Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 23:23

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-30_e04101baa64f67cd2009322aa4c80571_avoslocker.exe
Resource: win7-20240221-en

General

Target: 2024-05-30_e04101baa64f67cd2009322aa4c80571_avoslocker.exe
Size: 1.3MB
MD5: e04101baa64f67cd2009322aa4c80571
SHA1: 4acd8ba7f50437d84af5566be4ac09b6ae6c6bf3
SHA256: 1ac08c536faf9f412fe6f10f64feed01092f80b97fa7f8e522462e60a3ec6bb1
SHA512: dd8f3a693bb5ef43b5f828007e88a0342ea38a0059415fc5c5489ccb3e2a91cbe9fd2b6b776898756e16a13ea602dd40002209abc1baec0fafb871dc70922a39
SSDEEP: 24576:v2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgede6J17W8CX32+KJNA80T:vPtjtQiIhUyQd1SkFd3cW+S8
Malware Config
Signatures
Executes dropped EXE (22 IoCs)

pid   Process
4432  alg.exe
3412  elevation_service.exe
1172  elevation_service.exe
3988  maintenanceservice.exe
868   OSE.EXE
2336  DiagnosticsHub.StandardCollector.Service.exe
2608  fxssvc.exe
4816  msdtc.exe
4556  PerceptionSimulationService.exe
2196  perfhost.exe
2888  locator.exe
2088  SensorDataService.exe
3872  snmptrap.exe
4768  spectrum.exe
3312  ssh-agent.exe
1832  TieringEngineService.exe
4852  AgentService.exe
2892  vds.exe
224   vssvc.exe
2680  wbengine.exe
1148  WmiApSrv.exe
1072  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\c8cea03f92be0f3e.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-30_e04101baa64f67cd2009322aa4c80571_avoslocker.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
3412 elevation_service.exe
3412 elevation_service.exe
3412 elevation_service.exe
3412 elevation_service.exe
3412 elevation_service.exe
3412 elevation_service.exe
3412 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2180 2024-05-30_e04101baa64f67cd2009322aa4c80571_avoslocker.exe
Token: SeDebugPrivilege 4432 alg.exe
Token: SeDebugPrivilege 4432 alg.exe
Token: SeDebugPrivilege 4432 alg.exe
Token: SeTakeOwnershipPrivilege 3412 elevation_service.exe
Token: SeAuditPrivilege 2608 fxssvc.exe
Token: SeRestorePrivilege 1832 TieringEngineService.exe
Token: SeManageVolumePrivilege 1832 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4852 AgentService.exe
Token: SeBackupPrivilege 224 vssvc.exe
Token: SeRestorePrivilege 224 vssvc.exe
Token: SeAuditPrivilege 224 vssvc.exe
Token: SeBackupPrivilege 2680 wbengine.exe
Token: SeRestorePrivilege 2680 wbengine.exe
Token: SeSecurityPrivilege 2680 wbengine.exe
Token: 33 1072 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1072 SearchIndexer.exe
Token: SeDebugPrivilege 3412 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1072 wrote to memory of 1892 1072 SearchIndexer.exe 119
PID 1072 wrote to memory of 1892 1072 SearchIndexer.exe 119
PID 1072 wrote to memory of 4296 1072 SearchIndexer.exe 120
PID 1072 wrote to memory of 4296 1072 SearchIndexer.exe 120
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-30_e04101baa64f67cd2009322aa4c80571_avoslocker.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-30_e04101baa64f67cd2009322aa4c80571_avoslocker.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
C:\Windows\System32\alg.exe (level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4432
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1172
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3988
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:868
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:2336
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4656
-
C:\Windows\system32\fxssvc.exe (level 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
C:\Windows\System32\msdtc.exe (level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4816
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4556
-
C:\Windows\SysWow64\perfhost.exe (level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2196
-
C:\Windows\system32\locator.exe (level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:2888
-
C:\Windows\System32\SensorDataService.exe (level 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2088
-
C:\Windows\System32\snmptrap.exe (level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3872
-
C:\Windows\system32\spectrum.exe (level 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4768
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3312
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2980
-
C:\Windows\system32\TieringEngineService.exe (level 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
C:\Windows\system32\AgentService.exe (level 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4852
-
C:\Windows\System32\vds.exe (level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2892
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:224
-
C:\Windows\system32\wbengine.exe (level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1148
-
C:\Windows\system32\SearchIndexer.exe (level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
-
C:\Windows\system32\SearchProtocolHost.exe (level 2, child of PID 1072)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:1892
-
C:\Windows\system32\SearchFilterHost.exe (level 2, child of PID 1072)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
- Modifies data under HKEY_USERS
PID:4296
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 2eacb85e0b1af8207732dd3a57c42d9c
SHA1 d9bbe6a5a6b35b4f329b0b3e3618ee19896d3494
SHA256 fa9bb03a3ff2fa5888d40ef14288e43a0838d58e0bfa02dbe11e6e0525d45bb3
SHA512 b9dca9f4ebd589085f30ef2360fa184792f1c424aab2e0d2850e9f3ce2e1cdec870266763c52bf792f3c168c4bcc50aec7345abf7cc24089150dc94cbfc5e172
-
Filesize 797KB
MD5 c4a84e1f49a9e6bd50ffc05b512b2882
SHA1 ffdfd9f73b13215286c3b19f5d5472048bbcfb13
SHA256 416b2cb7c9a03454fb3f9f3a171c137fe318e22977e972185f84beb883a8c3f5
SHA512 6fd172c45d63d3150bf5e3e9e7ea4a6e67e919a350694cb64b2b0dbecfd7c29cfbf6e71ab90c90ec42f634f7c952b687e61fe06a375103616b7aabb996494065
-
Filesize 1.1MB
MD5 0dc3e792d539f65be0a20e74bd17dd18
SHA1 668082b67a60b782cb522305ffc205e821d737a0
SHA256 ed800c562b26d09ba53e6090de6926b48eabf6010878061fb2e4fbddccc91824
SHA512 8662b1543fbddf9a2cdd128ecc9abf1283f5a1a208044193358c4a0c27810ed3b444d1fe3bed6a34e384ca10402eae89cb0f0f5e89d2210a3dfabca0f1cee804
-
Filesize 1.5MB
MD5 c7e2efe68a775d631b87397576e8be88
SHA1 85d78b61bacfbee18bf037a7f534bd0c7de681d1
SHA256 a594f3094dedddb2a67e62de3fcbeb907bc347143a15978f2b08031f26a9974c
SHA512 a77697cd94f848128178eb5296974144b9113e6f542213c3e35856148ea6b256cd736ff9c00a261cc8734f80bf0692d029a46072f5b26faa923d25dca54c7cb5
-
Filesize 1.2MB
MD5 2ea1faa8ee664240ba8697cfee4a02f6
SHA1 6100cac70e7b122f20575c1f17d7fabd0d9d7448
SHA256 a4ba85fec4293c5de53c5717bcaa8c6ccc28c40b2090139b6f783964e18e8c35
SHA512 cf19687b59b09f0ae984ebeb7fe18d0f73f3f33312a2df5f6e0db0d51c0e462881d14e3f6d1f25639e807164084ed16a759631364acee7e52b63407671e5bd5c
-
Filesize 582KB
MD5 54cf84af67ccfadc2c9404d21935ee81
SHA1 da3b9ba4d41ec72957f4c4bdcae26c21e26b53f6
SHA256 243e667a83a88d62652575a6157bb54bb5f50dc37694814484695e0967b962bb
SHA512 745612866f3ce56a82b6e0dd04a746d2290b8b30b4420878cecfb4b4c49de1e9a24a5f1dd64c3ed7b9d85edb27a76559a26348050272c256ae75b59257184fc6
-
Filesize 840KB
MD5 a826fdc9ecaaa8a52d36979c4160be94
SHA1 d38d7e9b3b17d531ec18914ab0fabd34e44f5018
SHA256 2282baa439d70f67d571e5daf5f567b18fee9a3394b3b24c8650e045c83b8aeb
SHA512 092563964636a28e018c89f84e9ae8d1b8843f290af3b9d872579ba4770dc56b6d778469cdfc062a850cf4c1957153adba7776009480627b2370f069255e4881
-
Filesize 4.6MB
MD5 c8da931363f181617b0289e9d1d42b78
SHA1 1d981ed9a6d4fc64dedf7d8f63019abfd126f880
SHA256 1ff7b5f62ab2df0224eb3c43a25ffcb5e6b271640235f85b50d4f688e777ab9a
SHA512 aff5368c614683e44b2219e7b3974d5905f41e814ad2113ece3e95aa855d2eeeacfe236d75c26e1cc20239c246ed0408e9943577156e7aade9bc86187411a503
-
Filesize 910KB
MD5 41df97db8b70b1b627244743837fa076
SHA1 f1081eb21d928d847ac763d7d9681471558e2fbe
SHA256 cabe7413abce19fe121eb9ba4aaad277bc591a3edf4109dced9946a14233fbd7
SHA512 d10b197a8708de3b5985b286b87fe373b1b0f74025d79debf917db84dd99bd7ba55259a39b1c1059b5c918e2b0225cd65ce0c220325ebcaf6d33b32a1fc4bbdb
-
Filesize 24.0MB
MD5 28d4f786bbc14100c78062ebe050d4b1
SHA1 12c66216c6916a70987f8975dc357e0bf43ed472
SHA256 1391bd00081ba3cc67324c8acb361e9f3529626696a31e16587971954aa5d9ac
SHA512 7eb00af2e6ab374fb2b4ebde78ede8711f41f98c9b8502081987ee2363a15e2831020711185cc000f34a553a1ec83fa85469152f4826d401c587b3c273e46861
-
Filesize 2.7MB
MD5 85acec15e2caf5a1ba04d992f60eae86
SHA1 67c2250c41131c4f1612dd506699daf6b2966515
SHA256 0966835c0b652362c9f9863b35e40c52d9cc88d8ba40264eef0dc40ab2a845a8
SHA512 e070342b74a8cca05226bad77cf8a50ed52069994f2e18345b9cd9129653b97a446403d39c81ab702699bad59f4d3c86ebadc0dd13e4c5252da3dbb2032c5b49
-
Filesize 1.1MB
MD5 090d235e2c645d2746c3789927764823
SHA1 344a3982e1591efefb7e1fb65de4769bfa7746cf
SHA256 44fdf431abed2d4f6348e5e65141cb40c70f46cb5135e5883167b7dee9107d7e
SHA512 a160a7cf7e50f0d10f44f6067bbc944b489dca3dab5f2abf2b68c40686c53e83789b14399b192173612ad4ea745e9b311fc0f3c02d07c67006900a8943fef9c3
-
Filesize 805KB
MD5 d73761c83b2b89c3138ff39ff0839b0e
SHA1 d74e2f3a4bb849973c73d97aceaa597c789a6870
SHA256 52f21de0ad4da906231cd06c48f102f028996f000b2c4b806e66566f823c3811
SHA512 e78cbda88c821887f4b2519ac7bf642aee1c5aa9c03d70a9a26291dcc1240900ab8633391dcf37a4023b5ccc1d9e28a0ef2e75b969890ac890fd8c372e9a5069
-
Filesize 656KB
MD5 b13d924b980a2aed4699ff654a8b58b7
SHA1 290a2bbc366aefa2bf1f5c376abdfddfef3f2005
SHA256 ebaea5a2f5dc6f6689a91d5e9965936ff4396666e4a357d001e733403d859acf
SHA512 c0ed71ce1423bb107a8ef97e6b467a047e9edc3a5018d303766036b8fe6d66f05cf17bd253b38beda9591cb4cb4e6581215827de9941c4fece684e933f3fb508
-
Filesize 5.4MB
MD5 d0f8a9476507efc6a6e5667f8994eb95
SHA1 8b9203c5612f3b1f34dc37c3b01447c6d3a5302b
SHA256 6ede101ec4f519423dcd756a8bdbc97f65e0e791c66bfe5d128e0403b9aa1262
SHA512 44db1e75d9f16f78564fd86a64fc3898bdd9bd67a0e27d4e7a32768c6f532839deb717af174362b81157a2b66dff5b400b73063ffa9224f10c694758ed7adf8f
-
Filesize 5.4MB
MD5 0fc56002d003823723ace68204e22a16
SHA1 b4a31d4e2fb0292a76705a0a5f4e37968d84a02c
SHA256 41c1d46336df6b6d887086bedf87cb72705a0358391ce96ebdbc0921c3a61e68
SHA512 fe4b8b8e2ae4c5eaa85e8c0db37549969600612809a717626915445f9dd2521afdddc5a2c1b4fedbc9cc4a69a8c6e15da2c2796b6b9640ee5092f03fd6b1144b
-
Filesize 2.0MB
MD5 2624b299bb784dfa9c6b79606a62a398
SHA1 f6f468f71b88af676ea6ab9f570acef8d24f89d1
SHA256 37d54543e69b2b24a673b4e0539b277f46eece3dd6bc812d4582b0e8cb4e991e
SHA512 55bced0e1e9f663042e67eec7d761240830979b44c2b47207b2adfeb06e0827257b941e957a62e2c0a04ab9c76759a2de9daec8f01aacae93656b0a8e24be7cb
-
Filesize 2.2MB
MD5 4693d395785bbd7cc5f907c40442e4d5
SHA1 9c787a21a52b0da591e12ce4ee89a965f3a6464d
SHA256 bb363c0819b431db35cb37f847ff698bbb4964e539a44f4eb34f922914ef5509
SHA512 daa75be35e0720c72a57bd31436ab7d1c70c4383911c56cf007866b76a59ed8a00435f255b524a5cdb0bd3203d71100371433fa47545f4c18aa2250c5b73cc34
-
Filesize 1.8MB
MD5 8b0314956b28bcae327fefedd19841f3
SHA1 79eea59c72dd7ab8dc2d3c78e6aeada98d128f90
SHA256 5e7764ba674b665767d33f235b70c798801892ef1f6a142dc8693c36da486d0a
SHA512 34723114c230715e043c7866513815498ab124f007168af02a6de7163a2a49526a3c481bda9fa15cab8dd33b8fd21d198a73e6f3c88cf2f98d9485bda6ded1fa
-
Filesize 1.7MB
MD5 c0e4aa1c41632f7bdd3aa652fa0af14a
SHA1 a944c2cbb7c36ed0019c50d2c853f9f79ae70c1a
SHA256 a40ecaa1b2c477f19999a6b89b613c9e642943eca996fb8c067b8b9708c8a999
SHA512 e536ad586b1e7a237c2a15b5a3fd75e97fe5f98fae3750982deae025997b95cc518dc2b9d89162794cdc89d759f6f427fc258156eeab2e35080ca910c3ccad17
-
Filesize 581KB
MD5 6afed924d4e8297ac59e8ab9dc9b14ea
SHA1 31c3926634b6610248ebfec5ad2b694767a8d140
SHA256 99062ce4d47dcffa2032e0b1b0a8193b7c032b67f52f0b0ff0bf3e4bcd3311ce
SHA512 1273a58b1e436e80d7c0419a7bf5e2fb9732d697cb6a87b86b9d33c25eca46bd518bdc25d7836235517634df9c1f868e831018f3039234929a56379d7f11fa63
-
Filesize 581KB
MD5 2f827126dfa667ceea93a54d179889e1
SHA1 8899d54f94a9d117ba772c3af21d721512e6b342
SHA256 592a61c633c24f3aa1f643ba26a45e076c68ecc11d167f8085c94fd47b13fa82
SHA512 9f952d5395ae689fcd654bdc54244a7d4f1b648432dd917b7272221e8d3b28a53b51d0f646b76a44777fcca90792c499cdf46686ba7c0e1fda8b9ada3c1eb3a3
-
Filesize 581KB
MD5 a1ee7941537bce86b9f04054cd2eda3d
SHA1 c5b23f3b88e1ea8016a142d6263b4374aa6b8a01
SHA256 475b5978a4a422c49663425c9f61ee65a27d0c066b655d6624522bb764ae083a
SHA512 f33b46629eb96f7b44762325638a9d062f68896c5d6709241a52c58550ecd47d79303cf45aff07e8bdc8377d7e2c30e415a413c2b82d13bf6206894c6a097711
-
Filesize 601KB
MD5 242943f7dcc5b3206e6d0c4b18561bf3
SHA1 6e0e10f2516cfe3deb2868577fb436a1dc928af3
SHA256 e1ce1f8035a9e48325aeafbd57265489f2f296227bd5f94804adce9535a898d6
SHA512 c24721fe18731c3f78899c19e507e12dedf3cdc676ad81c143f38f1266d58bc4debac0e645eb1b1f4224b70d7621fb43bd63ecdfaf9ba9cc132442ab024f6eac
-
Filesize 581KB
MD5 6ecaab11a94a8531cbeeb8e5f4234679
SHA1 dfb4fe2d819eaaa28db59d3dc7a658155538b35f
SHA256 77dfe84525cd0900ecadeb9d639ac8431fed2af3efc411fa400941898973d569
SHA512 f8142cac91d510523a5b508965d827b846009315e1a29e77fb27d25bc0448a632d7059c01b0819273f187f49ba9fec6f9cdcffc19645f3c6311369995240ce8b
-
Filesize 581KB
MD5 ad92b7fccdcbff565a0aa1d8bfa00f97
SHA1 3ba3f29d2972525d082ec316efec20a1094ad681
SHA256 03e126c0311fbea21a334965351134ffe5d6477cd45e40a6739cd842727fcbaa
SHA512 a8416a32140c02855733d46b70c7c65c1bd095ee3981c2904cdfbd5bb57e5f11d7dbf709ac92b1fc7bb803a594497465d6e5c1a6c079a9bdd6bc2d78e31c5bde
-
Filesize 581KB
MD5 99bbbfa6d41b2a8971af338276ce4baf
SHA1 d0d52c59f324ec2912aa6124e220c95c1d3f4dd2
SHA256 1083d36ef91ff36d11739318c26c8bf19650ce03c5b1783b58c395d2003799b2
SHA512 032efe4270ee019122cf54282e3e9442b5551ea99a33b90a7bc0b4cc653c56750cd1e2c316312d22544d3acb2ef8d160826fddbeeee04edf9388b05273397b53
-
Filesize 841KB
MD5 51c51eba67662aa0527e414640905d61
SHA1 a116a7d9862c977c35c572494d3fa9b3b3c4fa0e
SHA256 c3b06ed82af4d9d41a33a62498d3ec3eeafe7429d27049e1bf51593f3ea54926
SHA512 ce444cd56d66628e3048c907176c174090cce9d0e19f1ecc3354d3626945ec95b7e1710aa4ba3fd91c6564c56d944afd72c5606489a614015046b3690ef40f2b
-
Filesize 581KB
MD5 95002a378c883b475e6899db767d95b7
SHA1 d95311ae2b38b9df6b60ea9330e3380602129823
SHA256 087e791c6ac97217c7e341ec848c530b6054b0d8985892af96f7d095d91250f7
SHA512 f0f73b6008b8e63f95848a5c8e3b958effa5dfe9970f8e52349a6d966cd5eec58f4a23ed8f46a32c9debec90fd8c85a1b47f2ac011775d15999dd1054d60943b
-
Filesize 581KB
MD5 97dcd400aae4f81ab608ffd967c84eac
SHA1 d7ed32606bca329968b167e7b6a73225439768bf
SHA256 2e770ccb20ea02ca18dd0eee15809e87f6799dd1bd02853433b7813d17d4fac6
SHA512 7f5da89b152024e909bf4518b1752fd82391c23115045c36c70c5f8ea4f84f4cc4c37221dfd3334366a00ffc1fb1c71e690d525906fbf859845e9e5f4acbad3c
-
Filesize 717KB
MD5 0ace0225b40baca0be7e0734c77006fb
SHA1 f03889082779c63d1a9ba712b4fa0b4b98836532
SHA256 fc9cd9f5a41486dc7dc00acb8d1008783c8f99f584dcfe90a05d106412531bf5
SHA512 71560ea281b7d17f604197dee0a3a9311b8aee0b9f1f4d6e3f9fe342a1e7d97c1bd6c2345db2b6d7ceb0b70af3a75c9834b0e13a4eefb00ad306e0d16c79b091
-
Filesize 581KB
MD5 ed78d0e684ba6f1f42b7ae3fc5fbbb8f
SHA1 a224640524a909f61b6ff29d807ccfdd80c6c3b9
SHA256 4fa5a1416561f2e45fc43294c6a09c4e779f9150e1a61373c7b943fb29e902ac
SHA512 1ece455f873d0ddeb3a97c51caf03019b00329770172eebcba95ca4bb3062a982240c51c623e2d75f3cc330b3c05b8844c255933f45f44c2d61889b59ee6080f
-
Filesize 581KB
MD5 4013da4dda87e5197902c659ce2dd074
SHA1 045b8da8bb56890cbe4d66c60ac25ae209886990
SHA256 108a4451707aa2d6badf952df85ad2d39169446d44e4d78fe4def72932a8ca8c
SHA512 25e9d7e40660b7f8c5ec04180ad9f63d0ac6728129b71fbbef3605e928ab505689ea5194106e4d844d57cf903103b398ef15f1ef39f82af7109736bda5919135
-
Filesize 717KB
MD5 e41e3687544c5cc74f51d28ed54c9af2
SHA1 4a02ea5d9de3237473bab3b00d25c14873aa9de3
SHA256 bba6435646643d0d558991016585de35c9eb2a75b71b4bc496b96fea939b9bad
SHA512 a5fb2922fb36add36a6b9ed1bec5391fd07d0414f392a1fa8dc71b8b70eac6ab0ea0d2947a5055b8376f55d5045271560c882843cc327f5a1b559074656edb14
-
Filesize 841KB
MD5 e9bb9323717b262f1760d229c8569ad3
SHA1 600a9670ad43b875aeb8dded65445fd30c7cdc50
SHA256 4878f432b4e77a5a1ca49fa71dde582ecab5c701c2b797ce3371a615c7d5b91b
SHA512 7853859af0c12d92d574f7ed422392d5424e6db4c6674da1290657ce879e3f6fe636459dba222503fbab007884f03de96495a8e8b3fb6ad1939473a2055e499a
-
Filesize 1020KB
MD5 6ad44e972a26f4233a7dabe419dcabe1
SHA1 f7cdc6b907701a781eec50b410298194f0028067
SHA256 71cc541ab2cd4c424c7a59e844b301f51690b734c56172b55ec61ac38e4ec2ba
SHA512 fdabdda3916a22e0d93810e07c7c048d0388ad0565044211cdba661a832a2f812febf26a6cd5c57e9b7ed9c062a3c85fdbf7d1ea68fa81bf04a54bd36757d20f
-
Filesize 581KB
MD5 5bc4b9309d5a84185f1afd4337fd1248
SHA1 aac3dba290455737a1427578fc48bfd4dd06aa1c
SHA256 cc3d27fa20b1f78f86da223dda5dc771df6f5d9e3f344d68e31fca579009d03d
SHA512 54fef09d76850a05d886af1d938313bc168698579856dccf7ac41daf6be29a1fca0cfb5c104c93b6217ae7d6bf68d4de52d1be8ec2f25ad11791a64953d32dd7
-
Filesize 581KB
MD5 726717cb79d865bf10d6509c8c4f58b6
SHA1 8eff35b339226adebf352d9df7cca2439e65f4e4
SHA256 f38c221536cac3905f88cdff540ea668645a542628c3f42c97ba818d57bd19be
SHA512 a93acd12a0da9d461496a807c7be212ce0b8330835062309d316289d39055e79dfe64f89ed3a5161a2434245fc3ddf12a2ff6da45c504755cb473f751420500f
-
Filesize 581KB
MD5 e03ec2c153fd487a9ca911726ee13747
SHA1 50b520c22a8f5d0385c1c6a203bdc0bb8def0122
SHA256 d27fa219ce64a63bcc913533ff86dbef7db1684d5d92e90f0902075df0df8ad0
SHA512 7eb5714a516832c6ed3080d99f9b51d6f6a45dfd82a0293355f497d7a1b92d5c08d53695be75c59eb149c27d1d784d4771e4f8135f397a346e1d1b7244047588
-
Filesize 581KB
MD5 2b98f94f9fb3282bba7543b5a15da8b8
SHA1 9b631fc8e81de89fc5afd74e17f41bddf347731f
SHA256 dad72268af2809bde7aa3b34d0912fca98061626045ab78ac2accabbc3e5fa0d
SHA512 081e28291598db82a1032c41839b50e5073f1b017c9d15359045a04146bb70aa094a3d051cdaf88008238e754dd0e28fdcbcd863f72f193b86994d040b1c2c94
-
Filesize 581KB
MD5 39273e2411f3151e0ac99b9106e855e3
SHA1 7267a7a37a86c7db30566cbf812b70030287c2fa
SHA256 c637c74a3848db1bab387e597f56343c84e04551cc3441f15a9ee03c3c2f55da
SHA512 57be2fd49571b679840af82a7fcc01b7519b8f104d92557e1abf6bd1f66938f2a0efc1da781ed9dba5c0b8c38e5d887cfc94cbda116f7a84a4ad980bfac2bca1
-
Filesize 581KB
MD5 317dfa5ac138db648c4630594a70b5c0
SHA1 c5aba08a517a4651373d45fec5e6df72eabb981a
SHA256 7e4be1f440632bc1c2f645dce19addb6da4bddb876566d0940f00589ed6ff7ef
SHA512 038ea8ed404bf8c23b53103bd60f84d902d298cdc1c3a73888ab3907d993f7de31da012743cf0a90760041aaa5160ceede5bcc775b3c8dfa8f3fcd677d9d8f45
-
Filesize 581KB
MD5 66649589068586a781143bd3b3f5d483
SHA1 eab11d9e0a48a89b7528c43327fb4e006405baba
SHA256 0b5fc3c31310a06718a840152f92c4b3db587158b0684a05583d7796a7d31576
SHA512 a212de211401f22e08b150f649c2c39f6e961560ccabeae1fbc9c3f636555990681594a20b2ddfa969b445e1808b64ff79eaab6443135f38d44a74d49a5d0a8c
-
Filesize 701KB
MD5 3da13f929dfac01f5709640e797559c6
SHA1 7dab8c56f08a42f7d0988e32825b58c38bb00ebd
SHA256 a98fd2e2478a557994186b5ad54b97009749209eb11867b132f1a1da8972892f
SHA512 ed7cadc42c39475bc29f40ccbca4567cf8c77ddfc3b94e8e7b33ad91576a30cbcddbd3f0c960aee93854331b825f5d08490080ed4cd28450309c5fd9af22d205
-
Filesize 588KB
MD5 7e7ff715cc3f37243634847a315fdaf0
SHA1 a08e62112a50cf8d08e3bc88e560e33968ff43d9
SHA256 de2f2153afd6a6ae797fe114027e7623fd51a0d4405b6964fdd81f2272e39929
SHA512 1b3e854c509e94d935505924c501f8799413419664bfaa131ce6e78a5386987df6c63bea521418fcbfd846eb3aeb4087ef73ba27a720c5126c88274a582e5432
-
Filesize 1.7MB
MD5 b714ee348be8d2ee0463ed7dd791de9e
SHA1 befedf3d3281abc05a6fa6f6f58fe75bceb9d1b2
SHA256 7ebcd98d24ab7ccc78df09a7a1aa5f79bccb939865267117558e9bdfc9990510
SHA512 aa37ab5ea3c33e07660c6a53c3c26b481ff8626a04e5b2e57847513579c7ca60d238cd735917b9805fac70c0046ba69810a5053600aa0fcc00145b10522c0211
-
Filesize 659KB
MD5 18228a7da57e2d7957f337f4e56da494
SHA1 0086fe00b3fa1f26683ec7156f07a1990d67925d
SHA256 f50a0d9fb35b82515d0b7b151c0f15f9e75e0c598167d312c772c34dd3618008
SHA512 a1f45707251a8faf30baf20c501c0eeabfb5bd939cb5383a889a36b45ebd03af0f9678a65ad63cf6c977494d778496b39a452a44f6b35a38c9dd0d9c80e6c188
-
Filesize 1.2MB
MD5 9b8899abab5fa0d5f26ad47c77e2bcaa
SHA1 a8ee3bec3a550276339d9c101907024c9b0f64b5
SHA256 48abea6a7dd2382100cf75a0add2271d3f19676f2b10277ee8c93d51ba857430
SHA512 c2618f5a4a5a2f7e1136522ee273a21f775a57fbed31ec1a103e7231a7542317d93a37d6efb551d839ac126c93e20e14d3922cf13e23b48b4d92dc7bfb42e70d
-
Filesize 578KB
MD5 c7efc672c48f8e93afc173d60b2749dc
SHA1 b18a5e18dc91add1fa84658725252de82498162c
SHA256 c764e6862444933dbe2867a9f28cab474052ffd10b3f09e2178efe4f0f70a68b
SHA512 ba0751a42b58ae1aeb31772039554fb07dc21a68b0d48240aee615698a145991cbd8ee4f3d0d73f9f513148572e9e5c4bf9c87feb440801c71081fb7192f0b36
-
Filesize 940KB
MD5 7d18e837145dfd74156d4b70b3d5f089
SHA1 1f337af994e085448a8ca98251722ee4bf6e065b
SHA256 0378c697e020b08a6f9d371d08a16572830441f60828a9945be98fc2d893bb14
SHA512 a88138d5458f32d44d344bb8ea5e0779ef952dc223f284e7901c7d54dbd359dc93ad651f72fc56c6ce57a327e585400b8c6c2b36e0bd6dccc427c60bede20e3d
-
Filesize 671KB
MD5 f9307071c6bce8a3294270f7c360ea6f
SHA1 5701827cccb95f3f98358d16516aa3308ee4fcf0
SHA256 4b04338aa8657306b681d56c94bec6e1468291114569c70c67fbc7ae72c0ae0e
SHA512 7dd84173f541e46cea4f75713e3009e009f315d7f83094d9edaf2f4979204a3c71494a706b3a41e2de70e6c401f1316cfdfdd908166c30574a9ad2dd4c15a162
-
Filesize 1.4MB
MD5 b864ff5734b8ce1401a0df492f2edcde
SHA1 5df7269b0ddba7be46481d82de78797efe55e336
SHA256 2304d52a64af358af6285e168cb975a6e0a2d53290a7c9afcfb053be8bcd8383
SHA512 586a4b4b271b76a8f7e12a604f6b517eede52bc0d4f8144fab30708c7a5efe9c458de394ff122bc75383f295bbeacdce516f46ccf058dc7ac7d1dd184eb23ada
-
Filesize 1.8MB
MD5 52815bb29f8338ec25b7c94718283e66
SHA1 9984359761d886373851566a19d52f137d29509c
SHA256 8fa47e75be71df1298a4ffdf47b4e41e389d0fe00b52ad392ad392181a28d832
SHA512 07e511b4937d308b01cf4dcebe76cadd5a063e6241624d084e4e39b892d146a2ab53f4f3f87b721660c9bb8e6a739f0114ab7375e358fdfc917ade3471e9a073
-
Filesize 1.4MB
MD5 e4ac98de4484ba61839ea16fddc2428a
SHA1 14450939327b8c5eb93b4ec4e800ae4c71cc410b
SHA256 9a67ef82ba4f9f09364bb773fba3a6eaab45012c0056a9f9fbdaceb49b5237af
SHA512 c90bd7df0575e53405de988a6b6b3cfa1e96927a6cd85b294eb007673ffd5b986cdd82d65418f133b3c564d6a4d2094f0805730253439e3a02b67daddc21d554
-
Filesize 885KB
MD5 788aafcfb589358ce4ba274098357778
SHA1 b60df3205395750d651ce2dfbfd904f365e1419b
SHA256 a48755eb91f4f71d1623f0353773d83d5f5b8278004067dfef5bf24fbd58e40d
SHA512 40e349c5d003087d43aa44caa8a4e141c1a9efcd511b90a6320ba0cd75969b890e941fa3eafb68140b4aa5850ba764bec1bc18bb4f56c1866f55e76e38f7222a
-
Filesize 2.0MB
MD5 f76e867d5435378bc3be4e4787e81edf
SHA1 59a390275663aaba09d30234c85ce12cf8bf40c1
SHA256 e5bfd5871db535e458a26b681f255de33f4522394c0901eab69c0a99314c7b56
SHA512 eb6da1f778674e42c9e05187cbe7ef7139f4a876efaf3576e77ab46ae593471531565324753aa0f5ff114a63586683c5fcfff66c77ea0cd2aacbaacbb01e8686
-
Filesize 661KB
MD5 5f35a1ad13f3739bfd07dbf19997c0e3
SHA1 3c08eee0e1830d03c0125ff657d25afcfc834aff
SHA256 0694dc788d566d6b98a2f7e04f46bccac8802fd8c8f070c45b1766f145ab446d
SHA512 fff94b42cb249d66677aec8826944b07980ee903a8c7804382db91ee44cd4a5525acc43df357f6ff0a82df85ba80d05d7a31de88e672d3a142cbdf1002ad73bc
-
Filesize 712KB
MD5 6cc04c71ee7db3e0ef96d52c8cfe5ce7
SHA1 19698b2c2ef2c474ddf2edc1ec4b41fdb6e0ec64
SHA256 9cf308ea8f637b51e3daa054cc6958ef31ac38c191d2bbd2d16c699f9565bf86
SHA512 eadceb83deaa858de9e66e9e6ccf95a887539f7563a65eb865fd832a092de36af9ff4f6ce25bd44b29b0f2c15f47c80a0747e2432e098c5d7fea1b990cfc1f45
-
Filesize 584KB
MD5 ffdfb04898a4961b25c093bacd7e0c4e
SHA1 8c4537ed9e40d129f432e6168d8b3dcd85a5d858
SHA256 8f16164d6a2079642fbf94591a7dee2aee9a541eab640c7a24fa6d6198d368cd
SHA512 b9bbab3906636f6f1505c7f96c8749513f9d051c813805eab04fb827278c7de74d0a886e6c39a60392ccc16c153817246ead673c9afa868f53c6e00740c05686
-
Filesize 1.3MB
MD5 e56d86d7af0fcc79973bb873871f45c9
SHA1 60623f46dcbb29a3303658107ac6bb31ad8262ee
SHA256 92ef09927f9c6f1f67163d3f11b4369fbc7a257ad9173090795f73ff942fe6f1
SHA512 9b0ae9154e2d274cbbef0b7e0d9c4612dc84c230d1dbf5bb14f5ea6b1aac96c0f4d0c119fe1e4c69ac4bdb938601b3676018beb507ff2933b5403fa2e33d8587
-
Filesize 772KB
MD5 a459a3f10df9fb0a95b20c41948cc375
SHA1 5594d9e152375400f1469af54d7e9a7e19b81d8d
SHA256 119b8b54bdbc61dfaf43406f2ba5e0dfc8b2e823e48abcee3f4861ce4fff7338
SHA512 d8c3ef596c9baf2effd7534e32b19faded57e66da9731ff0837c8db31360311279636741572851d0056bcc84cf5f8ccceace4396f64f4b6cc5092c3f41d7939e
-
Filesize 2.1MB
MD5 88ab39ebc36a61b0a974752e656213dd
SHA1 8c7b76c36b82234de2659a8bf670853147c0e20b
SHA256 d4ce484c0d3b160d4ddfcc67b72eab48527ec68b8eb3a2255112adfd478d49e8
SHA512 0ff247d6e7cca51fa34958500300355a349e84a9491dc705177a5b95a5b1deffe7b33166c2f12aad1cdb9e61d6f4380079317224379edaf480e7f50b98b81a0d