Analysis

max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 30/05/2024, 23:24

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-30_f17e82d0d93d45d8a91e0d5715405014_avoslocker.exe
Resource: win7-20231129-en

General

Target: 2024-05-30_f17e82d0d93d45d8a91e0d5715405014_avoslocker.exe
Size: 1.3MB
MD5: f17e82d0d93d45d8a91e0d5715405014
SHA1: 5b657244449f7072ee64908e353172ca70957a70
SHA256: 66876301b034570d785a6cba4cd95e376da4c408403dba83ba2b5e7a8ed0090f
SHA512: 55cd615637d7ccf67b087af3df2a9a464260a16e8db2b17a8868280661bd7e697f84a9bc3a45dca60834b71f64389951955040011dfa9b3e2b4069e7a16d0139
SSDEEP: 24576:72zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedlSkQ/7Gb8NLEbeZ:7PtjtQiIhUyQd1SkFdokQ/qoLEw
Malware Config

Signatures

Executes dropped EXE (22 IoCs)

pid | Process
5020 | alg.exe
4516 | elevation_service.exe
4936 | elevation_service.exe
5012 | maintenanceservice.exe
1536 | OSE.EXE
3388 | DiagnosticsHub.StandardCollector.Service.exe
4844 | fxssvc.exe
3052 | msdtc.exe
1836 | PerceptionSimulationService.exe
2724 | perfhost.exe
4332 | locator.exe
232 | SensorDataService.exe
1016 | snmptrap.exe
2204 | spectrum.exe
4616 | ssh-agent.exe
3708 | TieringEngineService.exe
4540 | AgentService.exe
3220 | vds.exe
3640 | vssvc.exe
3116 | wbengine.exe
2260 | WmiApSrv.exe
3948 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (24 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-30_f17e82d0d93d45d8a91e0d5715405014_avoslocker.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\b5b751661ed82f9f.bin | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
Drops file in Windows directory (2 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077633acce8b2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a895b1cce8b2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072235ecce8b2da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000694b65cce8b2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ac8c0cbe8b2da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006578f0cbe8b2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b3590cce8b2da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f58660cce8b2da01 | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4516 elevation_service.exe
4516 elevation_service.exe
4516 elevation_service.exe
4516 elevation_service.exe
4516 elevation_service.exe
4516 elevation_service.exe
4516 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 5060 2024-05-30_f17e82d0d93d45d8a91e0d5715405014_avoslocker.exe
Token: SeDebugPrivilege 5020 alg.exe
Token: SeDebugPrivilege 5020 alg.exe
Token: SeDebugPrivilege 5020 alg.exe
Token: SeTakeOwnershipPrivilege 4516 elevation_service.exe
Token: SeAuditPrivilege 4844 fxssvc.exe
Token: SeRestorePrivilege 3708 TieringEngineService.exe
Token: SeManageVolumePrivilege 3708 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4540 AgentService.exe
Token: SeBackupPrivilege 3640 vssvc.exe
Token: SeRestorePrivilege 3640 vssvc.exe
Token: SeAuditPrivilege 3640 vssvc.exe
Token: SeBackupPrivilege 3116 wbengine.exe
Token: SeRestorePrivilege 3116 wbengine.exe
Token: SeSecurityPrivilege 3116 wbengine.exe
Token: 33 3948 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3948 SearchIndexer.exe
Token: SeDebugPrivilege 4516 elevation_service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3948 wrote to memory of 1824 3948 SearchIndexer.exe 123
PID 3948 wrote to memory of 1824 3948 SearchIndexer.exe 123
PID 3948 wrote to memory of 4488 3948 SearchIndexer.exe 124
PID 3948 wrote to memory of 4488 3948 SearchIndexer.exe 124
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-30_f17e82d0d93d45d8a91e0d5715405014_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_f17e82d0d93d45d8a91e0d5715405014_avoslocker.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5060
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5020
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4936
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:5012
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:1536
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3388
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3712
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4844
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3052
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1836
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2724
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4332
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:232
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1016
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2204
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4616
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4536
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3708
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4540
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3220
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3640
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3116
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2260
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948
  (child of PID:3948)
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:1824
  -
  (child of PID:3948)
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  - Modifies data under HKEY_USERS
  PID:4488
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 1535d0e3a15c2cff06128ed59e0992fd
SHA1 aa6970f04dfb810de8deace2c15a387091b3e276
SHA256 2b6a341c080ef426d6341cd81f84415fdf42eb676e4632d19f4f3787ded4203a
SHA512 a7ee319ceb0db48df9fe5ff8376aacb0588bb92613d1261a5d6ddcbef2b670481a0292588a75601d11538cb3a005ff5724f768fb6074e9051a12fd3069289c70
-
Filesize 797KB
MD5 0e6dab0c268a270ba7e6f81d291fa191
SHA1 3a5033104fce8ba0b44ebeaa9827f73e17dd080f
SHA256 da83f2f284af72f85d16d05385c4f8fef73a4fe1be1f4ac4ae4ef90a319fd386
SHA512 5db65bc347a3af88eefbf60b36e3023d521b20eac63b8abfd596e4af821a3db26e84d53044a5d3ff1062ef3da4e669bed9d7e980c6779a2492163132cefbad71
-
Filesize 1.1MB
MD5 f32fe45666a40e7bf5359ad5182c772c
SHA1 3be25283e31c47ba4dce898296d6a44bf3c60b3b
SHA256 412709a9e91cccfa45ddbec4787edcb5a09832fbd4e5ed71b9f02bf3fd9c9c89
SHA512 29f85839c474734829749aa0d64441d52a2c34a7a9b3cc86db6656e06f8e5c3a8cdb9006cead45b951c9a0902ef652430213177c33f88337d84eb4133d8f50c9
-
Filesize 1.5MB
MD5 f6d11a6a41f9a26affeb175797258182
SHA1 bbcaa248164ee6420fe87b233bd5f1c7be9072b8
SHA256 90227b8825371580a8aed4de5b577b969886c063a5785681618daa4c7a617284
SHA512 0b1c562e995f5e4d49a2564530f546f7b286a5235558126fbdb6e05dd8d41b6c5985f52d92024d8b424bed1d40cae083aeec8edd9a42c87fa8f083ba428b62df
-
Filesize 1.2MB
MD5 1005d7e28363a12e122941bb6f19696f
SHA1 03dfbdf66d9b6222590a645e9c68e7480ba28cac
SHA256 e9f044181b907b686821b9d85706593d4dee27b7909498104cd4ed6f0ad37c5d
SHA512 0632d290d188ad1eed4a0183a1fd9073a8a54600315d785a29ed30ae6ebf6d90e5151c8233012f21acc6cdbb990c0583a12915f88cf6c5e675b8a77af2617b6b
-
Filesize 582KB
MD5 ba206ae0e7771ea910a54be857c66635
SHA1 db22d98740f6774676334623db474a1358e90aac
SHA256 c19a333b831165f04d32b4782080d1cc9a89cc63e65c9212f644f621c338de4f
SHA512 409e4832c7ba70f2c640bba4caccee5f852e36aaef5a0b9a6270c71e6a4c6ea0859243c043a90eaab2872504494074e866b98e3483e02829fd843b6e98dca522
-
Filesize 840KB
MD5 9e31d8a03ece15a1beb20953f394bc2a
SHA1 57902022de92d6b8e7bdbd2c9fd3fb3c4eba14bb
SHA256 6d0804e752ae805104b06d386e23178fb9248af1a58ac0e10708a93b4aff51de
SHA512 80e0973b88bb0bd93008be17a8a3112d75477aec0c44e64b4d5049255f2ca0e9d244f644ae5dc3de7ee1baacb764985ad29d1731283d47cbf427ca77ec610cc7
-
Filesize 4.6MB
MD5 0b8248a90d0c36cdc6dbf5318eaae81c
SHA1 b95099e8dc987e99c64c53d8e50a8c5a5375bed9
SHA256 ece1bf9a8f276bb744dc031ed99470a36cef0bb6e9af6328b498e29dbcb8d74d
SHA512 d15f18d8bc1df237de3e2097bf6e6f9dd8c85b5ab08e2e54b44a40d0cf2efbdd761190982158efaa697da40861d2c2e1b162f2f1eab991a329be4e08c281b4d5
-
Filesize 910KB
MD5 a0aa5ba4b657617212830b0e47e6248f
SHA1 ad94d77677348fcb69e52f5b0da2fdbcff726564
SHA256 f7f69d6f90232f7ddb244ecd4398b09f41f57ceb72e0492214839b02e01fb9bf
SHA512 8bd32252815c9276ded2dafce5fe3b89b12a1f6b04983ccdca7e0264bad93d76cbfe765de3252195425c0583e8982a8407124b040394484888c535f238970ec1
-
Filesize 24.0MB
MD5 67ccaa38be0ef3532563586885c0a30f
SHA1 8dfbfa51f38333891866dc6a4c2c03593b5ff321
SHA256 e1802dc8675ef09739d0e3f0b3dc9a134ab4e4358e607e6f20ca3dfc1525aa8b
SHA512 9dc230600f2e6068767b3b571680645064a0e581ec3a555ed324153aa926b14ff8450129ac8fd38665f17dd4193d15bd345ce8532d005656ec4f250917bf0ac0
-
Filesize 2.7MB
MD5 93f93ecd6bb1284e2eff38fde2b700a1
SHA1 c018621c9e715d407d77b2646642a7e58d1d1954
SHA256 95572e16453e8161bc99b6b6b572a6486381126e3a147341a1fc14e48e3b57af
SHA512 1c25e347509dc8fdf9ab659180c8bb3642245f961a9a61426fa4e5cd5c30e6152155bbd946f23c736c813ac3532b4ef5dc429468f64fac7e8b68434fe4dc3c1b
-
Filesize 1.1MB
MD5 c12ea59c4c84f9be6388a00d7fdbb61c
SHA1 e232bd848e7255068e92af912100b2ef197f744a
SHA256 de888794105f50399e1f60b34149d0846f446756871448887de69c2977f6ef7c
SHA512 aaea44852f9ee44dfe4b6a7fa1f913e60ec546408469ffcc181949607b3a7cd714eede5189ec1bd43236e870a6a6cd404f31274a3ed14fd22e01b45da6cd86e5
-
Filesize 805KB
MD5 7931ff0999e516fb9d32340f58a6e2c0
SHA1 22856230da1a62fdfb6a9e5e07aad5a78df3aa92
SHA256 807fe0f095450131ac7be0fc4e1477b38d8df869b886676eb3035f43b4f17bcd
SHA512 a01d15455ba0bd6800f91d7a144bbf9d63fa1cb114aed431234643ce2e1eaead1d65e85fb616c0771fa16a349e2aefe5897ef439b3a18c14f30f661cfc618cdc
-
Filesize 656KB
MD5 8120a7714fb5f5145e021e875abc109c
SHA1 4731f4d41cbe6a4d7d372ed07ba591c3ea8dd31a
SHA256 03d8f7c0b057a53347cd236357f1d565a35bcda6bdc0f9ab739ab8ab259a2d8e
SHA512 dd11db81527fdb8d74c94410ab64c87047c20f8853e44317d149e79ccac0f6abe2c27bc35e3128ed7229490677bf4be796925c7f8d526e5f63e7a954b4e4445e
-
Filesize 5.4MB
MD5 53745eb58c43263d765212b8816bca95
SHA1 3ab8b7dfe2f4cc5e6f5405ff8650cfabdf5d3f9e
SHA256 78273b8f8c15532ac40c30ad1f47684460ef4954a5fd852c735b54c490aaa2f1
SHA512 948a4eec529c3a1dcce0bb19a8f05f0963feffc7ba4385c5756976cf6fd2051b890bbbf6d8ed4ce36714a12918bf96fbdf191123150ee004e73808edeb4550fa
-
Filesize 5.4MB
MD5 6baa0396303fcfada5958feb554cb779
SHA1 2b2d762673b7a91a525fb50f5e6dd10ea2d03390
SHA256 fe01c9744c6ef50bb1f24d21aa6900be37f1cf199ffa99a1f3e78d8565d48876
SHA512 e3e0ec563021e8fe3ad20371eb119c3e4639a28b99f189d5c6f22b83657f512ac4838124a4a2bf839ef89b4173e339813a6c549dab9002fa5d08e36aeb73199b
-
Filesize 2.0MB
MD5 5126ac894dff0885bd6c3a588f989108
SHA1 819e8340e54c66136f09e7ec594f0546ef28b319
SHA256 d13776eaf31121b584e82237f94e13475645dc580053951b3f5c37136db7ac5d
SHA512 be65c525f77a03898664043d29205d4d90151704e3ef7af7157bf69dc88d805bccc8e7387567979c7dc6ac22bef2b6bbac858ab3dcee96e0c689a957cd71ee86
-
Filesize 2.2MB
MD5 979965570657e6a438264b4edb232195
SHA1 69ccddf8655b3744f1ba6495051ebad3f089dcea
SHA256 f26c36a20cd8ff66a0488ac7ee480ad71c4c70248a7ba83261fb5c1d7b5f58d6
SHA512 7dde590a5c5587ac2b14c0a419a3c73233d6ceb9903cecfd161d28f250399a06d6444724bbf6ffa2fd07fd38cdd1371faf446193fdbbe7a009ac734d6ef202aa
-
Filesize 1.8MB
MD5 b70ec08ebc474dabb0e282d987470ae3
SHA1 40070d53bead32bdccac68cf0db54a3f54ba0c1b
SHA256 a8a6ecab0d4218f2f14a34e1369e96a7597c3e5f472341a61d9af815bc52c996
SHA512 befba0241b0dad523002843d7b576b5211c48ce1a751f8a5270c786a02dec4ff2ad1fea207c192e8cc4d739f6078eeff01b63f6dcedaa4db5dd39c9fb295749f
-
Filesize 1.7MB
MD5 c8f4f622dcb67b498c61cbd2c784a981
SHA1 35c2cb3deaced77bc5d9b056c0668343bdc7b2e3
SHA256 926bb0d289fbfe657267f954fbba78c67fefc99b23b830f1d1e98b369f2140d4
SHA512 18ac15b361fd0f80deae4bdc48374244334c16a77b37aa004c5b24186534753b1280b4b5bcf4626e6164c6d3a26104e902cf8b55e6a1768c4cb60501974b583e
-
Filesize 581KB
MD5 8d825e3ba215340721d239d5aee512f3
SHA1 4de06ebc79840fba2a9eff17f04ca9cbb2734a3b
SHA256 9fd2bab6a46f00c117b4a80403036a3bf82a1b74d9dd70a69a3014f1e9dd3b52
SHA512 6db6d32474e830e33431fb16c9d04f64bbd3bacc5a14ff2d5c33c93ee9e003176f7fc460dbc2d05c591924fe169c0bb00003fbf9f9a5bebfbaba396d03d8c70d
-
Filesize 581KB
MD5 23d0a6020e209ac3eb74764ab73805e7
SHA1 eec6944aa6dd69ceda69d037d04da873454f9168
SHA256 2feb1829576f60b12f48dd61c7e72452531bc6151d991b1b5c7223e426afd060
SHA512 0866bf018823f1a195b290f1d26b6b2d1f1c8ac2735ac5481c24c315c35b06eca9e6d38fabdba63f6f6630baf9b419ee48f5e24401568d639f130abcd75b54f2
-
Filesize 581KB
MD5 ac809051f80f7c3012bfe053bc5ce5a2
SHA1 16853d1813d4b23ae6a1cb7de517c23df5cba7cc
SHA256 532c04a9f1a339b2de1a1a4f31f4fefd748d6cba1ae344486521951cc4d3f9fb
SHA512 74058ecd741e55ee1ecfee505dfe52df498eed40c93303d7c0fb0ad8a2c0bae9b5269ef0bb3765d5469b2157598507790503a999eb55a228f14fa105b84599cd
-
Filesize 601KB
MD5 5e9feee762f9972c95a427192f7b5428
SHA1 39a48c5abcc86699646231b4910f000b88598b2d
SHA256 9b01e77d92d9203aaa85b53f52a231b845fee25dd4af4564a65829d4a82db977
SHA512 702650f72cac2b329a1b0c1e3900b806836ec9d8b00a6ac53b5b737e619e6cac7f9f33e6d2f5de2543dffb37758dd5c2b7c262f7e8b3975049d37548e2e6b25a
-
Filesize 581KB
MD5 538c35adaf42c8829bc84bfc2640b026
SHA1 d50de27efa14f89df04412611bc6b2a5862da5fd
SHA256 1ea2b78fd3635f450278a5929dae6f926fb7a1be7ef4f70ed46d80045c785dd6
SHA512 118841ea6326a7624af4e7979d1ce6754b28d3198d7908c96381db50cc9b993e025730aca8a3dae9f2aaeab5d4cd4d9b674997e47e413d61b06a5a31f07b42aa
-
Filesize 581KB
MD5 d39cdcaef45f88a88479b511c8187eb4
SHA1 c52319dcd73c042d3df99b25797d175031537bb8
SHA256 ac5e805298219631e6d67437aa91419a7b6ba08f58e7de17097303772f7dba0d
SHA512 87093d088e75a6c2a1d6f0fcda76ce923332cbce288746cc54ea59973539ab779cec385e2726330978d184b8d7ca7c8c29c91889b65a0cae4768b8f07946df21
-
Filesize 581KB
MD5 293a86d39a004d540d2309bccc402b88
SHA1 385fcba22f6fb0c1d79c3b3f4aa5db28dfea6b21
SHA256 59f76c1aa90b1d9332229f82525fab0753b172ce6f59b67f31dfa4c59ff27ea9
SHA512 1aa516999cf8aa26e7d6ce6f043fa8f5db35a80fb3103ed84f89b3c327387c657b9d50fcf2cf106b81e3ed10999b0ebe64a7e49efefc9ceb1beb7dc99d76b1dd
-
Filesize 841KB
MD5 98720cf9efc4a82df6550d99a88de06c
SHA1 825162a2150dec01b662b404960c9cc2750680ea
SHA256 5ff1f8cf8f317fdf65492135f291dac190c6370ecd7cf17366cc0c25fa73ee8e
SHA512 00d7c60d952796a6508f6ca38f78838c985b59435523d21dc76920a59a2dfabe6bc0525a6058aca61aec90d05fb787d8a010577bbfe3c68dd2589ede1194dd8c
-
Filesize 581KB
MD5 f5c7a446a9c3e75c4e6135c8b941b388
SHA1 7289e91f37aeea49d4f266577f5d8b8adfb032e1
SHA256 97c31d187d0b59f03aa74fc6d8648afdc4b4faea0daf1ab272b888e45e0ef406
SHA512 d51ca1e4cda3f328572e924e7632795fa63c79a2667f2364edcced0a13ced56b3efbe8d71718290d853ea36ed5e24736954d9b817c5ade5814a71a8ce69bf697
-
Filesize 581KB
MD5 fbda06a903700f2452830697b04033f8
SHA1 82a8e1e1e5af9859d7f84bd0daaad8aec3cd5cae
SHA256 aef97f06848ff6580bf44784ae3551aad421dd7f049a232682027a9721a9a968
SHA512 f2eacd3d351d2a165b7c7587061abf696383670849916ccf32f318a2e6a0f10f445852b8825c6b76d34799d8360ac8088d29bd38349f206d20881af386bb82b9
-
Filesize 717KB
MD5 8206af9485dc19dc3e945d13da67672c
SHA1 59d4dbe6686683fe40b9474f3429787c42c3a8c5
SHA256 cdc099657c675a5ad46cdbe54d6efa1e6446068c2421738f4243cd11ce8a0502
SHA512 b27204c276bf6ba52785bc49371dfa2254a83d01433ecdd8746742f09f37f88b5c383e56ac0e6e2378be0ad0d6afc7ed8ef15515af80f3f7cc1240ad71af6a84
-
Filesize 581KB
MD5 65eafdca54b81bb42db8e45840e192a2
SHA1 bb0907fcc092eccedfc83973f762538bb14235af
SHA256 c39150892c38ba2119ac5927d2b2edc1e00ff671492ecd8b4d2ad264d23a9af0
SHA512 139bd32b80699ffcfddb0c4052643ba2900a910c8ce39dbed4dff63ca8c3de567847a89d8099974087b42d71182c0e8ce60ad2db247c9eb0f758d000c6aaedbe
-
Filesize 581KB
MD5 2abe27c23a28f1b364656b6f752bb5f7
SHA1 6ec7a925666fd2feeb68153f79dd5a9a123eb3ae
SHA256 4b42853ee79e16b5b62740f3711cd79c2e0cab9c647e855ecdf2de91553e881d
SHA512 0b618cdbb8aaf3aca09be642f9c7a7c711713ff2708764fec07cf28d8bef365f5d856987c87dfede0e6c90d670f5e8bb0fa8f6b277fe02b51ca5b9ca2f9e146a
-
Filesize 717KB
MD5 a9772d53176bcc42ac1f10a3b5506f22
SHA1 26f734bab2ad07156e054ac40b65b6e2765ac551
SHA256 cb87048c99c015c350408d2c3612bb4a91f8828c2c50a9976b5cfa70d090895f
SHA512 047d310e5fa7f065d437ae68b5f469467f0b927d9d04ceb42e56363dfa0b88da41380f41c3f5503824395dec087d3ec7e82df5c9ad7f4c10cf4b01c822c38656
-
Filesize 841KB
MD5 c84ca7aa1b7b3c985615f0710294cad4
SHA1 0d626061a28739816a957760d48fcabf89d40bd3
SHA256 0cdcce401bd8f214483c6ddeff93e9dec4944c61c07ca7528f045ccdfe985eca
SHA512 4298ae07f5c2cd274950b4557e6c3e2be388b309acd46785d9d2fa1bfd9725eaae36fb26615ca0dab932b35bea156d8eba0b8af0b0d783fc20bdf011b32ef727
-
Filesize 1020KB
MD5 b612172067d7581ce3d68f18118c7799
SHA1 bd1e93b44d43540eeb9692050bd22e826c8f9d17
SHA256 c95dcc1418b0637cdf45b16c49e55aa3c29117f939542a22e3abc444ed87919d
SHA512 22427b1765e0d2408bd1a3f182479afc1a45f014b6274084896fc5ee0129fe8384eb35c56936baf2c63600551d6668a09c966bb52f209f4ebb0435b97ba8f3db
-
Filesize 581KB
MD5 b8c70019745bbeddf784e96ee872652d
SHA1 3b2be9eeb5bc240135816ae00f753434ccd8a52a
SHA256 a08e5dadf1fa5aef88edfd2cc4d49e40640ed027aa16176d1734ab21755a7eaf
SHA512 03177e419be9c635009bd7e73ca88129ca123fec944ab6511428023221a4ffeafb0f67337717dae721b5b89dd11a21f38d11ea0f25dec06f73dd0695af49f8b4
-
Filesize 581KB
MD5 4847c0fa90b6f9cdfeb0c7395cc681ed
SHA1 93209882d72ddc1daf56e39783936d79efaccd6f
SHA256 e07232b8b8b6f18f9fde6add8ce66b413a4d3c41ea021139026f25061c44841d
SHA512 2347b7c956c6db6a238783b8831db1d1f8e20a3a468cc59dc5d813a4a5d48f5dc1514f259d854250b9f2ba57748b43ffc92208b8fdb63d573bc2004dc60e0003
-
Filesize 581KB
MD5 83f00e9be4392815a10a6d9478491e99
SHA1 c836419e2450392658abc728240e85d0e3de182e
SHA256 bdf8ef97aee967df0a59e4d0654512fe768608ee3c9200be4e9e9a1336322193
SHA512 f7c01bffc2367d036313e3179704cfe0e53e3e5965210d9ef9142d24df4515a0e8d2b869c71492ad28ddaf505915aaae36e070abb3ec364c100415d83e00a6be
-
Filesize 581KB
MD5 732254be4293ba8d5cbc9d45869faa16
SHA1 8de8f0281d25e175033010ed1f7d4c9d5fcd0e87
SHA256 84279d74f7c5965f71e3dfe672fe65c72ca8919f7d994bae65f4ad7e93b3ada4
SHA512 d085a62f3de8252accee18c5fb8bc60259711efba0f64f03a442c2f4f386785a240c4ff2d586dc7b91121b92cdb9e8999dfe075a899abb3c084d247ac86e62b1
-
Filesize 581KB
MD5 b9cae53015552426e3ed813c8aa3c8bf
SHA1 417706117d571ab65f922d7aa0d8aa84e88abc08
SHA256 dd0cf2444dace48512d14649bd236c46f874e66b1247ed8c50e54ac12895f94d
SHA512 6a8514c2bb389763df8872c1c2b066cdf35ab4264a870aa1fe2c31c77d30c973e8279ee731b26f3f94d66fb81ed0ca575b0c2e916cd2a4e861eb49b9d923d9e7
-
Filesize 581KB
MD5 64acc354a314c187040ef78719bbfb61
SHA1 aaec63847514d06496e91ab6531c9da7a26ecaaa
SHA256 f4dc7d45873b15590eb69d1ad36b6bd19c1658ba95fbad9c74b0241a9c2d5419
SHA512 51f835ee46c55f42dbc88cd301d202b393275bbfcf3e0bb012d3263fcdd4484a5afeb37f39c3b6163464cf105e3926bd011c6e25c1d8db096b15cc468dd61e72
-
Filesize 581KB
MD5 dfb953a713ffbe34e34e01379b048cc0
SHA1 83dd68abda1e08fde336a5acda44a4add206ccba
SHA256 9aed403eb3fbd78cb055eb4d23a281c8a75da99dd591ee20c902d5a2ea5a148b
SHA512 3a8010fc16faa788e54fd0b14cba2f31b238bb92cff32c7c3dec041766393ad10851ae6ba645ef53284ff8fc37a58cb97a78a99f77f86c90cd55be724df3e4e3
-
Filesize 701KB
MD5 e7f56def5af8364bad7da314ba39c2d5
SHA1 4656bcc047b75a260fdbac1bbc5b23f74364d8b6
SHA256 cb9b5fb789bd68461825a35bd599599916277fb349f7737d49fdeb7ac4c57999
SHA512 8e967e1c6aeab62ef42911d1f8db420a835e4a61f641b7331ba0382cd24213a2e426ad6ced22eda9daf2184c16e785a57490e1e8e1e43725aeceeff676434454
-
Filesize 588KB
MD5 e03d4a5321552ae42aadbebdc0e38b96
SHA1 e8d3ed8b9f4538a6e8753ebe79aa96c0cf40cac1
SHA256 8fbd1ceb13fe00f3d7a9aac73fcfb022b757b6ef84a9e98975e33bfce0a089ca
SHA512 7ab959c45f2a774b9c76a2115c522060010ac507e83a5bf2f031608979009d455dfb11b440f24b6f8519bbae153dea2738f6d520eebf7cdb43bf4aede07e0cd7
-
Filesize 1.7MB
MD5 c5065f36433dfd303a29f6d76aed33f7
SHA1 a21d0a311db03030761d56551161db2d1562423c
SHA256 ab43e4cb9efb9f346460e3899a7ddb220062294894982b01b6c94a0a69a9174f
SHA512 0ddf8b3b8842f01c15ca88d65f666d6842b57f23ac3a9e3bbbcb75addcb0e57101532a29ba6b0e5f37b3c1ed137a98b761744cd1b1694e95f8961d89d4765cc8
-
Filesize 659KB
MD5 6f6e91a7f1aedb3fe2461b8dd80952ab
SHA1 838cce12fc04cd600673a8a8af280e0d8ab4fc74
SHA256 f44d609e003fe3d9ee770a7241a796588886a80d9057a24e2782401e599289b3
SHA512 78d4e68859c6b97c83c9249921128dd9ed2161c27ab8fcf0ebcb431c08a244c3ae94660dae99dd7255f2f3964240429fb9a5eeb1ba9b52d081537e0dd73e4666
-
Filesize 1.2MB
MD5 79694d4cacd003ec5c69c380482d50ff
SHA1 89b77ff8953f0af1b03940d8654953a12b162ab9
SHA256 0d23d0f9d8dcb69ed28e7285449d300368b455a378d043061271c619b15a1cab
SHA512 7c78b27846ff1b51577517117b12efd1bd0579a4470ad8480f896b3dc53a4df994699b4c1fe0d84fc3c86be54fa0ac3b0ea18936ae5694ccb77ad3cbddf88609
-
Filesize 578KB
MD5 2592338ae5231935f4100d75c76f20c1
SHA1 bbcdd75fec4e629a15b874b1313a04f112a1da04
SHA256 355fcac742fd31e73502ceac99b1ca4abe8fe3f46321a84bbd9222cc74d56dc1
SHA512 6007809fd7cf5f79c6e50ae5552c0b248f6f61bae6aa34281b154e78530a2d52112dce6f28bd6eb8f6f4d8d2c891081cbbc7e332ee63f86e56b7e7ebe3d72e5d
-
Filesize 940KB
MD5 4a99ed1af7f17f0b4f871880f0daecd3
SHA1 ee3a850976368a0f3aa20e75ba0cf7ac3f474d31
SHA256 4d808388223b03d98bcb45b4683dd2131fd08e6fe1cdceaa57a6c9d1802d075f
SHA512 8e9a178a23af3f2f838fe9a75f70f9b96550bd7962fac4b82e03b8cbf55bad0e9015ff14c9fb2705a8b16b084d8d2547e9bfe8f25bacfeb9558fc23d41ed68e4
-
Filesize 671KB
MD5 ab9ee07bac738b929db9519ab6c1cd2e
SHA1 9f73acc19a53a8ddeff2e80d16dec6d7e86d8702
SHA256 de7f21a67839b49d156711f12e4184465089825fd6f7c6ba1435d84596826bef
SHA512 fe0167f6f39c88da662647ece24ea2f068a5bd6f5c2d4b880407a8d95a13b57d95b2958f01661c32eee76bae81aa23319407c9753b9b1ce5c6a8481ede9eeddc
-
Filesize 1.4MB
MD5 d14289dc405059a7e0c72f8e98721930
SHA1 6ad68ee2ec214848be0c28d844bfe0412d4770b3
SHA256 6fb1cc65e0a86373603cd03e80770cbd8795ce852346910ece808f5c9dfd3875
SHA512 dec6d1095b289b595b0b58d20c430dc4193ef8469c0090337b896b9be887c4cfbbd24423fb8c8b1541c0392cbd2f0b8019afbf9fe58a74e2ddbd06ff22894118
-
Filesize 1.8MB
MD5 abcad654a59df7bc107fef6b77a451bf
SHA1 4996646dc882ecbab99f47b3eedffec3809cbe77
SHA256 f51832fa0b52c907ade1d190a1423b27d617c7fe6c25c0fc61df76d86804ccb6
SHA512 c5bfcf9d4bae0bd66892abb16c8fd19607c00e70b7ab04017863b28413e62f3fd9849f4984cf24908bcd596245a5220f6811db677325c62064a21178166966c2
-
Filesize 1.4MB
MD5 c24206e7f1b3c5cb76b4b1f6a7b6f3dc
SHA1 1ba5a379032f0c950c946499a420d0332b784bd1
SHA256 0e2ed7199670f284e7f8a6c014efe89f67baf721ce9e0b209fff4ff569997bcc
SHA512 4cc814721c19bb8fae1891c3cbdce1b39bead9e3d79acc09133c5a91067028719a461e5b0c325d1e6ceeedd8157e9346399573a25349de5dea67a407afc37c04
-
Filesize 885KB
MD5 27c6f859cfe0cf1c0903aab5cbdc0608
SHA1 475d0b00f40292c513fc6485aaf3422e79588137
SHA256 82dcb7f3ef9b84955f3ca405e5b0a882465df1cc9ac032d7bb0be706f5de638c
SHA512 fce470c613baa82ee26a0faa9fab6ad14ffe9f5b529dacf40ab36fcd10bd5597dfbb84e469eed8e4dd62437d21c08850ecc4bc4e55f7f8b6b45ce078967527e4
-
Filesize 2.0MB
MD5 667aa8843819a0c56a4bf45fcd005bd0
SHA1 1d37e0fb820f1e5182516338508d70536f730436
SHA256 d7fc3ea6da492c7b6fce6fa8e825f1dab8490a1b6bf4ca56a71dd98886aad87a
SHA512 331f8afdb2a5304cd035ff89bf757d750ce7f9abf9ed08874625e4e4bc44461f8b1554892910225c25b232fb64189b00e9091ca06b4b98b2ef1bcc6f92fa8610
-
Filesize 661KB
MD5 eb6e33d518773a18671d233e688250df
SHA1 208f261786415e6d5a32e3b1b2f39ecb980a9bbd
SHA256 dabe6dea5fcd81d4847ed911a8088e6d566c7f43bfd747ec7900e1ead688930c
SHA512 1d43055847193eba2e1337a6cd4edb13737176b21203b6e78cf98914ce747f4fcd5b2eb0c5425e00ffe9b48c67ea1b55c7915721bd8886a381aa307f3fb07bd4
-
Filesize 712KB
MD5 ce036536c6e68c589dce00256d430174
SHA1 729eefb1ab30e0f487313661e5b03cd3495c7fd2
SHA256 369df6cb219a59628a81b216e5b208dee58e80d44783c2d2fb36bd9d29d55d70
SHA512 75dd45740c368d1eca4f4609faa608f94995fe9100170817becfaf2be2ccea554080448a009d39ce10872ae4193e1cd988f5664cd4189b3c2c2464ee99eb0564
-
Filesize 584KB
MD5 31f92864423af3876a8be874c86fb9ef
SHA1 39cf96ee01b678b7d897ea2b6485a90b87c9db9c
SHA256 9409811dd4868d1ff04a4e66d01437c706d861cff3833ab6735816883b06d4b2
SHA512 dc724bd8733d334692c8b08bf0ac7f39d4d9c03eaf5c3ed488f55332ef39ee81aa67dec4d92b259437eca0f396edbdbe2abcdfc50718c3bc57874e91d6618e28
-
Filesize 1.3MB
MD5 8aa5b51762cf6b59bccef91bb357a9fe
SHA1 307b90188f2f3a9e68d40c263e476d180e4b4ab6
SHA256 6cbe3d5d196b04f6bcf2e33070a8aec969e2ba4696c6516e111023bcac22bacd
SHA512 298b70cd5d443c287459395292653f4572b71d83e8eb2317e797bab8a39ea819b17a00ab1bc1353cd0d1ea3b77bc93ea414a131ac69c4efb8073adb8129bc294
-
Filesize 772KB
MD5 7cdbba80873845666ccc0b1f4d4e05df
SHA1 ba207fd90c05d2f246b9586883b3bbfdd5baf98f
SHA256 97bb6bdf943713e2a5917e00d753ca8dc37864b9979ea5b14f8e2423d946165e
SHA512 1f2052336fc8aa298e1e0486d2b661763946ff353536b819c01e735f9464a5bb3701bb0709e020fb33357017f0f98a17faff1bf6d4af4beb77815c91eec6b626
-
Filesize 2.1MB
MD5 bbaaedb7552088a7a0c8ed557dbf62da
SHA1 f2616bcaa92abcdb2ee9ebbd288c0ebc9934eaa7
SHA256 7fc029fa5235842b9d8d4093ef090f44e34a915473aede67fdbc65d28a5c9ca2
SHA512 c204ed7f820b694e74d56abeca7aef76a063826985d9bcec2bbfe9d132a1811436171a5a40adb839f9b981afccba40a05c52a5d28b38c4e73b8f2ea878fda8a7