Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 10:33
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe
Resource: win7-20240221-en

General
Target: 2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe
Size: 1.3MB
MD5: ace93e4e5cf167e3636e0e0f6b43aa6d
SHA1: 3b789ad469e67ebb3307ea4e6345df0299baf047
SHA256: cc36ad76f4c4156dc8ab9aa8fe88a27039deb778949ac6e8ca078555f2c88fb0
SHA512: 31841cd8c9028ec10723e64ad39909b0ede3619b716d1b24f72c8b038abcdffddf70745c4fbed2d064c3b32752fd8215e077a0d92a72bbabdb6a0899f3e4973a
SSDEEP: 24576:o2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedIsRjhm0Ijr/eax8JXO02q3A:oPtjtQiIhUyQd1SkFdIEjhMjSax84

Malware Config

Signatures
Executes dropped EXE 22 IoCs
pid | Process
4076 | alg.exe
5968 | elevation_service.exe
3732 | elevation_service.exe
960 | maintenanceservice.exe
4688 | OSE.EXE
3832 | DiagnosticsHub.StandardCollector.Service.exe
5240 | fxssvc.exe
2520 | msdtc.exe
2376 | PerceptionSimulationService.exe
4780 | perfhost.exe
4132 | locator.exe
2104 | SensorDataService.exe
5800 | snmptrap.exe
2176 | spectrum.exe
736 | ssh-agent.exe
3228 | TieringEngineService.exe
5044 | AgentService.exe
4552 | vds.exe
2928 | vssvc.exe
2368 | wbengine.exe
2112 | WmiApSrv.exe
1740 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\c6f9698892be0f3e.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | elevation_service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db | 2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | elevation_service.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
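The three file-write sections above share one pattern that the flattened tables obscure: the sample itself opens only C:\Windows\System32\alg.exe and an Adobe pcd.db for modification; alg.exe then opens Edge's elevation_service.exe and dozens of other binaries; and elevation_service.exe in turn opens the System32 service binaries that later show up under "Executes dropped EXE". The Python below is an added triage example (not code from the sandbox or from the sample) that reconstructs that write chain by taint propagation: any process whose image file was opened for modification by an already-tainted writer is itself tainted, whatever it writes afterwards. The event list is a constructed subset of the records above; the protected roots, executable suffixes and servicing allow-list are assumptions to tune per environment. Caveat: "opened for modification" means a write handle was obtained; the report does not show that file contents changed, so a hash or Authenticode check of each listed binary is still needed to confirm infection.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Sample name exactly as it appears in the report.
SAMPLE = "2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe"

# Constructed subset of the report's "File opened for modification" records,
# as (path, writing process) pairs. Order is not significant.
EVENTS = [
    (r"C:\Windows\System32\alg.exe", SAMPLE),
    (r"C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db", SAMPLE),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe", "alg.exe"),
    (r"C:\Program Files\Mozilla Firefox\updater.exe", "alg.exe"),
    (r"C:\Program Files\Java\jdk-1.8\bin\java.exe", "alg.exe"),
    (r"C:\Windows\system32\config\systemprofile\AppData\Roaming\c6f9698892be0f3e.bin", "alg.exe"),
    (r"C:\Windows\system32\TieringEngineService.exe", "elevation_service.exe"),
    (r"C:\Windows\System32\OpenSSH\ssh-agent.exe", "elevation_service.exe"),
    (r"C:\Windows\System32\msdtc.exe", "elevation_service.exe"),
    (r"C:\Program Files\7-Zip\7zG.exe", "elevation_service.exe"),
    (r"C:\Windows\system32\MSDtc\MSDTC.LOG", "msdtc.exe"),
    (r"C:\Windows\DtcInstall.log", "msdtc.exe"),
]

# Assumed policy: directory trees whose executables normal user processes never rewrite,
# the suffixes treated as executable, and servicing processes allowed to rewrite them.
PROTECTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}
SERVICING_ALLOWLIST = {"tiworker.exe", "trustedinstaller.exe", "msiexec.exe"}


def is_protected_executable(path):
    """True when path is an executable file under one of the protected roots."""
    p = PureWindowsPath(path)
    lowered = str(p).lower()
    under_root = any(lowered.startswith(root.lower() + "\\") for root in PROTECTED_ROOTS)
    return under_root and p.suffix.lower() in EXEC_SUFFIXES


def propagate_taint(events, seed):
    """Return the set of process image names (lower-case) reachable from seed
    through 'tainted writer opened this executable for modification' edges.
    Iterates to a fixed point, so event order does not matter."""
    tainted = {seed.lower()}
    changed = True
    while changed:
        changed = False
        for path, proc in events:
            if proc.lower() in tainted and is_protected_executable(path):
                name = PureWindowsPath(path).name.lower()
                if name not in tainted:
                    tainted.add(name)
                    changed = True
    return tainted


def verdict(proc, exe_writes, tainted):
    """Provenance beats the allow-list: a servicing binary that was itself
    rewritten by a tainted process is not trusted."""
    if proc.lower() in SERVICING_ALLOWLIST and not tainted:
        return "allowlisted servicing process"
    if tainted and exe_writes:
        return "tainted process rewriting executables"
    if tainted:
        return "tainted process (image written by tainted writer)"
    if exe_writes:
        return "review: executable writes by untainted process"
    return "benign: non-executable writes only"


def triage(events, seed=SAMPLE):
    """Per writing process: number of protected executables it opened for
    modification, whether its own image is tainted, and a verdict string."""
    tainted = propagate_taint(events, seed)
    exe_writes = Counter(proc for path, proc in events if is_protected_executable(path))
    writers = sorted({proc for _, proc in events})
    return {
        proc: {
            "exe_writes": exe_writes[proc],
            "tainted": proc.lower() in tainted,
            "verdict": verdict(proc, exe_writes[proc], proc.lower() in tainted),
        }
        for proc in writers
    }


if __name__ == "__main__":
    for proc, info in triage(EVENTS).items():
        print(f"{proc:<70} exe_writes={info['exe_writes']:<3} {info['verdict']}")
```

Run over the full record set, this turns "64 IoCs" of Program Files writes into a short chain (sample to alg.exe to elevation_service.exe to everything else) and a list of binaries to verify. Note that msdtc.exe wrote only log files yet is still flagged, because its image was opened for modification by elevation_service.exe first.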
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
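The SCSI signature and the processor-information signature above are both fired by Windows service binaries (spectrum.exe, SensorDataService.exe, TieringEngineService.exe) whose on-disk images elevation_service.exe had opened for modification earlier in this report, so the report alone cannot say whether the reads are anti-sandbox logic or those services' normal device enumeration. What a practitioner can do is attribute the reads per process and flag which of them actually touched hypervisor-identifying strings. The Python below is an added example (not from the sandbox or the sample) that parses the flattened "<action> <registry path> <process>" records of both signatures, extracts the SCSI vendor/product identifiers and CentralProcessor reads, and summarises them per process. The record list is a constructed subset of the records above; the VM_MARKERS list is an assumption, and the DADY disk vendor string is deliberately left unclassified because the page does not explain it.

```python
import re
from collections import defaultdict

# Constructed subset of the report's SCSI and CentralProcessor registry records,
# in the flattened "<action> <registry path> <process>" form the report uses.
RECORDS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe",
    r"Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe",
]

# Assumed marker list, matched against "VEN_<vendor>&PROD_<product>" upper-cased;
# first match wins. "DADY" (the disk vendor in this report) is intentionally absent:
# the page does not say what it is, so it stays an unknown vendor, not a VM marker.
VM_MARKERS = [
    ("VEN_QEMU", "QEMU"),
    ("VEN_VBOX", "VirtualBox"),
    ("VEN_VMWARE", "VMware"),
    ("VEN_MSFT&PROD_VIRTUAL", "Hyper-V virtual device"),
]

RECORD_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\\S+)\s+(\S+)$")
SCSI_RE = re.compile(r"\\Enum\\SCSI\\[^&\\]+&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)", re.I)
CPU_KEY = "\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\"


def parse_record(line):
    """Split one flattened report line into action, registry path and process.
    Returns None for lines that are not registry records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    action, path, proc = m.groups()
    return {"action": action, "path": path, "process": proc}


def classify_path(path):
    """Return ("scsi", vm_label_or_None), ("cpu", last_component) or ("other", None)."""
    upper = path.upper()
    if CPU_KEY in upper:
        return ("cpu", upper.rsplit("\\", 1)[-1])
    m = SCSI_RE.search(path)
    if m:
        ident = f"VEN_{m['ven']}&PROD_{m['prod']}".upper()
        for marker, label in VM_MARKERS:
            if marker in ident:
                return ("scsi", label)
        return ("scsi", None)
    return ("other", None)


def summarize(lines):
    """Per process: how many SCSI enumeration reads, how many CentralProcessor reads,
    and which hypervisor labels the SCSI identifiers matched."""
    out = defaultdict(lambda: {"scsi_reads": 0, "cpu_reads": 0, "vm_indicators": set()})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        kind, label = classify_path(rec["path"])
        entry = out[rec["process"]]
        if kind == "scsi":
            entry["scsi_reads"] += 1
            if label:
                entry["vm_indicators"].add(label)
        elif kind == "cpu":
            entry["cpu_reads"] += 1
    return {p: {**v, "vm_indicators": sorted(v["vm_indicators"])} for p, v in out.items()}


if __name__ == "__main__":
    for proc, info in summarize(RECORDS).items():
        print(f"{proc:<28} scsi={info['scsi_reads']} cpu={info['cpu_reads']} vm={info['vm_indicators']}")
```

Run over all 64 SCSI records plus the two CentralProcessor records, the output shows that every QEMU and Msft Virtual DVD-ROM hit is attributed to spectrum.exe or SensorDataService.exe and the ~MHz read to TieringEngineService.exe; the next step is to diff those binaries against known-good copies, since the file-write sections show each of them was opened for modification before it ran.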
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c75c884b3a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0b1a484b3a6da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af61b584b3a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ead5e984b3a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c75c884b3a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005e9fc84b3a6da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2d22785b3a6da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
5968 elevation_service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found (2 entries)
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4776 2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe
Token: SeDebugPrivilege 4076 alg.exe (3 entries)
Token: SeTakeOwnershipPrivilege 5968 elevation_service.exe
Token: SeAuditPrivilege 5240 fxssvc.exe
Token: SeRestorePrivilege 3228 TieringEngineService.exe
Token: SeManageVolumePrivilege 3228 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5044 AgentService.exe
Token: SeBackupPrivilege 2928 vssvc.exe
Token: SeRestorePrivilege 2928 vssvc.exe
Token: SeAuditPrivilege 2928 vssvc.exe
Token: SeBackupPrivilege 2368 wbengine.exe
Token: SeRestorePrivilege 2368 wbengine.exe
Token: SeSecurityPrivilege 2368 wbengine.exe
Token: 33 1740 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1740 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1740 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 5968 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1740 wrote to memory of 2580 1740 SearchIndexer.exe 123
PID 1740 wrote to memory of 2580 1740 SearchIndexer.exe 123
PID 1740 wrote to memory of 2296 1740 SearchIndexer.exe 124
PID 1740 wrote to memory of 2296 1740 SearchIndexer.exe 124
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware families routinely reach this COM API to enumerate and delete shadow copies before encrypting (ATT&CK T1490, Inhibit System Recovery); the signature records only that the API was used, not that any snapshot was removed. On an affected host, list the surviving shadow copies with vssadmin list shadows before counting on them for recovery.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_ace93e4e5cf167e3636e0e0f6b43aa6d_avoslocker.exe" 1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4776
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4076
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe" 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5968
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" 1⤵
- Executes dropped EXE
PID:3732
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" 1⤵
- Executes dropped EXE
PID:960
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" 1⤵
- Executes dropped EXE
PID:4688
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe 1⤵
- Executes dropped EXE
PID:3832
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv 1⤵
PID:4052
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe 1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5240
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2520
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe 1⤵
- Executes dropped EXE
PID:2376
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe 1⤵
- Executes dropped EXE
PID:4780
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe 1⤵
- Executes dropped EXE
PID:4132
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2104
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe 1⤵
- Executes dropped EXE
PID:5800
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2176
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe 1⤵
- Executes dropped EXE
PID:736
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc 1⤵
PID:1268
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe 1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3228
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe 1⤵
- Executes dropped EXE
PID:4552
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe" 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe 1⤵
- Executes dropped EXE
PID:2112
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding 1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" 2⤵
- Modifies data under HKEY_USERS
PID:2580
-
-
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 2⤵
- Modifies data under HKEY_USERS
PID:2296
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 24805374e5452e9106d158dc1e51dc55
SHA1 a778740d5c495b5cfe16e05457df6e4ea0ee7d91
SHA256 92589680d89e3f6c61f63324e887a5d730591fef985eb19ac90355dc9eb9c1a5
SHA512 3b5058eef541a64909d7e447349f974d1ebab7d89da4293846c117c79018f52e1b3d72a11633d38799281bbb31c96b542b960bc18cbc20f439ba1fac9fc11335
-
Filesize 1.7MB
MD5 81e4aeb28a48338b16d36341938cdeb2
SHA1 0bd3e831bdf20329ff3244f72cdaf74e8a393f66
SHA256 95e64afa22f810e4f55c80974b673e9165799ae9230edac9aa4d760258e02dc7
SHA512 c02413734217b38810eb58987a64b­b9c644bea6a3febd355c3fc1d9d2c09eb10022229fbc9fe7da4d8ec4231cb2183b37b1d688f1f377c9c0461172098552ba9
-
Filesize 2.0MB
MD5 0f073a810d6b3348c0b156d5cbdddf09
SHA1 655b182724a7cbfce1628060980a2d265f4b200b
SHA256 02e8e6f2051957be257759900a4259e7e5e965a7ae957416751844dab8b4e086
SHA512 f86a2112ce7514cd3bfa78f78e934f025f797f961a9528eac3e7349515bdcda95efd1184ef685b77f5c5b171db768130464709df4c18f437bf0088e21a76fbf1
-
Filesize 1.5MB
MD5 ae5abd7367a122f147b039bb9c7666cc
SHA1 a7f95df1c6c1d5cb055ff7a0fbcdf9f2bd724d10
SHA256 858485fce75abac1df1e857742f222559137ae7788b0005660d1d894c213a5ef
SHA512 d0d3891591b5990272213a355d2de44161f8afa66c4068c19bb1f927487f8454327704eb2dc635c12286b8946539200192be68053a8fce36414f2b6cf51f3a21
-
Filesize 1.2MB
MD5 2a716ecb654e7277e78593a482986237
SHA1 99e87ee35dc12998d4fe27a864c08c3b41fb7bc4
SHA256 40b775702edbb34b4d1ed0625b277a2a25e5f233717c7b4d70a73115a16c3735
SHA512 b1c165c2a658dafebcddb6ae8418c87e8a1659545065046ef5a26f2a5a0c4e904dd59ef2b9d6162dab9727a27fd7d6dd8edd98bde360337a533e350640504b3d
-
Filesize 1.4MB
MD5 434cb7b24c5255942a9f9436d4747722
SHA1 cc4bb6b66271db78e5ddb4665a0bc05e9633e036
SHA256 01de26edc7ae3c5b36d50e56fc9bb98d8c68b08abedb1ecee7562f027b079e06
SHA512 b09fe3d3ee422970bba26be398375c9db0d1151398cc10623b3d57c58f9aa590132cc893270bfa65b8285b9029ad3e6e9955aac0d0dc1dac99dd0e96f8f979e2
-
Filesize 1.7MB
MD5 8bc2054a62f1f414bc7be7ef1a508547
SHA1 3031f067a6504ceb5b206196c299c14bb8e77a17
SHA256 791ab888f250de9ea4ab6b3967d5ada21d45c8cfb2610cafc1a8f7b886701ecd
SHA512 ad6df639781fea826bd9ab792f9b506dddf4ddcc65f8ba98e76718c2806c2fcb264a806d285fe9838181f2f8dca7970859906f45ba7600fa254c77941941825a
-
Filesize 4.6MB
MD5 22ef18ee22f8f79c120c91918e637e95
SHA1 0aa4805991d80a6fae2fc7debe79b26c5e82f119
SHA256 f35fd651ba2b9755de48c31020972fb0ef9734fce67f345101a10682575530fc
SHA512 dd59e89524e0434c6c7fdcd08c480d3acb2ecee1a079a02193d67b0faa6b5700a9cb56c2e54ab9c570bc6a44a83aa22487ced6c3f44dae980b4c682820aeb41a
-
Filesize 1.8MB
MD5 cbcead92efada181894d9c5638ca4adb
SHA1 630140cd8c42ff67a036b47baaff217e16bef170
SHA256 5e49b0501422f8c11c5b581dc5d530ddf838353c77824adcafdb8ef8312c3c27
SHA512 228bf61506955cf9de7de470b370e056f33276ec58cba9421f31f1d8f0462356e57daeb543c3039e876d017d5bf1f89630da033e91f90e187a8c45664d9c5327
-
Filesize 24.0MB
MD5 6c056ca79b5caaeb7be79bb772ef95c8
SHA1 9e48de58de1b875821043c22000cac37d0ff39b2
SHA256 fb12704bbb84cb9a754fe5361a4601b16c2d123ee667e480754a99bd65f7849a
SHA512 77156879a7efa4441aa469b313aedcce5819253226c50b3f2c317affad56d5148b55233538b02335fecf8b3cfa22ad63fad83d9aae9792bdceaae845a7961d86
-
Filesize 2.7MB
MD5 5e751d41ba3897480c5c801f7f88bfe4
SHA1 c71d215771f1f301a7f22d13c45a5bf17ce61f7e
SHA256 8d7ac56c8546ce43574ad7ab9ebfb24e88103393cb931f7e12ddf1b1993f8b20
SHA512 2cc66e497cb48005a7381c69abb912ec0c15adb91a47a01ff229718ac02010966f22531f2afe9cf65a2431f8d669d9995a2b1dcfdb15497edbd8229845dcafb9
-
Filesize 1.1MB
MD5 f1a7fe336b1d8dfa329f3820cd9c38a3
SHA1 edff088cbf8f28b00eeb729db08477c3faa7eca3
SHA256 421a3651f42dd61d8a6fe6272e1fd607e6261f6ba792aabef037103aada7c8c4
SHA512 8f754554e2ee0bb0f4ad876ccf0bc82fb10dad9711e503230d39e98008301faa17919e63d65f6564617decfdde9d886baa608dbac534826583a1a21e7cb176fa
-
Filesize 1.7MB
MD5 5367fb86dabc9c644036b850f86dbede
SHA1 a43d1ebc5ae3c2a3625c3efcb318bab8f845d886
SHA256 d313dedca79fd24cff2dde21e6ed3c3eeb55a51ef5f748b9abc7a11d21c92417
SHA512 7b1d0b3a7bb9342dbb2ad977ab623b10fb4a7ed2ccb97c1c1625dd69ce3cfdf95b2bc727d6b0bed219595c69df35baeb6381227d8c60c079bd18a4887ba155c3
-
Filesize 1.5MB
MD5 bfbe90c20284dcc1ef76c09330911ea1
SHA1 492ad4a65ed301eb47a3319dbab5d1662e8fe4dd
SHA256 c9bb28c91fbe286fe56ca8a78f23e6b091ad43edbe043e6e0f4af912571d8837
SHA512 2dd7c0546cd2f1bbf339ce459c7919048977638263f55dbf486cb55c23cc004be24b10617d01caac83ac01b4a29a1b57814a6a33d84ecd2921d4910f17a6cb92
-
Filesize 5.4MB
MD5 435c8a9e821e90514127dfcdca02fde2
SHA1 21dc429605d756ca74885ab972f7b13be528268e
SHA256 83394a80c57e748b97a0a1bfd6c67043b6d13bf10e889daaa8bd0eaee386e6d6
SHA512 76a49d74d37d7b64f6a6205f51469fe7f7c1cc3b3e95303393d08dc19bc0929bbe1736dd5de17bb5f8d0f62bd179fd9493c55ee6a99a9a16594803a9961996a2
-
Filesize 5.4MB
MD5 8069234e5dfd5bb7f9000c0e458f918c
SHA1 66166e6e0809e03644bb395fafb1f1a65c1717a1
SHA256 2034df44d4cedc9311204324ee5120161294f71c202ff3522700c72f85741660
SHA512 041dde4f31fb456865475eb9336ef8d4f4052fe409013760d4236dd968bcc7f336d86c46c3ac26ad78f322df3740552533ff7a527294323bf1708c51bcff15b4
-
Filesize 2.0MB
MD5 c3a792882259a8f82a8f0177a778c408
SHA1 3074e2969bdc40714f8f940145d1e60848f95cec
SHA256 2abf4edb4a07ba09d67c3e73a6d97aab74efd6738f73abc047689f90e938424d
SHA512 f1285fd74ec07d7c532041ca656efa48d4c15909e72682fd3fe4813d7410712fbc6bf521f547218e8d8bd51d01c8197cce9e3be834a3e3f3d9b1c403106eace5
-
Filesize 2.2MB
MD5 fcf45e1c882670dd2e78e5da77b93692
SHA1 1d38b61231f79e2fe1731a3f0ad9ca71690eacb2
SHA256 737887d659b44eb8edb0960a277aad287668ad5e5d3ac89d0cd686d96261fa77
SHA512 621c7fe893c028644f84f27bc55bd9e4c5f8a75febf9ad2b4d4a546b2fa4a773905b0ede6816bdb2f6dd927e343b79c70f9145d0e840b4f27b9ec0e85ade5bf0
-
Filesize 1.8MB
MD5 49905255c29d303ae71c64ff9c7c7ce2
SHA1 ec100d1bf9ceb71b9dba758a51b74edb45a0757f
SHA256 2695cc12b3f4904a046c9a5bc169963a5aa9cb328e78f56b4a66316d8f58b671
SHA512 6c4cf028c9cd0f51abfe06ac20457c4487c7e85cdb8999f6a373c220d778e620a992c016692a3fb9429f31a9ca67ca18cc25f2b66041785f8d03176478ab65d5
-
Filesize 1.7MB
MD5 e092d755a17524b8082d7523452cf45f
SHA1 1bc2a30c9f7eba2091b30d202f6af215a7c0511a
SHA256 18be9522419f20f99f1fbb10879efa0ac1230001df4e508b47ced1798b775faa
SHA512 1324698aba993829e65012d03f0f8f6bf47ffacec448e6b08b3cda69e01c00ed692d8a431601a7609a7b02501c1f7ed0931c15c0f22bbfe8ab6727f365181754
-
Filesize 1.4MB
MD5 9ef2ce7aec265cf6568a0ba9c0b48774
SHA1 a8e99117ce06588a938534443c581fc20ba6d777
SHA256 47f65e4a1a82ba4a31c3c0121b48c29c3f550ad8a7f54f048bb3bc51cd54c7fc
SHA512 9a55368a4196171642005b01829df82f8afc5be8d646de915a44b77977d8ed2fe5a342422721c73ab30fd4324d9c6dfb24f8efc145e4f7697e0dded1b16b9af9
-
Filesize 1.4MB
MD5 f929e690631d78c29342b6342bd133ba
SHA1 6893ab193b4c20f77f07c15ed6b6ce8ff58cb217
SHA256 6b1f16baaf3b82039e6486cfcfd481493df3622ee5242c631934c8bedabef926
SHA512 fac80dfba1c780aa16308ac5740a9bff73fb666526e4292349b73e1f0189371251f62251fb0f0086e092f3fae2c4a2c690972009a468e16ac78ffdcb6e0933c4
-
Filesize 1.4MB
MD5 2292fc4e3f64a9e8f340a5f88ee785c7
SHA1 4a5b22375feb5d4ce6d14bf9abe594504ac9ac5c
SHA256 fc5ca7e0c1c2ed57d5e4e6de3435eea7baef30ae13f166477dde43322f9c55c1
SHA512 e7dddf7897c2aa5e4f67a82e331088ec3c9ed0f5346d6da494e8eacc715669eaf1cd2ce74daa40acfe92d676a5d1b8933b1ce75c9f1549f55d1a1793e46f4396
-
Filesize 1.5MB
MD5 be79cb5b0d28ee4a2296bf0f247c94c7
SHA1 08ac216f3aa2773e19fefa26f838be8614cf6e47
SHA256 5b1bb43401cb2ed466bf394075dc19ead4c3270116d47b5a550b28b9b89a35e7
SHA512 6bcabc0c4db38ddec58d75d8bf3b497541cfa57ab1456d7295d5edcdce4013921cd84fac40279550422409a997b5997842c487fbb0a4eba53376d68c6faf2983
-
Filesize 1.4MB
MD5 80a951fb67446d0d7e5d7c50c2febdc7
SHA1 48af8ec418f0c57a2f26cccf84ed903fb36de801
SHA256 4f3c9eb6570a0db68d7f9eb4acf8cdf48879f2751c00c4bae2ddad3871f6e770
SHA512 e4a7479b95800bb50c0cd5c0941c9d88c52e1ce437f203e09c022e2f4fdfb8a913dc042c5ecd1321f392460673811b7516d1ac815481c6c10f156674ca0cfe1e
-
Filesize 1.4MB
MD5 56849df40edee15d1bbb85fa9e09887a
SHA1 d6aa73ffa2d2b43b403accf44aeed12f8b4989f9
SHA256 8335702649536773c0071839b0c526fed5ce2f9c2bfd8df90a111a287225253e
SHA512 c6005f2d69f5986c30f9ad1bd1a146642ef7fc5d97ba412d75c49fd735dce0d1d2d547f8a9005dcf90423751e4decc89d229ce4ff3a5eaf311e5a36081f3384b
-
Filesize 1.4MB
MD5 460b23b54dd449cc647bac7f169178eb
SHA1 1a2e35c46aec2b99a2317ce75f5989b2d3d9001c
SHA256 41bff49b735adb960cf68a55f5cc0f144f7fbe9483602fb61f208cd668d07bac
SHA512 5c4c25ab25db95400b58f4f02a49ef2f93c2e889b19071e06937e9bcf5d923277c7787b7c11144f811cc01a5e49a28b0565d26d5b5839b75e982a30f350bf727
-
Filesize 1.7MB
MD5 ecdbb6e4489b57f2632add366d793994
SHA1 e2aef2a19ba12df8e609c2b226b2b21b37ec57b3
SHA256 6e41c0e810c4f816e0503fdaa850f939cdf9be5bfc8037039a6c1f674b2faa9a
SHA512 737a3c61bad0dac552e4c6028ac68224a2634151ff0fee3dcb4891a4823e8897649f2bdb995cae97ed25561622d076dc5a1904bc511a2b92ea9cff77034ba695
-
Filesize 1.4MB
MD5 72b4282c5dc5fa1d8730c221f6a6b2c1
SHA1 c3d0549c6b5a91b58792dbc035bb28d053f4a6d4
SHA256 cf240fbad12c818858e2c79bd11fb76ccc9ac87748bde9a0cb70c64aada4c081
SHA512 fb0c03157354269f59faf19daf49737a6e26c5086b1e450a7ce9885304982cfd22988476303de15fe4ae93e4a42ea5ba685e972e0d9c53ad0d8a4aa62fd12612
-
Filesize 1.4MB
MD5 7c92fe023d248c1a2037b2e98f3e9327
SHA1 aa748ab42f2e1d547a3b810f4021f4f87ac57868
SHA256 810d7fb47782f5b22b9b0ef4db9e78bcb483890f0a420f0a12eeedf87f3e2675
SHA512 682783c1689b46ee7f85b484e5bf15e5ebf1d8b962d2f6559dda6a26d096b1ee1bfb2e9d6d8f2c77d77144432ffc3a05027b9d86f1138945cd8685d38ce00ff3
-
Filesize 1.6MB
MD5 a18fa8282230164bf60cbbcee20e64e3
SHA1 0f9e84b62efc78f78340bb5e1e3dd031ede5ef3b
SHA256 f2af89a5aa5b85b55a3ee80363815d1105b9d3f715c24ee7eb3a3ec5c93e5dd2
SHA512 9039135d9721cb51dad00d8690aaa5f2f1f89b75cd325e3037cd33c1a857c23692ec42da68651ace7c8b3a5d1941c26a339f3a7a82ca83f1eeae376162a74575
-
Filesize 1.4MB
MD5 ee690fed4468804789e204c7c8c5d8d5
SHA1 1ecb5b92533e44c1126db951f5dd263bfbb3b59d
SHA256 32b77f44b32854bd2dfbe68e441c971f14647cfadcbd75f1f87854954d22c5fc
SHA512 c1defcf0fb5043f667d7e8d00c3bce8eff6d942ddab2b1063770eb48d1ccd0dfba46541d24883f27549763681cecae7cc997418ccd02696b3c459a4c52684f42
-
Filesize 1.4MB
MD5 af105b0674a5e23a35b9b4a6745d3b61
SHA1 a9506a87f880d888b2380be195d23a940a2fb403
SHA256 e64d96520bb255ef9bd0be31bed4db94e9d1c52a2de8be7171547b9b5daee25e
SHA512 3fc37040be37c2aa3372b323f3ee298b14a71b2fa4303295609a6cb5d71306d614fb37455245d73eca526b5894a6464135dccba3d41d8938f0d73744ec721893
-
Filesize 1.6MB
MD5 3c2ad556d9cabd72055a36a58dae6ac8
SHA1 96cb48655a9f5c1efc701f2201cc218f6fe511c0
SHA256 2874051a199269b4cd42e41395ec03317fd57aaf988b9dba2bf57439b642ba7d
SHA512 035627a058c3239839ff3bec4f7127d810f6cf9324e1a3ee137a20f7d10c2c21496c0810faa2dc22ee32c0346c3adb2e4c877a38b45347cc5fa6786cc9031531
-
Filesize 1.7MB
MD5 d97b09ab403e521ea6b4b8ee265a205a
SHA1 bbe0918ff7c9f9cca50a02fc3f45cd81993c7b8c
SHA256 cbca8fe9d7c0745e075fef57512e02b77e94b8c56f4255aa3757e0c1e2d42f6f
SHA512 56dbfb33a6739a98fd180278d877fe984303e0e5bd28f0f98c2b3391c7ce14b0babecec1fb7bf92fb6b5d5766ec93385c8632b177eef806265ffdf3d78ec8cbf
-
Filesize 1.9MB
MD5 761fd0530d7ead74565c9443fb367c47
SHA1 e4556caf301e76ae24d2c90472e25dbb7ee40a72
SHA256 a589165706955d506adb8100c5b1ec62637b90f2b189155f408cb3ee996bc20e
SHA512 405f2b1673e68d656f56abea39937e51baa1c01966a44709cdc765be53b2c7e3b3843f0e3d0964755f86f7444347d4cea07141cee58274665403ff9483a33362
-
Filesize 1.4MB
MD5 c77069db9fa35061d670347b52a5c9b2
SHA1 e22c87787db349ce405adb63ca858c5cc89948f0
SHA256 e93d881262b8ffa836c28daf27cab9787503a7777b3e2493b133a4179d1039b9
SHA512 14904ab900c898b5e04f8d15d9a5fdcef261190e8f804ad2fdaa570c90bb401e49062cd8b721b4579cfee354485c07cb795f70ea1f3a75fe62df007a7415fa0b
-
Filesize 1.4MB
MD5 11122717688ef00236fc3a83ff60860b
SHA1 eeb748343de71af90cb710761fa9d475aaf038a8
SHA256 aaf209ff7df246d97bc7f9274ef721bde9a62a366ac1a8deb2f7b005de1b5705
SHA512 95fd577bc915f34b85ddbadbf57727e504af6b41756ba5e67930b36eefa2bae55ac6b78348056d402a9b5692846b5f48c6f41f8159e82c9e9598d243d55d651f
-
Filesize 1.4MB
MD5 7e80e15902ef499ed112c22a03bb4c6b
SHA1 30364713fc190d8af8fc24ff8c4ec9ab5e5f3369
SHA256 70a3b30d6e0bcbde46154c16403e14b1c889b7e7103632d13ece1b3511c4a650
SHA512 059af7e19839094365ff55758beb9be132eddb7af345b8d911e8655ce1be2adf469d900366192292e08e8061c3a52602defe30dc954a3a3eabbf65848310e57a
-
Filesize 1.4MB
MD5 b5f063670a8369dff6b5fd6a50be7ec3
SHA1 4966e083ea04f2a116621db6030ab85c9fc8fc58
SHA256 8466e4eea30fd656052921d174ac41ad2dfdca14e6c8e68e7c79ff4b2487a92d
SHA512 9f161a94b8701b7eea9a1be1fdac1dd113f78cb3f2fbc25b7746b49fae7179b6ce274170587160809deddcfbb28e2e89d50914f4023b7b55705fe3023593f018
-
Filesize 1.4MB
MD5 d9c0d5cdd5ba9bf3402a5c351da5e17c
SHA1 f9fba8d0987c83605cb63c73e5c369efa05d8a37
SHA256 80d4adbb5401eb5bd2620e896e118816f11e1e6b32bf75001baa056e5d1ac00a
SHA512 9d75dd09328354508875e05958d3d5af639693c514063ae32e31accba495155856041bb323c5579c4f2b45d4d1faf4c7fdbec396dcd621a7f701d17e4c3d2112
-
Filesize 1.4MB
MD5 5c6428dbc49a13efd60eadb987a2651b
SHA1 f27750a08faba88e02e84dcf1256f871f82f71c1
SHA256 6ce124f6e1a0c1307fde4a0787d1a5a77954e534586becf6f88806c91472a15e
SHA512 57528c779144a6e06ef7e1c3e9794a3b8276e624b4eb39a34a44228cea93200ad850402550fd73738cb9cdc26a54e7b8b6bc494a581489a6d0e572206b924f33
-
Filesize 1.4MB
MD5 e0a3f6719bace1d19495df23b8233ea4
SHA1 2597e92c4f147f3ecc40f84466cf8059541d21ee
SHA256 e88fceae8c35eb1ac08d9c0c7509cab40ab182deed2a7686833e8d8f173feb00
SHA512 edae3ba16020cb505bd7e2df4a9429e6e0544921b71084d6d21d3b350f00c3325b8a7783586235e8344c22ed9cc97070df1f10136753e969771cc3a405f83529
-
Filesize 1.6MB
MD5 5b438b098e54c7534dc1e03a277f8e20
SHA1 20c4bd1c4be714f604f55ae9882f39e5f8cae126
SHA256 b92207bef9ff484bf938b175e67ad56a6241e16bd9b7efb2ba93a08ca21735d1
SHA512 27d69ad8f905fdcfe4b0f947d750dc382fe3f4747f9877c310411fdf452878b8e34cb1a7e39d2a5d5cea8ce92d87f8f5513c1d036079f3d6ff82765426caf625
-
Filesize 1.4MB
MD5 697804019944f637af1a771636311218
SHA1 eb00aa95da9985196bcacb165a5ce18fa5aa27b3
SHA256 85f1d4b03991d3e01ce88410c602db283c2bb1cb24c92b6d4faeddc5a6e56488
SHA512 a78ce4f4e637992d08f12e075b4d5666b4607fd3e3433495e5a687006305b68f33d6b480749f7f0cae875b5417a5fe23e9d7fe470db9c77294f0f72e652c374b
-
Filesize 1.7MB
MD5 ac52f1b912c68c83c81b7b4aa8bab57e
SHA1 44f7e91cee8fdc85706c8c89a9e8d25059f57db6
SHA256 fbf837b73a82853c679458538319c289f0c9a1056dcd61f4d521879f4424ce89
SHA512 7cf645206a902783f99eca6cec81a02f01af6efb5d66110c2d7c7aba0029e15966e57be44f40a1744976df44c40be194e8453c71ffd61d45304e086bbd6c0c10
-
Filesize 1.5MB
MD5 cdd3655a1be1d6fb42b306d8d4e1e50c
SHA1 30ab03b9546193f23835eb68328db565a6fa4acd
SHA256 36e083d06d6d36168753d8baff2438d4da2a2da25c6d77b589503fc4a7d72f86
SHA512 afff697bf28301f56c37d0afb95d2b562f847c28054f43acc34b2473f28e3bab42250e794efb1aea032031f5eaf22109bb1788b15d669d9a047b275b1892218b
-
Filesize 1.2MB
MD5 3ac5174d41ead2294a427a0e9e739c67
SHA1 4f440ca4c8ff3ec0cdcad24fb24646eab9e4a2d1
SHA256 36d870246e75e970861b672f97201a5cae7ebda592054285f2fd366d1be83ba7
SHA512 3398ef0bd0028978e6a31d271f43d3bf875c2d8fde49b6fe94ef209f6130b4ba7aaabe4e846cd306a521540e46b28d7dde98bf481faca611bd9ab2701d255932
-
Filesize 1.4MB
MD5 0196ffe0e3135587d46571b0e717ef79
SHA1 6b60e196e39e29798e976d41418a0e16d25a3475
SHA256 d0fd828b16f5ccb98255bbc9838d63e90265dc3811288104ef7f11e5a1ee6fb2
SHA512 def702c3c0f90286d81cb7ab53f5e7d2d7347018f4e210c9630c5949da492ee60f3e68ccf0a6192253843333abf2fc4a35c22cf44233f7daf24f930b7c15bb23
-
Filesize 1.8MB
MD5 f60826683b9de81eb38b31fefda6c23d
SHA1 759b697aa35f1f3db448edaf0ca102a14e284f1d
SHA256 8d706fd6f439d828bcc645f4592d85eec59ff778d4fbcf2689271f74db93a593
SHA512 7be781d5600e680dbc6c7b5438cc060dffa09297ab483ccd8053663b0ae3d4398c626ab0e4545dbf6d94619fe7433c27ec2c6da33b004b131918b583fdab6957
-
Filesize 1.5MB
MD5 9c4173cc3b5ff45deaa40e502dfa6d77
SHA1 c917c0d317195dc00261943247bd3fe474185581
SHA256 502f03e7cb81e25ad631112f8428265511bd17949980c37f5030955a706d186f
SHA512 4f7aef98968cda8a81e6780437e5676746f03c6be46b590eee96d817e0432f3de8395a9d298ef07702507abd8256586639c44e6dc1a0f1aecd11228b115af94e
-
Filesize 1.4MB
MD5 9351f7ed53338d49190ce1e23d8222c6
SHA1 0c8aa8fc07b082de5f749eed2cb1a620081a7aea
SHA256 fdb45bc401983d4fff270d29e611cd1414ae0a43c68dab81cb409a4337236f30
SHA512 09d41a5313991ddf60d3db5009a6dec61b0ac295c585a80313b5ccca9a698c7c1057f4f32457a8727bdea6d3afe9dfd6c252d56bc846db93e4eff9114bc090d2
-
Filesize 1.8MB
MD5 625bdb126ab413da1ef84a8df8a9c36c
SHA1 58579dd71b7d017fc80f9fb660cdee7069e87315
SHA256 5edd7d28edbed218ec17d26c75b3b40f8afebdf778e2a0b70f9ebc270ad131ac
SHA512 5f3a90daf6b00b05e05be8cd092254eb160938a2485ab94543a845d39c7e3c748a32b30cddc372f5d9775bc99c855002abed289b343c5bee215ed2057631ddee
-
Filesize 1.4MB
MD5 9470850ee29d69175fb0fa60ae3da9d6
SHA1 bd63b1124fcbd3a93ee0c3b21254db9834dd8326
SHA256 4c96c1cce8df5fcca335511c0199b704f2586b2b0f87f3965d54934650c891fe
SHA512 3f541c330cc138dbd515fa8f572ded409bddc39e749167fe9b0911fa5dc1bcb6ce38bf43659e122735d940edf2a43a75433617f4c8ea803c3a2d3e5dface41af
-
Filesize 1.7MB
MD5 8b474563a7b3fec62b9cbaed854b5e71
SHA1 3a6166141b1349d3e108e6babdc85bd5a0ca8c34
SHA256 cc57e15600c136d9e1ed33e31142050f5a846bdc9a4569bb00433a4d0ab2f4f0
SHA512 6a18abc82bce7025d810ecf3c0f56966f6f2aad771bad209307b9e1bfe12e68c92db5ea439ec2e7544f6843a24c63d64ff4ebeb11dfa4f629e19dd70822d102c
-
Filesize 2.0MB
MD5 5a6a5b6d52e0c8fe2dbc4792056bd4f7
SHA1 2f6bf84aeab626752218f0f9935e3987d63cd5c1
SHA256 c803f355e3bebd41ccf46984426b280c222a0cfd72b7f6e4c862512c2a10c9fc
SHA512 b0a16ed2bdee6ca01b425b46a248739f0d6918a90e36e001903ee5cea974dda5e5b1915b0809dcf334bbc436a851e76c61ad895bb0f199e5ca974a8f7b7b43d3
-
Filesize 1.5MB
MD5 8fd34c521b8435729495f842ec2557e3
SHA1 7b3bfbfb0e19347c42f0fe98e24ff6d5f6a10a83
SHA256 03dc85c6cfed9ef29bd1dddc05baf0c2249ff9a9faebe034db65e62fb062b58f
SHA512 9e710d199bea858db89243a2dd0e2fb8c0506472fc97848e97636d33e272e5f25ade43ec9e2cbc796e0dc6c29d0e384d109f766f3ba0110ac6c6aa25ff6add3d
-
Filesize 1.6MB
MD5 6acb4e3ed022f89b6bbe7967a0d0ee43
SHA1 b6c40619392cc473d82410e50b453aea944e15b1
SHA256 b0b1f267af2ef26c4a4e0d64550f78186e062615f47409123ab961679176f1fd
SHA512 ff173945f172d1ccc5626f70ed226a78771882c3e1fbaf2a9d8aaade7485952834536993ffc3b9fb388861a25829ba717da98be9402ca27715db40e3d3bdf4b1
-
Filesize 1.4MB
MD5 7d8d7728a376d216c1673f1c599204b2
SHA1 6171c8a292b7805255cd4df742e05d62189ef261
SHA256 2791ffd162b74aa21fc5f83b5df6d36b25ecb87f9eb1cd4f649a7ec61e1dd9c1
SHA512 44c79eabdb1b5eedeb566abe00741ae9cb38b731338c73e54875fc92d4a1b4dd88c9064be56ac5c1fbc2fc5bbca981b5383364d74c804886432fc0377fe8b311
-
Filesize 1.3MB
MD5 8a76e1a1bf98a31bce32e346e9e89420
SHA1 2b3dc2f0d91201492324a01c9d38687da25863d5
SHA256 9680681180976987a73de0255a4dd3a451321369ba48af8d9deb62672c5e14cc
SHA512 d35d113f013190fcdede4bf4e2a2af6bc64172527e7e92ba5f114dd09257d0f9a29b54888863cece4bc6d1dfee3275034328960fbd16a7d066adb6e1199dd09b
-
Filesize 1.6MB
MD5 cdafb0accd7d589f238a2a45671307bd
SHA1 42cfb4f33c8d95b257cd49621423d938ea3104b1
SHA256 3915c7863c81e93ff860b276659507b5f6e4af2e44ad7ade6e1a03b0ddd6f681
SHA512 3eb1c4a65e29329304099658fb4ba176d5b3ca3b793cdae39edeb62562a436db800882f4b6098aa7a7d3f32957a5e4e45ee4f006bb69ad25f8aaa60c728067d2
-
Filesize 2.1MB
MD5 2d55314e41e824d6fd9263516e0a2777
SHA1 6debf36b259324e9c572aa864471e2ffef6b23c5
SHA256 11331fd37a5886526352f92bea4fec9d89136b1650c426a3231920371ce088b5
SHA512 f4efd43fe9204bc9db7fd432edf643772602f011e306061ef8ef12dbad9dfa0a3db1b206b0520c7233aaca5017a5c48bf9777e7a0a0aefb4aa65775022616988
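Each entry in the Downloads list is a file the sample wrote during the run. In this report those are the service binaries that the process tree tags "Executes dropped EXE": alg.exe, vssvc.exe, wbengine.exe and the rest run from their normal System32 and browser install paths, so the tag points at an altered binary at a legitimate location rather than at a suspicious path. A responder wants those hashes as a hunt list and a way to sweep other hosts for them. The Python below is an added example, not code from the sandbox vendor or from the report itself: it parses the hash blocks as they appear on this page (label fused to the digest or separated by a space, size on the same line or the next), rejects any digest of the wrong length so a mangled hash never becomes an indicator, and checks a list of paths against the resulting SHA-256 set. The two sample blocks are copied from the list above; the content planted by demo_hunt and the file names it uses are constructed stand-ins.

```python
# Parse the flattened 'Downloads' hash blocks of a Triage-style sandbox report into
# IoC records and sweep a list of paths for files whose SHA-256 appears there.
# Added example; not code from the sandbox vendor or from the report itself.
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# The label may be fused to the digest ("MD524805374...") or followed by a space,
# depending on how the page was extracted, so key on label plus digest length.
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")
_DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Two blocks from the Downloads list above: the first as the raw extraction printed
# it, the second with a space after each label and the size on the same line.
SAMPLE_DOWNLOADS = """\
Filesize
2.1MB
MD524805374e5452e9106d158dc1e51dc55
SHA1a778740d5c495b5cfe16e05457df6e4ea0ee7d91
SHA25692589680d89e3f6c61f63324e887a5d730591fef985eb19ac90355dc9eb9c1a5
SHA5123b5058eef541a64909d7e447349f974d1ebab7d89da4293846c117c79018f52e1b3d72a11633d38799281bbb31c96b542b960bc18cbc20f439ba1fac9fc11335
-
Filesize 1.2MB
MD5 2a716ecb654e7277e78593a482986237
SHA1 99e87ee35dc12998d4fe27a864c08c3b41fb7bc4
SHA256 40b775702edbb34b4d1ed0625b277a2a25e5f233717c7b4d70a73115a16c3735
SHA512 b1c165c2a658dafebcddb6ae8418c87e8a1659545065046ef5a26f2a5a0c4e904dd59ef2b9d6162dab9727a27fd7d6dd8edd98bde360337a533e350640504b3d
"""
# Constructed stand-in content for the demo; it is not the real dropped binary.
PLANTED_CONTENT = b"MZ" + b"\x00" * 62 + b"constructed sample, not the real dropped file"


@dataclass
class DroppedFile:
    size: str                                   # as printed, e.g. "1.4MB"
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest


def parse_downloads(text: str) -> list[DroppedFile]:
    """One record per 'Filesize' block; headings and '-' separators are skipped."""
    records: list[DroppedFile] = []
    current = None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        if lines[i].startswith("Filesize"):
            size = lines[i][len("Filesize"):].strip()
            if not size and i + 1 < len(lines):  # size may sit on the following line
                i += 1
                size = lines[i]
            current = DroppedFile(size=size)
            records.append(current)
        else:
            m = _HASH_RE.match(lines[i])
            if m and current is not None:
                algo, digest = m.group(1), m.group(2).lower()
                if len(digest) != _DIGEST_LEN[algo]:  # a mangled digest must not become an IoC
                    raise ValueError(f"{algo}: {len(digest)} hex chars, expected {_DIGEST_LEN[algo]}")
                current.hashes[algo] = digest
        i += 1
    return records


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the file so multi-megabyte service binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(paths: list[str], records: list[DroppedFile]) -> list[tuple[str, str]]:
    """Return (path, sha256) for every readable file whose SHA-256 is in the report."""
    wanted = {r.hashes["SHA256"] for r in records if "SHA256" in r.hashes}
    hits = []
    for p in paths:
        if not os.path.isfile(p):
            continue
        try:
            digest = sha256_file(p)
        except OSError:
            continue  # locked or unreadable: skip it rather than abort the sweep
        if digest in wanted:
            hits.append((p, digest))
    return hits


def demo_hunt() -> list[tuple[str, str]]:
    """Plant a constructed file, register its SHA-256 as if the report listed it, and
    check that the sweep flags it while leaving an unrelated file alone."""
    records = parse_downloads(SAMPLE_DOWNLOADS)
    records.append(DroppedFile(size="n/a", hashes={"SHA256": sha256_bytes(PLANTED_CONTENT)}))
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "vssvc.exe")  # illustrative name, not the real service binary
        unrelated = os.path.join(tmp, "clean.exe")
        with open(planted, "wb") as fh:
            fh.write(PLANTED_CONTENT)
        with open(unrelated, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62 + b"unrelated content")
        return [(os.path.basename(p), d) for p, d in hunt([planted, unrelated], records)]
```

On a real host, feed hunt() the image paths from the process tree above, or a directory walk of System32 and the browser install directories. Match on SHA-256 rather than MD5 or SHA-1 so a collided or truncated legacy digest cannot produce a false hit, and restore any flagged binary from installation media rather than from a backup taken after the run.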