Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 10:39
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-15_cebb3fe73f34a06ccbab1ffde2529795_avoslocker.exe
Resource: win7-20240419-en
General
Target: 2024-05-15_cebb3fe73f34a06ccbab1ffde2529795_avoslocker.exe
Size: 1.3MB
MD5: cebb3fe73f34a06ccbab1ffde2529795
SHA1: e68f755b1bac9c3904ff0db471234176befee4d3
SHA256: 2e518600f713c2bf94f62ea79b44880e1bc38336893b77fca846007bef1d70e0
SHA512: 14d049759bfef9523201d68e36f4d2195303736c24a5098c3ec3c7d0619f25f4af90593a5de2e18d73ed4d42a51e76c37e8cc36514efa7658a1acfc68a43ad5b
SSDEEP: 24576:w2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedQt/sBlDqgZQd6XKtiMJYiPUW:wPtjtQiIhUyQd1SkFda/snji6attJM
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid   Process
2032  alg.exe
1956  elevation_service.exe
3952  elevation_service.exe
940   maintenanceservice.exe
3880  OSE.EXE
4576  DiagnosticsHub.StandardCollector.Service.exe
1588  fxssvc.exe
1624  msdtc.exe
3464  PerceptionSimulationService.exe
3136  perfhost.exe
948   locator.exe
4180  SensorDataService.exe
4464  snmptrap.exe
2392  spectrum.exe
3612  ssh-agent.exe
1836  TieringEngineService.exe
924   AgentService.exe
1012  vds.exe
2688  vssvc.exe
1160  wbengine.exe
4328  WmiApSrv.exe
3488  SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-15_cebb3fe73f34a06ccbab1ffde2529795_avoslocker.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\20dc9d691ed82f9f.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
1956 elevation_service.exe (7 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3032 2024-05-15_cebb3fe73f34a06ccbab1ffde2529795_avoslocker.exe
Token: SeDebugPrivilege 2032 alg.exe (3 occurrences)
Token: SeTakeOwnershipPrivilege 1956 elevation_service.exe
Token: SeAuditPrivilege 1588 fxssvc.exe
Token: SeRestorePrivilege 1836 TieringEngineService.exe
Token: SeManageVolumePrivilege 1836 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 924 AgentService.exe
Token: SeBackupPrivilege 2688 vssvc.exe
Token: SeRestorePrivilege 2688 vssvc.exe
Token: SeAuditPrivilege 2688 vssvc.exe
Token: SeBackupPrivilege 1160 wbengine.exe
Token: SeRestorePrivilege 1160 wbengine.exe
Token: SeSecurityPrivilege 1160 wbengine.exe
Token: 33 3488 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3488 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3488 SearchIndexer.exe (24 occurrences)
Token: SeDebugPrivilege 1956 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3488 wrote to memory of 4732 3488 SearchIndexer.exe 117
PID 3488 wrote to memory of 4732 3488 SearchIndexer.exe 117
PID 3488 wrote to memory of 2296 3488 SearchIndexer.exe 118
PID 3488 wrote to memory of 2296 3488 SearchIndexer.exe 118
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_cebb3fe73f34a06ccbab1ffde2529795_avoslocker.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-15_cebb3fe73f34a06ccbab1ffde2529795_avoslocker.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 3032
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID: 2032
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1956
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3952
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 940
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 3880
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 4576
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 4456
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1588
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 1624
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 3464
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 3136
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 948
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4180
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 4464
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2392
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 3612
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 4360
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 1836
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 924
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 1012
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2688
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1160
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 4328
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3488
  Child process (parent PID 3488): C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 4732
  -
  Child process (parent PID 3488): C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID: 2296
  -
-
Network
MITRE ATT&CK Enterprise v15
Downloads