf236ad9de20e420541245010c49
SHA512 506aab68d0bd34299cd89de911938489f047300d4c4705d1ff86169b2217cbe6acfc3de51147f71adf37072952df257d0c2f8195cc5b0fcb04594d0bca257530
-
Filesize 1.4MB
MD5 0fedc9cc79043f2df87401ec52284fa1
SHA1 0914c27fa470f6b6c4a58d98054c9b30b3f7cf27
SHA256 ece54f9d2e74e2176d7391b5d07a0034c62ac9b22e74c7b43b7d958a6ddc43ba
SHA512 fe3388e946a7aec64779efded0b7c4cacb426e2b6179cdd395bbee53cedfaa1c4903dbbf0c6a370f4d7cfad8f3a8702e824e6fd9d067fb86bd237d856b44c1ea
-
Filesize 1.7MB
MD5 ed6fa8a26163832fef6b38bd5a65f25c
SHA1 0e95b7bd38a61034af21274a81f79e9684501ca3
SHA256 a570c4e81fc724925d0e9de8554c75c10a1eafe0ba16c092b346f4b35c1c0949
SHA512 6428f5d885476948d1d6848724d07ceadb51000a0c99ff3bb4255280bb2bfb5eb9f980813f75e2d8bb351158dcffd4648e478154be55fb2501ec32dad2678f60
-
Filesize 1.5MB
MD5 52ec48cb9d3a49d15b4e028b6216e271
SHA1 f6e3fbcb5d86bcca980c7ec67895563368273b6b
SHA256 348b5fe780ad2dfa6efa7666d69346e5d121f4fa5932867b40ad66d792bd8e2b
SHA512 bab43b2f9a7bed7328b36166e0e0ecdfc9ce255417103c6929e4657e2e1b884d69e4f54879e8c7c1d08aba788103b5ee34081679f6d926cb60af29e3ef377572
-
Filesize 1.2MB
MD5 ec895e4a9aff36796667d8ed34158d1e
SHA1 2151c3461b6faaf4736ed2e06640c2a906aae6d0
SHA256 b9cbc99275556721d4f3c97ce9cda88b35b81d1bd893326d0f1b2e58f5387fbc
SHA512 5b527057d9877064193e19f349fa320515a82e6ab1e7e728d0d946008f9d4a63cacc1e10b1f8bdaa3a116597c468f3a792f207f9f853a5afe801f10ac99354e1
-
Filesize 1.2MB
MD5 d99205d7b5d93d874a63a49329e81b63
SHA1 7490cb394ce6ad5efea3078ef3984ded9d437eea
SHA256 b38971a580b1821ace6100aeb1b20654c6ce57f0a1a33b0c2ff51b664af96f36
SHA512 ef474093ded945f8943183480093927afb61f8b5286a3373a40eb8075e7c7f530a10bbfb0a3b66d5b5dfa7e8c35127f27003b90065d91dff0cc7fce829b79fd6
-
Filesize 1.4MB
MD5 2c142faefa497b33765f2056c516a30c
SHA1 d00c0609f2e0caf6898bfb50119573385b36b232
SHA256 e3d1f698190db7b0936be12a5c3ab91aca393c325e6c91f0993b429e7a420ae2
SHA512 4e396ac4caccf48f16519311bbaa77df4201849ad666598a45ffef16a125aeb014cb7e1c1d7b955ce820d46fb58c15262afd63ac14d800eb0a2c1a20e12984ba
-
Filesize 4.6MB
MD5 2d0ee264d87a17daaea846697dc8a067
SHA1 a7d8380742f105f7dcedde9e997c21fb555f1d86
SHA256 e9ee8043ed8634889115a61d995bd582f64f39e6126279f283106b04133d60a2
SHA512 cf788d710935a03f39db73c593f14dfb78db59aff51e1f149587582ef5767526eb1651b2ab0b1b4f49f6085c01dff4cbcd0b692bd1517ef43f7c5c37a0ffec90
-
Filesize 1.5MB
MD5 ad1f5768d07bcdde7f65655a7e88b394
SHA1 beda583a3d593681f20a117f1eb6692a5b584f1b
SHA256 873065ea03c97c30ebf2859bdfaa443cb8a6263b20b517456e30601fe9f78c14
SHA512 d295f6b2111d0f4c0d7bb8c9cbf274c637b36f35d3aefd9d606bdcd2b390f4d3d802250b89e33cdaa9497f3c652545a4af76ebaa0a0304f4868f863f4a261cd6
-
Filesize 24.0MB
MD5 587b7d951b4d53a72e2b4efa89f3ceb5
SHA1 286eb63dc53a5f6e070fc0282d702ca9a00f6881
SHA256 55fd0539453a2f93a435ab824fffbadfce00199da01c350545e1ac169a4b5ff0
SHA512 889f6db7f579ca51509041879016e16f1debc4f4c766ada6ccd3d01230075acda6f530fb5545728881120dd1b96300c8910f8cfade1eb7df887ec114be9805b7
-
Filesize 2.7MB
MD5 d3ec538c494198f41a237042910b272b
SHA1 05e0e6b4bfe8a569bb2ee47b4469527802dc7ccd
SHA256 0e4895a24d21f27b9cede400f9b2545e2d40420a86ac4e010189905443f905e7
SHA512 ad1a0df96192b062dda777aff17e82bc392efb28ceeb7f6c9936335a3eac73d37ec3ffc987d3e0224ed8c213933022c5cf4662339e03532b05afb42ee213439e
-
Filesize 1.1MB
MD5 15863d621686602f0075ed08f1ae222b
SHA1 5ebaf4a7d7fb988749ffe2bc1b50aae362dd1349
SHA256 cce59d52490adbe475a7bc183251e31dc67000a894ecf91aa307f719d27c9c10
SHA512 152831bc4bad4f2115a7e0f41d44659bb9db49929013697499795726bebe4e62a5d2f66320f14d52a5c9cf7c227363d97e22d37141edfc342c3b2d3e8b0feff0
-
Filesize 1.4MB
MD5 a507deca35043f50e7be95fe4487886b
SHA1 94c1eb1b1938f00ffdc0be49051a25d649ca4ecc
SHA256 e95233856e0fb53e85e0b70e77ec60d8180842066e3a577e0d573afbd670517d
SHA512 7693b37e4c0164ba150e9fdb7ed51e0e33f00e79f18371aff039adcd3dfc73b848cbd2e2efd8b0e055bdddb0cee7c62ac26ea70c62a6a61df7277a0971df7cf2
-
Filesize 1.3MB
MD5 91596f55f065958822e2dcd52a5d79a6
SHA1 2c6052388a19698033f9de70b1e7e348732ca1e6
SHA256 c07b4227603b6706a5a020e83643cc419b0fdea687a6def9f215b2688e965980
SHA512 b2c6fe23ca51dbbd09c598b7fd9e8be601e0990bba83c93dec981d2b1f127e48c8f70a853c1128cdef95cd2aa222a3bf02d547ae16912b680b72a19845d847cf
-
Filesize 4.8MB
MD5 c98116c0b2408afec64001f2816f120a
SHA1 eda56c330704533f1d2d0086ff29c792238b5918
SHA256 e6041a2900ef923caaf9b088387fa4d5b4e1cd740c6db64d79611ae48309082c
SHA512 63a07b4cdbff097ee1d2e31954be6a8ba56700b37fa03dba1326a0d5f6611004d7ea1b07d280864f0bcf35e7c558c2c916f8ef404944001d1ba34231b8b4a414
-
Filesize 4.8MB
MD5 85fc87461b2837d4ae04aba85a8a5382
SHA1 49433a86fa4fce520364a56b096085c5c089f846
SHA256 9409aaa338779ce52315d60ff6c6bb5369af90d3c9f215c045d4f15f43ac7ea7
SHA512 6d683f72984524eb44331f87ee686545f577b401ae878728bee3e57dce3f5851fcf3c2ba1d88384a5745ca2b5473a917599008693b3177f914e34c7ed0c81bca
-
Filesize 2.2MB
MD5 61b5016e55b342eaebcccb926a91be3a
SHA1 1667f7976c0e3ce2e04f2e9480b7663a3fde850d
SHA256 c9489d83d0aeb01f6b9cbf98bf1de05eed2edcf9483ee949010bed373712865d
SHA512 80727b320bf288c7232caf17f0158d2c8a2a28625405ba4a24a98b5a735af130fd0d818c56d1d172f2677a2fbb948d5095385521a8ebb222806995df6899e595
-
Filesize 2.1MB
MD5 b6e8e74301974205c79c59d18119b8aa
SHA1 68c5363e64289e3977a6f4bb5730e5526a3c7c7f
SHA256 9b22326e0dfecbb71f563dc97e021ab985900f34e6124cb53f9c2c336aa4a3f6
SHA512 36a8ae64818a3d6d42acb2b1538b6bd4a03d7c37bbd32f01e55d7d87b88fedea2ea4b23d9b9bad1c0795831fd5f92c08a83d9078fdf8d658bd78dcdc312c10cc
-
Filesize 1.8MB
MD5 b1fd13195f72f832208e6777fa782f8b
SHA1 50714b0567f495c6ba912feda99003507c460424
SHA256 293736dbeb387d771f9f3ac8348a26105b6129643f4958bdc097dc3e8e97b65e
SHA512 5a9d09eb43287fa83d8f876ddef441509bf7e51514b885b910b96ed3958738241b090b0c97b6a9853642c460e2deee011577d4deff1afd629aff860576d22c99
-
Filesize 1.5MB
MD5 7e36afa76202a30140f41e63d93b9455
SHA1 91c094a486e415787a86aaea66fcc662d862577f
SHA256 6b48bfa3e6df5c6ae098fa51a03e8ce2957866fcdd7d69759563569380192727
SHA512 09d8eb713abb2990b1296b7d34e88fe3baba44d17976ed286075f93cf90f24807d8aa158cc1a4d5e9a677742340927659bc3845cfbb60930c5937ada9f749114
-
Filesize 1.2MB
MD5 28767cba1630809e245e8451f65050a8
SHA1 987fcf770f889022cf039f0c729aa2f2e6061ad1
SHA256 9f01beddec437c196b41f3ee6d4e77a0ad9863c221049ee27ed5d5a3f1124fc4
SHA512 12e1c9a9c2b5acd85ed642ae094972edde61f28f0d0c33f2b35ffca3d9950e97be582fcab14370d51b6ef4fcae7464a3aa5eed1dfaa07a9c8296b9b54b632db0
-
Filesize 1.2MB
MD5 83b2faa5cdbc41d8c55a0de105ec36db
SHA1 d1e52d095142dce2714ea9c5befcaedb3cf2d2c2
SHA256 829483976ac4a0cebda9caf5191d133aedcccf61472d0300f137328738c88dcd
SHA512 53563a95039e0346d742a876469585ed8a9e9b173ab25e2ead47834269054d57cd14ac2789519ac95c77535590f63977bbf12f885d3e549aefcb2f698aa37271
-
Filesize 1.2MB
MD5 7a4832799cd8206266dae1b4903fbb76
SHA1 25ba0d5ca6caabfe6ee4bc3ebb3e586bfba4cbcb
SHA256 b273f85fd97a101f952b374ff549b65d8a23015dbcd28ec4f739666627b66906
SHA512 fed50c4ab9069b82e8e128804d68dc3b6baec0c0d834274d69f06447b47b9231282189956fff3f600fc56df85ba9a33a2fbb360c5b50495f16319e8457f59d71
-
Filesize 1.2MB
MD5 e6fbd9fecb517fa1283ef8d562adf7d6
SHA1 40a3847a8a47ad7db934116dc63bf89236e0d515
SHA256 f09ae61b8e2933343b08ebf49abc0b2ddaca6b239fb5be588a11e8b0a14b1d46
SHA512 a7a9250da58487ed730fd6ca938d61c44b6a4af6e3ed94eb093092dc31c5231c80b94b94bdbbea0925aab0e9d7e02bb572f262d1b2668597a94fcb3280e0ea40
-
Filesize 1.2MB
MD5 1394be67266883c06f83de05ce57b4ec
SHA1 4cae4de8a1ba9d8176993a8c711d9ba3519a229a
SHA256 fdbf76c1087a3372093412bf7cea54337990503d59ab0080faa3a600826b1fc4
SHA512 9a4a319f80359ecdfc6266ca0bebdafe77e88281fd286831c3c14437580256c79e0e0e2d0c759c75f5618a2366dbe764b6844052af458e17756f681255d8727c
-
Filesize 1.2MB
MD5 291fd0748cb024a5eba4a92aeb7553d0
SHA1 70f91d45ecebfe46b240eb924da46279d88b958c
SHA256 3e95fc0fd54dac8b7d72b8e155d5c20c86a1e74ea7f89315fdc507c65568d3e6
SHA512 d47733e8629b42aa85bba05b929e0607f4ed154738b5edeecdbe5e0159a9497b628d153315bd08463d65bdf25dc4e7a0878730ff451fcc6464bb6a5d79f430b6
-
Filesize 1.2MB
MD5 c21db8990e119536c869bb9361fe071b
SHA1 6db4fdf0c2cb45d2e2de7f190a8411067dfff755
SHA256 98d82d858eb0c8690e05c794bfa088a88498c7d778f41f5a7eefabd8f7874eb3
SHA512 ceeff289acbcdf9878d92ea3ad336282275cb84972597e4eacf3f8cd1673fc885f6e7ee8cffb47195f9cfd8f344e0612d90b77a38b39949382bf755d2577b6f7
-
Filesize 1.4MB
MD5 65d1d6b44c5c4f67006cb6486cff62fd
SHA1 4ae36b7a3344c30ae39fcfb9b2e3d085539c8416
SHA256 a78b71e50837c95348079f09687c24ba5d7a792535f3bbcd16166bc16a96ca45
SHA512 636c9d71d06161ae993c8aa3998cc233ce458253d0e99aa04bdbcda67370fcf055c58bc609f3359c5bfb39721bf28030c8b02904e9fafd0b8313a3b63f452137
-
Filesize 1.2MB
MD5 c5d1fbaee9517d3f47c55951c9340013
SHA1 1446d6a27bd1762280fe849ef77f3c67a816ec02
SHA256 9ba18b621fd678754c47c4bbb1838e289ac04b078828045d34678487ae33437e
SHA512 8b9879feaebba9db1241e385978dde40ab63616e451540215bb0ee4718bb24f5d40b1c3d65d3f829562ff6bb2a96035af13be966d93ddfe44ae55aa5d89df557
-
Filesize 1.2MB
MD5 59e9b2096d0de0464cecdf1a725e8ab8
SHA1 03b10e59bcb4e68191deedcf26b38537a46402a6
SHA256 3349b17f1673a5fa3940f8ec6ed5b0a5e83677f88d6d0d1c216eb80ec9cfd7c1
SHA512 915eb808cd032f00e6552cf72c8c2f5345f8b180ac882e17f78f0b0cce10e11858e587ce08cec2d7c58f769a1610c5d4a19e1919b3ba7d4a27de6abff8d79ecd
-
Filesize 1.3MB
MD5 2bacec987975d3306423560fa1c538dc
SHA1 bfc90ac78d0bd75d4854beede685e10241abb79a
SHA256 b5b925aaace9afebbe899bcf7623d55f42353f830d327dfa3ae088419d34b0ff
SHA512 a56bb2fc542dc17621413988b44165feff91e9d5349108483a5213c69c841ac6f1f86103160a6b0fed439b66cb622a81381a558d792a9740dee92320251d51cc
-
Filesize 1.2MB
MD5 7d9acad6aa7996c1b1fab70add68df65
SHA1 91eba4786c6fd30c0573dde6c46f596857410bd8
SHA256 de509bb02e34023c19add1810f32b49aafb90bed942ef954007df980e936b70e
SHA512 146bf6bdf9d5d4283e2822cf593f1d478b571cbdc10502c72d5c9bf54915c99bbc1b73ec7f6fbae1525d1205326a0a14612939b1943ad030fdb8464be5a9363d
-
Filesize 1.2MB
MD5 e23876040bc00d8e9b6a603308928c03
SHA1 ec442b47cde47230ed6cc6c6661e7048fc7dc478
SHA256 09e02ff8c35d65205b2b7e8ba7516f06538f06f7b42dddabb7d41e784a54d9e2
SHA512 67b7bbbd64626e749bf5aac6f4f7ab5303596672d6ac35e98a8b1750168dd6cc953c76f39795059614f8d4e32f8c65849411528bbd9b05c4f57ce4b2b2fd4ca2
-
Filesize 1.3MB
MD5 7cc3353bdf3e5f0f0de4814d916e5c38
SHA1 4a52dff8b898120d338c78787e284feb82942051
SHA256 1b72d0cd8a4bb3502def538ce29e0978e5d59553280886008ec738270ad8ae82
SHA512 d54654d8bfcd67830ff0456231070ff43aa1caaeff2097a7c1ce80625a5db67f2e428cc5dccdc3e9d939db44d5b3255a90b7207fb1d50f04fd7682fd37585053
-
Filesize 1.4MB
MD5 6b4ede017e29d6d916729d48baf25b53
SHA1 9b5cb9d8496b50f7a692d123dd2ab9fc2e478c55
SHA256 5ada1a30aaa78497b0b7dff0a5593faf41877f15b7694f08578fdc71cedb6478
SHA512 d12eebc50fc309fc5f377cd48c882dddd6d3295fbae88bc11e952775c767bdf2b864501495cbd4ff4b97007c09ecbe7f27a8933b52bd1b1af0ab0994f9a214da
-
Filesize 1.6MB
MD5 6febc52c5579c2fcd2e158a51f21f39d
SHA1 73fdbd2e68b454f25f284c22e82c0f3fafb17007
SHA256 083036c3b865ad9b205a2d73084a8565ed181afc85d52d8da639ebb3d3104067
SHA512 835924e31a829ce71a9cd75d5124f4116294c9090d02f4a046ecdae572167eca2e4d8c42fe6b1852b3a64cba65cb6aadf73e8d626f454154b220f12b7a271d93
-
Filesize 1.2MB
MD5 75cce27a4ca546a80bd6f0031426ff21
SHA1 d6a25b936777ef711cc2da1cf3b5cdebeeb078ee
SHA256 6dbc2ab9587e5294cca8a61ffb529eeb24b8dcca505d681e61db00031122b2d3
SHA512 9129a0f4bf7aa133ee0ae6e8a26c1066b10f94558b69df4ec73eb3ff36a82d2d32c4332aa5a883645e6245d59acf50950304b3324a706c67da80e7db8e6077b2
-
Filesize 1.2MB
MD5 cf0f2d68a819af18f7f9f7293adcd8fe
SHA1 6558b7333f4ae16ce383045dcb727d9ede39251e
SHA256 6e00f31bf587a8d679c3b095f827e899a872de17e530c753d23a50f200bf98ec
SHA512 3e62250defc421e6fa7d9d106f8a5314b7f007307c2a36bd1446f92a4a7f35612a7035ac19d0d538ca6841c40202eeddba5792db66216c9a94abed0b9a3fc270
-
Filesize 1.2MB
MD5 88cab4660c780e6b8b2796f0d60e179f
SHA1 903ec748eb0e44559008413c80c04635d8e854c1
SHA256 f3e595cf4e51fca4dec180b09117282c8e736802811a92ccd60d0e915621411f
SHA512 44296e9846978893067547bd6fc18e7a1e029106cbce160380bcdee7403d3a0026a396434392b17cb0593f8dafbee718088ee225956b75a7530815717f8bd92f
-
Filesize 1.2MB
MD5 9f3446310360c1d5746ba0f9879397ca
SHA1 a225259e297ff4787626adeed8c42febbcc76575
SHA256 cc258291312df82083edff19ff7febb9be266c0b86579cf530e10f255728e354
SHA512 cc4049fd0ba0ef96c720ba51b6b40a9983d7c21ab105ef2a5957fac2c7a1c485fed4f9113cb335e9f7ef75bd97f3ddb18b020211309e6f5ce1433dd549904ae7
-
Filesize 1.2MB
MD5 55ef53309db181fde2497d85b12c83d8
SHA1 3347d5f1100ec1242de733069329aa7008815c5b
SHA256 0d44854b81f1db9095df4dfd2e5b649d5a81f426d6947f6eb44f218c39304f98
SHA512 ab91ada708e007ed209c83fc90c3f3505674aabc833cc8604e3978cd48f6174b9f1ece28a340538935f4fbb67713add2ebb1d4f4403589bbb49e8cc6608dda7b
-
Filesize 1.2MB
MD5 934c4fd80f0f049c75db93fdf1dd8d5c
SHA1 d05483fdef24758c39190971c8cd6a92396451fd
SHA256 3702e18b6b65cd440205b12bdf521c188adad5a0c2f08385ddf55484909afb67
SHA512 8985b81fd9644966a080bd112aa59caf83894814a2e0c27f86a158b9f97af1ffa8cfc8b7c994bdc1bd1d62ca3b8611a2fb75e55f9058cba9c05fd7854feaff3f
-
Filesize 1.3MB
MD5 57aafda5a895aa09f5b26c4e5dfde275
SHA1 eb3374cb7495ad964558fbd876a649a225775157
SHA256 5ca2892b18d67a1343056792149b5e1b35380c33d6eeebf68e1ce6929ae1502a
SHA512 2460e560226261110561ef3376bfa951a9b3108d1ac990799d11fc33d0194f407c69e699f882c0f83553254757e92c53db12624681f80c1c235621d884e4b460
-
Filesize 1.2MB
MD5 abd444d4b689045aa1e3411655a468db
SHA1 d6bb319f88bce47ff9071968afcfaf391964ffff
SHA256 833471297cca4ce535e491bb7014c25b43b7037f3d096c852b49619ec2717a2e
SHA512 997a7d3b9732e5fc381c6098e230c059a2e6d61bcbc0b50d7f6bafcd96dd5ead4a02bd511d29d4c454a4ae8eb019adda93cb30bf40eec229f65e14d6f02821ee
-
Filesize 1.7MB
MD5 8578c41e7db761d8f5be1a8e60c066bf
SHA1 7d6f6906a3101724d583c5ec11b2b4029605880f
SHA256 8323f338304df75b2aae4804c9d032447479c663ec83d76435351201a444a1df
SHA512 c52adceacd78971fbe5109c6a676ab07be9479b3d269a10b209d485fb6819f044a87a34f29f730ce7da616c7e2ac2767e28c6e0a6e52dc03127df1753e1c313b
-
Filesize 1.3MB
MD5 cddcdc5399de088aca32652066e176eb
SHA1 2eb95bfb80c976fd8ef608ac74c81fa277881840
SHA256 fb291ac9551919bb7129f1baf4809e632e6f54d6d9fb5b44b4267d2fa16717b5
SHA512 1d5b289e6b96c7f845f53b428c80811002cf2ad5f38400f87e071424190df8e57a6ef82fc4d2433b871e0b5e0fc7e8584360b62417f23a30ad078a88b80c1c15
-
Filesize 1.2MB
MD5 fba9b3ed02a346514f2cfa6ffa44502e
SHA1 775f7455036db5912991928bb8e651d068414145
SHA256 8673d64e8047ed4edd9f449d34be4b131908eabedb3cc7ae19fcfced258a1b0b
SHA512 4034a3fde7bf0bde31c4258ac1c344edc50ee2c2c56919b8299361a99b24420172a5c5a282fd7490b8245f05c374938a432b0a1795684d71ffb6abd5961d4e75
-
Filesize 1.2MB
MD5 cba5b6b053339a25006c6596be96e931
SHA1 0f99e7e245f78836b2621ac6ae219ee25291dec3
SHA256 9f79e4310c60c8fa9da012a3c2b3302abafa758b674e1e9a10dba2a54c56cd2b
SHA512 225bb81bcec1f737f6c23885ec4c1e6ae4382278835f4c25fc574a98bbc440cbe99003c751ebd9528bc3f9eea95b3bb566ed5173c73dea9089b94e8934cd2fa5
-
Filesize 1.5MB
MD5 8f5a4af2cb5fd26e3c548c75ba0d1e51
SHA1 0c85f193d3e99d037f35b098384b4a42d962785a
SHA256 0a0a458ee4a036cd4d72ef95b3457431d36cefa471e72191f8ac891eaf2b1973
SHA512 270e86e9d01f18cea59fbb173febdaf3674daebc625f9a59a1ded442d013e470a943541c9bce7a7ba01941fdc3375615a650e4875b5895e0f1ad10994c12ec5b
-
Filesize 1.3MB
MD5 1983a0583e3558b6c807bd50d59088c2
SHA1 a01493d76e9389443a0958aa94771501727d13be
SHA256 a42adeb90fbe0e022f618726b9b491788f59c6c59f7e895ec4fa379824307b85
SHA512 e4011f125d21d38355c2d54f9c4a7690515d7e187297d4fc458ac762b779b1a9a6096dea30f419c3b7cf362ffbbe02623c63880c417638d11adcee72662c2505
-
Filesize 1.4MB
MD5 fd4083b6e93a95108b9b1bb5b1b74139
SHA1 89507629d24759ad6b5d72a344e7162c92fb830e
SHA256 7ed93d4c35c4d4b4c1752bf72a14b4e8ee09e23de209b1137944ed9766f6863b
SHA512 73b0a75c015e0f1f5838a6b7aadeeb2cae03ebf1237ce925b67beb48a5060c0b29fc9c41b5e7ba44082d8cd660633738750ebcef89a20fe895104d410e0e6b35
-
Filesize 1.8MB
MD5 75bbbdc4c3b7fd26fed63f01f9dc0d6f
SHA1 436be25b7095506cdab63dea970716806f8ecada
SHA256 cf63b4bcd96d1b77ccdede5a1fd07f958fb26804e3b07c1d0d0eb4fc7783200e
SHA512 0d7c8972240cff3e9eb85c7d3ec852eaff85cffed0d9791422b0a13f2f967694f277f240866eec4c57d649e33e00cd50a7fdfe8603c10325b613ac138c2e763b
-
Filesize 1.4MB
MD5 a1879ae2abe448a586c29af69c310194
SHA1 f7787c2389dd29180a6dd72b19b495d62bd89b60
SHA256 7089480813b27138aaab81aa165d0d47da419647730296d556be507e532b9137
SHA512 d047d21ec2f2f6ea13442105cad4e7fd7b79f2cf00d90afd0bd224519e1141795879278b1af58eb479b5113ef1d6d6f057aeafc18ca5602a0dce831e405a3512
-
Filesize 1.5MB
MD5 986085e7625418bc692ec430f9ee1c3c
SHA1 ae7953e9434ec51e3eb6fc2adeba6423454e7a66
SHA256 990432baffa1b2383e384f7bcd623551701d4b47a68d684c848085060aae2243
SHA512 55332f184ab084aa237db39531939a27c9aec5964b43644643ed2d592315dc7e800968f35a6bcc3a79f8459c55e7d2697640348d5991588b09236aa32da18f0a
-
Filesize 2.0MB
MD5 99fb034ebb33dc68a0b8b5baae73cddb
SHA1 476a05cacb7e31952fe4a44c94e8409e7acb28eb
SHA256 ddfc458479211ad2f499abef007d867e5908d4b5f4dd07a8e5d1ff39840306b6
SHA512 7edfcd6df14349ad539086f967112023a6d2d819856326229ddcfa5873afab5f6ca1061bdafa701ef8fef71c30bc702250257d5e39491d583949b9a9aff0fdd7
-
Filesize 1.3MB
MD5 8d458006554dc908e1b16397ec3444c1
SHA1 1c5d7dbf308db641cbd99894fd4003ce44bad5b5
SHA256 98f9ebde07595be0e82b7e7b6640aecef1c961e69c049182a7062a5bbc562804
SHA512 a79c99412c19efa643a23c2d68dbfc51331524247d86e5d7a7b2a6f57a3c870105aec8d87faf281688dba9a701fe6f894bced8af42f8533bb6e6d1e7a1aa92d1
-
Filesize 1.3MB
MD5 3c01ee404fc0055a0b37a33a926ce44a
SHA1 4ea4f88185f28fe265291a6573a69182a2a9a36a
SHA256 b625873e613de5cd02dbd5088969c1a087763f3b0f2094b706610aa553df4af7
SHA512 2d5d71d98719d9239b4484e14e36f9abf856da01aef693901836ee2f6fa6f04b5eaa87d28ee1ba35bb4340bfdcac8dc4de99baa04566c466fe448c68095e4c4b
-
Filesize 1.2MB
MD5 a159fa7681e5e0194b7379818405a5c5
SHA1 811a868e1f5ad175f6466269fd0a09819c7c466e
SHA256 bf590dd42196b434c70381271b923f6dec67d66a616ae5a29e9dfb93c794da54
SHA512 40e82c82d94b8732b68ad593f0a47fb6890a8bbc734fe7b6fa78863580c5fe8678c53ec5cd60bb0c89d4203f3a2f9d058da31c9311ff4379b0c3b2cbf7d11b89
-
Filesize 1.3MB
MD5 eb822172a474ed54921efc1b21247a7c
SHA1 331adb4625d9a1fc5932b9e04ef9bb831a2300dd
SHA256 a9780c112ff8e9b3d5dd07000c0e0fa0579cf68af278d6a328983cc28fa19229
SHA512 df7ce5bd10a81dc376e9012ed6a148a3187d80fc602b886006d57c224118ec0e66923f7b8b8b361084fe2f465d4d09f2d046b6808739a61ad4d26bfad76ad721
-
Filesize 1.4MB
MD5 47781c8d0a2139863a633ae65ac0b594
SHA1 104dd3be2b51700fa86e90e267a7462a08ef877e
SHA256 cfc589e1960f06082ee929eb3432ea191f1910d3bcad107f91bf71e911e19cb3
SHA512 25dd5dad69a384f93e5726e5e240ff16b490dee38d368da1f89fd50c3e5d95703d77f11dc34aeda2f5c9afd42dcafc9e5757ecb1c80bf5e845d8a76a50f96f70
-
Filesize 2.1MB
MD5 4eb477c1c00db38be29621b6a5c2c8fe
SHA1 ae8d64cc06a78cf11ba03ed721ca8d3c4011e1e6
SHA256 dbace5e7134402b40a7452c1db08811a9a1c39caf3b987e2704bf815e71736ef
SHA512 c3774651899a852321f808a3e7b9e4b68ba84bf3692f6f876ca051db7d32afe66718cb7dfa150709364ff84ec8c1e60c180b724ed78452b95eac5d1777760090
-
Filesize 5.6MB
MD5 ec5ce3fb49db6347d5f7c808f144b2f7
SHA1 3a0fddc0dcc0bb2b3ecfa741390e20e1599c8c14
SHA256 1de2000b3b5aa2f65e0fd51d6daa4ecf78dce7c21d141f36cd6e503a7c6be6ad
SHA512 db6bac9fff327d09bda5c269309015997bb0139bd168b9592fe7a7cb6492d89aa852d2be0d89f2ea10c9a0c83d6691195ffa937b49a01435a6c166e7d08c6c0a